Project

General

Profile

Actions

Bug #12075

closed

Changes to an existing IPsec configuration are not applied on HA secondary after XMLRPC sync

Added by Jim Pingle over 3 years ago. Updated about 3 years ago.

Status:
Resolved
Priority:
High
Assignee:
Viktor Gurov
Category:
XMLRPC
Target version:
Start date:
06/23/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
22.01
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

When synchronizing settings over XMLRPC, the secondary only reconfigures the IPsec daemon if IPsec is enabled or disabled as a whole and not for other changes.

If a setting is changed on an existing setup, such as altering a PSK or adding a new tunnel, the secondary gets the settings in config.xml but they are not activated in strongswan. For example, new settings are not reflected in /var/etc/swanctl.conf until something else comes along and reloads them (e.g. manually, reboot, etc).

Normally the settings should be applied on sync, but in some cases that could lead to the secondary interfering in active tunnels, so testing and care is needed to ensure it is not disruptive. Settings could also be applied during transition to CARP master but that could be prone to timing issues.


Related issues

Related to Bug #12566: IPsec initiates on HA backup node when a tunnel interface is set to a gateway groupClosedViktor Gurov

Actions
Actions

Also available in: Atom PDF