Bug #6624

changes in IPsec config should down the connection

Added by Chris Buechler almost 5 years ago. Updated about 4 years ago.

Status: Confirmed
Priority: Normal
Category: IPsec
Target version: -
Start date: 07/18/2016
Due date:
% Done: 0%
Estimated time:
Affected Version: 2.2.x
Affected Architecture:
Release Notes: Default

Description

The fact that strongswan doesn't take down an established connection after changing the config has led to a number of support issues and user complaints. racoon would drop any existing connections upon changing of that connection's config. Many support cases and forum threads of changes not being applied have this as the root cause. Usually either where a config mismatch was created, but not realized until hours later when the existing expires, or after having added or removed networks with IKEv2 which don't work until manually disconnecting the connection on the status page.

Just doing an 'ipsec down conX' for the connection when the config is changed will address this.

History

#1 Updated by Jim Thompson over 4 years ago

  • Assignee set to Renato Botelho

#2 Updated by Lars Pedersen about 4 years ago

As a side note: When using IPsec mobile clients with PSK keys it would be preferred not to take the entire IPsec service down when adding a new PSK key. Currently the ipsec service does nothing when adding new keys and we have to execute "ipsec rereadsecrets". So a solution that adds PSK keys and afterwards calls "ipsec rereadsecrets" would be nice, instead of all connected mobile clients being kicked out every time a new user is added.
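An added example, not part of the ticket and not pfSense code: a dry-run planner that compares the old and new configuration and prints only the commands the change needs, `ipsec down conX` for connections whose section changed or was removed and `ipsec rereadsecrets` when only the secrets file changed. The function names, the sample files and the use of `ipsec update` to load the new ipsec.conf before taking connections down are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (dry run): prints the strongSwan commands a config change needs.
# Assumes the ipsec.conf/ipsec.secrets layout, no "conn %default" and no "also=".

# One "name<TAB>settings" line per conn section, whitespace and comments removed.
conn_sections() {
    awk '
        function flush() { if (name != "") print name "\t" body; name = ""; body = "" }
        /^[ \t]*(#|$)/ { next }                      # comment or blank line
        /^conn[ \t]+/  { flush(); name = $2; next }  # start of a conn section
        /^[^ \t]/      { flush(); next }             # other section (config setup, ca)
        name != ""     { gsub(/[ \t]+/, ""); body = body $0 ";" }
        END            { flush() }
    ' "$1" | sort
}

# Args: old ipsec.conf, new ipsec.conf, old ipsec.secrets, new ipsec.secrets
plan_ipsec_actions() {
    old=$(conn_sections "$1")
    new=$(conn_sections "$2")
    if [ "$old" != "$new" ]; then
        echo "ipsec update"   # load the new ipsec.conf; established SAs are kept
        # Old sections with no identical line in the new file: changed or removed.
        printf '%s\n' "$old" | grep -Fxv -e "$new" | cut -f1 |
        while read -r name; do
            if [ -n "$name" ]; then echo "ipsec down $name"; fi
        done
    fi
    # Secrets-only changes (a new mobile PSK) need no connection teardown.
    cmp -s "$3" "$4" || echo "ipsec rereadsecrets"
}

# Constructed sample: con1 gains a second subnet, con2 is untouched, one PSK is added.
demo() {
    d=$(mktemp -d) || return 1
    printf 'conn con1\n\tleft=192.0.2.1\n\trightsubnet=10.1.0.0/24\nconn con2\n\tleft=192.0.2.1\n\trightsubnet=10.2.0.0/24\n' > "$d/old.conf"
    sed 's#10.1.0.0/24#10.1.0.0/24,10.3.0.0/24#' "$d/old.conf" > "$d/new.conf"
    printf '%%any alice : PSK "constructed-1"\n' > "$d/old.secrets"
    { cat "$d/old.secrets"; printf '%%any bob : PSK "constructed-2"\n'; } > "$d/new.secrets"
    plan_ipsec_actions "$d/old.conf" "$d/new.conf" "$d/old.secrets" "$d/new.secrets"
    rm -rf "$d"
}
demo
```

For the constructed sample the plan takes down only con1 and rereads the secrets; con2 and any connected mobile clients are left alone.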
