Hi Christophe,

Thanks for your patch.

> Do a little cleanup when deleting a connection via "ipsec update"
> command:
> - delete all established CHILD_SAs
> - unroute the connection
> - delete IKE_SAs that have no more CHILD_SAs
> - delete the connection
> - make sure to refuse an undesired negotiation request from the peer,
>   by deleting the connection before terminating it.

These changes certainly make sense in some scenarios. However, the
behavioral change is non-trivial. That an "update" of connections
deletes all associated SAs is not that obvious, especially as we did
not do that before. I'd guess we'd break many scripted installations
with that change.

If we introduce such a behavioral change, I think we need to make that
optional, and probably disable it by default.

Regards
Martin
