2014-10-02 10:08 GMT+02:00 Martin Willi <[email protected]>:
> Hi Christophe,
>
> Thanks for your patch.
>
>> Do a little cleanup when deleting a connection via "ipsec update"
>> command:
>> - delete all established CHILD_SAs
>> - unroute the connection
>> - delete IKE_SAs that have no more CHILD_SAs
>> - delete the connection
>> - make sure to refuse an undesired negotiation request from the peer,
>> by deleting the connection before terminating it.
>
> These changes certainly make sense in some scenarios. However, the
> behavioral change is non-trivial. That an "update" of connections
> deletes all associated SAs is not that obvious, especially as we did not
> do that before. I'd guess we'd break many scripted installations with
> that change.
>
> If we introduce such a behavioral change, I think we need to make that
> optional, and probably disable it by default.
>
> Regards
> Martin

Hi Martin,

You're right, this makes sense.
I'll provide an update that makes it optional.

Best regards,
Christophe
