Hello,

Thanks for your patch: I think it is definitely a good idea to flush connections that are no longer up to date with the configuration files. Did you manage to make an updated patch?

I have another related problem: I have two CA certificates in ipsec.d/cacerts. I can see them using "ipsec listcacerts". If I remove one of them and perform an "ipsec rereadcacerts", I can see in charon's log that the only remaining CA certificate is reloaded. However, I still see the two CA certs using the "ipsec listcacerts" command. "ipsec purgecerts" does not seem to help. Remote peers successfully manage to authenticate using the removed CA cert, which is quite annoying.

Any idea?

Best Regards,
Emeric

----- Original Message -----
From: "Christophe Gouault" <[email protected]>
To: "Martin Willi" <[email protected]>
Cc: [email protected]
Sent: Thursday 2 October 2014 10:13:33
Subject: Re: [strongSwan-dev] [PATCH] starter: cleanup SAs when deleting a connection

2014-10-02 10:08 GMT+02:00 Martin Willi <[email protected]>:
> Hi Christophe,
>
> Thanks for your patch.
>
>> Do a little cleanup when deleting a connection via "ipsec update"
>> command:
>> - delete all established CHILD_SAs
>> - unroute the connection
>> - delete IKE_SAs that have no more CHILD_SAs
>> - delete the connection
>> - make sure to refuse an undesired negotiation request from the peer,
>> by deleting the connection before terminating it.
>
> These changes certainly make sense in some scenarios. However, the
> behavioral change is non-trivial. That an "update" of connections
> deletes all associated SAs is not that obvious, especially as we did not
> do that before. I'd guess we'd break many scripted installations with
> that change.
>
> If we introduce such a behavioral change, I think we need to make that
> optional, and probably disable it by default.
>
> Regards
> Martin

Hi Martin,

You're right, this makes sense. I'll provide an update that makes it optional.

Best regards,
Christophe
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
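The problem Emeric reports above is that the directory ipsec.d/cacerts and the daemon's own view of its trusted CAs can disagree, and it is the daemon's view that decides whether a peer authenticates. The script below is an added example, not code from the thread or from strongSwan: it compares the subject DNs printed by "ipsec listcacerts" with the DNs an operator expects to remain, and prints any CA the daemon still holds that should be gone. It assumes that "ipsec listcacerts" prints one line of the form `subject:  "DN"` per loaded CA (other lines are ignored); the listing and the "Retired CA" DN embedded in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not strongSwan code, not from the thread): check whether a CA
# certificate removed from ipsec.d/cacerts is really gone from the running
# daemon.  Assumes `ipsec listcacerts` prints one line of the form
#   subject:  "C=CH, O=strongSwan, CN=strongSwan CA"
# per loaded CA certificate; everything else in the listing is ignored.

# list_loaded_cas LISTING: print the subject DN of every CA in a saved
# `ipsec listcacerts` listing, sorted and deduplicated.
list_loaded_cas() {
    sed -n 's/^[[:space:]]*subject:[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" | sort -u
}

# stale_cas LISTING EXPECTED: print the DNs the daemon still holds that are
# not in EXPECTED (one DN per line: the CAs that should remain trusted).
# Empty output means the daemon trusts exactly the CAs you expect.
stale_cas() {
    loaded=$(mktemp) || return 1
    expected=$(mktemp) || { rm -f "$loaded"; return 1; }
    list_loaded_cas "$1" > "$loaded"
    sort -u "$2" > "$expected"
    comm -23 "$loaded" "$expected"
    rm -f "$loaded" "$expected"
}

# live_stale_cas EXPECTED: the same check against the running daemon.  Not
# called below, so the script also runs on a host without strongSwan.
live_stale_cas() {
    listing=$(mktemp) || return 1
    ipsec listcacerts > "$listing" || { rm -f "$listing"; return 1; }
    stale_cas "$listing" "$1"
    rm -f "$listing"
}

# Constructed sample listing: the daemon still shows two CAs although only
# the strongSwan CA is left in ipsec.d/cacerts (the situation reported above).
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
List of X.509 CA Certificates:

  subject:  "C=CH, O=strongSwan, CN=strongSwan CA"
  issuer:   "C=CH, O=strongSwan, CN=strongSwan CA"
  serial:    01

  subject:  "C=FR, O=Example, CN=Retired CA"
  issuer:   "C=FR, O=Example, CN=Retired CA"
  serial:    02
EOF

# The CAs that should still be trusted, one DN per line (constructed).
EXPECTED_CAS=$(mktemp)
printf '%s\n' "C=CH, O=strongSwan, CN=strongSwan CA" > "$EXPECTED_CAS"

echo "CAs still loaded by the daemon that should have been removed:"
stale_cas "$SAMPLE_LISTING" "$EXPECTED_CAS"   # prints: C=FR, O=Example, CN=Retired CA
```

On a live host, write the expected DNs to a file and run `live_stale_cas that-file` after "ipsec rereadcacerts". Any DN it prints is a CA the daemon will still accept for peer authentication, exactly as Emeric observed, so treat the daemon's listing rather than the directory contents as the source of truth until it comes back empty.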
