Hello Tobias, thank you for the answer.
Please see my response inline.

>> Up to and including StrongSwan 5.0 'ipsec reload' would only
>> re-initialize tunnels that have been changed in the configuration.
>
> Actually, `ipsec reload` always removed and re-added ALL connections, not
> only the changed ones. Use `ipsec update` to only reload the changed
> connections.

In our case, `ipsec reload` removes all policies from the Policies DB and does not re-add them. If, however, there are no policies in the Policies DB, it adds them again.

>> Does anyone know why all policies are removed by 'ipsec reload'? It
>> seems that this should not happen UNLESS all tunnel configurations have
>> been removed or changed in ipsec.conf.
>
> Since 5.0.1 removed and changed connections with `auto=route` are
> unrouted (same as `ipsec unroute <name>`), this properly allows changing
> `left|rightsubnet` or `auto` for such connections. But if you use
> `reload` instead of `update` all connections are considered to have
> changed, so all connections are unrouted and routed again.

We are not using auto=route.

This appears to be either a similar or exactly the same issue that was reported here: https://wiki.strongswan.org/issues/397

Best Regards,
James

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
