Hi James,

>>> Up to and including StrongSwan 5.0 'ipsec reload' would only
>>> re-initialize tunnels that have been changed in the configuration.
>>
>> Actually, `ipsec reload` always removed and re-added ALL connections not
>> only the changed ones. Use `ipsec update` to only reload the changed
>> connections.
>
> In our case, `ipsec reload` removes all policies from the Policies DB
> and does not re-add them.
>
> If however there are no policies in the Policies DB it adds them again.

`reload` should not directly affect existing connections unless `auto=route` is used (and even then policies should get re-added). Connections with `auto=start` do probably get initiated, though, so that might have an effect on existing connections (especially if you reload connections on both involved hosts concurrently). Could you provide logs that show the behavior you describe above?

#397 could be an issue if multiple conn sections in your config get merged (i.e. added as child configs to one single IKE config). And as described in #129 `ipsec reload` also has an effect on existing connections when they are later rekeyed. So using `update` instead is definitely preferable (for changed connections these bugs still apply so they should probably be terminated before updating the config).

Regards,
Tobias
