Hello,

Unfortunately, I am facing an issue with this patch. For example, we may want to update the configuration file since the remote host's IP address has changed. When charon receives the terminate stroke message, it sends the DELETE message but it may take minutes before giving up if the remote host is down! Therefore the new configuration may be applied several minutes later, which is quite unexpected.

What do you think?

Emeric

----- Original message -----
From: "Christophe Gouault" <[email protected]>
To: "Emeric POUPON" <[email protected]>
Cc: "Martin Willi" <[email protected]>, [email protected]
Sent: Thursday, 29 January 2015 16:52:12
Subject: Re: [strongSwan-dev] [PATCH] starter: cleanup SAs when deleting a connection

2015-01-29 15:18 GMT+01:00 Emeric POUPON <[email protected]>:
> Hello,
>
> Thanks for your patch: I think it is definitely a good idea to flush
> connections that are no longer up to date with the configuration files.
> Did you manage to make an updated patch?

Hello Emeric,

I had to switch to priority tasks, so I left this patch in standby (long term standby ;-)). I'll try to find some time to add an option in strongswan.conf.

> I have another related problem:
> I have two CA certificates in ipsec.d/cacerts. I can see them using "ipsec
> listcacerts"
> If I remove one of them and perform an "ipsec rereadcacerts", I can see in
> charon's log that the only remaining CA certificate is reloaded.
> However, I still see the two CA certs using the "ipsec listcacerts" command.
> "ipsec purgecerts" does not seem to help.
> Remote peers successfully manage to authenticate using the removed CA cert,
> that is quite annoying.
>
> Any idea?

Obviously additional clean up is desirable.

Best Regards,
Christophe
