Hello,

> Note that a hard delete without a confirmed exchange is something we
> should avoid when possible; the peer might think that the tunnel is
> still alive, and send traffic to a black hole.
>
> Having said that, you may try to issue two subsequent "down" commands.
> The first will trigger a graceful tunnel shutdown with confirmation.
> Once in the DELETING state, an additional "down" command will
> immediately remove the IKE_SA.
Thanks for the tip! In order to make it work, I had to modify the terminate
command of the stroke plugin to delete the IKE SA if a CHILD SA exists
with the same name. The second call indeed removes the IKE SA immediately.

> In my opinion, I think we should focus more on the swanctl interface and
> the underlying vici IPC mechanism. It avoids many problems by more closely
> resembling the configuration hierarchy in swanctl.conf. When reloading
> connections, it inverts any specified start_action, and so basically
> affects established connections (not manually initiated ones). This is all
> relatively new, and certainly far from perfect. But as we have a
> better configuration format and a proper return channel in vici, the
> foundation is much better to implement such functionality.

I will take some time to have a look at this new configuration interface,
but I'm afraid we are likely to hit trouble too.

Best Regards,
Emeric

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
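The two-step takedown described in the quoted reply (graceful "down" first, a second "down" once the IKE_SA shows DELETING), written out as an added shell example. This is not code from the strongSwan project or from either author of the thread. It assumes that `ipsec down` blocks while charon waits for the peer's DELETE confirmation (so the first call is backgrounded), that `ipsec status` prints the IKE_SA line in the form `name[id]: STATE, ...`, and, as Emeric notes above, that the second "down" actually reaches the IKE_SA, which on a stock stroke plugin may require his patch. The `IPSEC_CMD` override, the polling loop, `ike_state()` and `two_step_down()` are all this example's own inventions.

```shell
#!/bin/sh
# Added example (not strongSwan project code): force removal of an IKE_SA
# via the stroke interface in two steps, as described in the thread.
# IPSEC_CMD lets a test substitute a fake "ipsec" binary (assumption).
IPSEC_CMD="${IPSEC_CMD:-ipsec}"

# Read "ipsec status" output on stdin and print the state of the first
# IKE_SA named $1 (e.g. ESTABLISHED, DELETING). Prints nothing if none.
# Assumed line format (constructed from the usual status listing):
#   home[1]: DELETING, 10.1.0.2[carol]...10.1.0.1[moon]
# CHILD_SA lines look like "home{1}: INSTALLED, ..." and are skipped.
ike_state() {
    conn="$1"
    awk -v c="$conn" '
        index($1, c "[") == 1 && $1 ~ /\]:$/ { print $2; exit }
    ' | tr -d ','
}

# two_step_down NAME [TRIES]
# 1. issue a graceful "down" (backgrounded: it blocks until the peer
#    confirms the delete or the retransmit timeout expires);
# 2. poll "ipsec status" once per second; as soon as the IKE_SA is in
#    DELETING, issue a second "down" to remove it immediately.
# Returns 0 when the SA is gone, 1 if it never reached DELETING in time.
two_step_down() {
    conn="$1"; tries="${2:-10}"
    "$IPSEC_CMD" down "$conn" >/dev/null 2>&1 &
    first=$!
    while [ "$tries" -gt 0 ]; do
        state=$("$IPSEC_CMD" status | ike_state "$conn")
        case "$state" in
            "")
                # peer already confirmed; nothing left to force
                wait "$first" 2>/dev/null || true
                return 0 ;;
            DELETING)
                "$IPSEC_CMD" down "$conn" || true
                wait "$first" 2>/dev/null || true
                return 0 ;;
        esac
        sleep 1
        tries=$((tries - 1))
    done
    # still not DELETING (e.g. stuck elsewhere); leave the first call to finish
    wait "$first" 2>/dev/null || true
    return 1
}
```

Usage: source the file and call `two_step_down home` for a connection named `home`. Note the trade-off from the quoted reply: the second "down" removes local state without waiting for the peer, so the remote end may keep sending into a black hole until its own dead-peer detection fires.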
