Hello,

Thanks for your response.

>> I was thinking about restoring this flush during libcharon
>> initialization/deinitialization.
>
> Why?

Well, if the daemon crashes it restarts in a desynchronized state with the kernel, which is difficult to debug/monitor. Examples:

- there is some IPsec traffic for quite a long time but charon has no IKE SA negotiated (no stat, no monitoring available using charon),
- if you perform a config reload just after a crash and the connection is no longer in the configuration, you will end up with the previous SA not flushed (we have a patch to remove the IKE SA/CHILD SA on deleted connections),
- if you perform an "ipsec stop" after a crash, nothing is done.

We could imagine an option (disabled by default) to enable this flush during startup?

_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
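A monitoring check for the desynchronized state described above, added here as an example and not code from the thread or from strongSwan: it compares the SPIs the kernel holds (`ip xfrm state`) with the SPIs charon reports (`swanctl --list-sas`) and lists kernel SAs charon knows nothing about. Both inputs are constructed sample outputs, and the line formats the regexes rely on are assumptions about those tools' output.

```python
import re

# Constructed sample of `ip xfrm state` output: two SAs belonging to
# charon's CHILD_SA (reqid 1) plus one left behind by a crashed daemon.
KERNEL_STATE = """\
src 192.168.0.1 dst 192.168.0.2
    proto esp spi 0xc5ff41a6 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
src 192.168.0.2 dst 192.168.0.1
    proto esp spi 0xc9f1a9a3 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
src 192.168.0.3 dst 192.168.0.1
    proto esp spi 0x0badcafe reqid 7 mode tunnel
    replay-window 32 flag af-unspec
"""

# Constructed sample of `swanctl --list-sas` output after the restart:
# charon only knows the freshly negotiated CHILD_SA.
CHARON_SAS = """\
net: #1, ESTABLISHED, IKEv2, 5a1bd3e2f0c4a9b1_i 7c02e4f1a3b5d6e8_r*
  net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    in  c9f1a9a3,      0 bytes,     0 packets
    out c5ff41a6,      0 bytes,     0 packets
    10.1.0.0/16 === 10.2.0.0/16
"""


def kernel_spis(xfrm_output):
    """Return {spi: reqid} for every state line `ip xfrm state` prints."""
    return {int(m.group(1), 16): int(m.group(2))
            for m in re.finditer(r"spi 0x([0-9a-fA-F]+) reqid (\d+)", xfrm_output)}


def charon_spis(swanctl_output):
    """Return the set of inbound/outbound SPIs charon lists for its CHILD_SAs."""
    return {int(m.group(2), 16)
            for m in re.finditer(r"^\s*(in|out)\s+([0-9a-fA-F]+),", swanctl_output, re.M)}


def orphaned_spis(xfrm_output, swanctl_output):
    """Kernel SPIs with no matching CHILD_SA in charon, i.e. state a crash left behind."""
    known = charon_spis(swanctl_output)
    return sorted(spi for spi in kernel_spis(xfrm_output) if spi not in known)


if __name__ == "__main__":
    for spi in orphaned_spis(KERNEL_STATE, CHARON_SAS):
        print("orphaned kernel SA: spi 0x%08x" % spi)
```

On a live host, feed the functions the real command output (for example via `subprocess.run`) and alert when the result is non-empty.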
