Hello Fabrice,

I checked in the patch

http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=ea1c20d14be22ca4dc91f9d984d7406b210c0cd6

which allows you to initiate or route a child config which doesn't have
a corresponding peer config of the same name, as is the case in our setup.

Thus if you have updated e.g. the child config 'net-3' in the SQL
database then you just execute

  ipsec down net-3{*}
  ipsec up net-3

and the modified CHILD_SA will be up again.

Kind regards

Andreas

On 03/01/2011 04:05 PM, Andreas Steffen wrote:
> Hello Fabrice,
>
> sorry for the delay in answering your questions but I was quite
> busy due to the start of the spring term at our university.
>
> On 03/01/2011 10:40 AM, CETIAD - Fabrice Barconnière wrote:
>> Hello,
>>
>> I've configured strongswan with sqlite database between one gateway
>> (sphynx) and several others (amon1, amon2, ... up to six hundred).
>> Connections are between sphynx subnets and amon subnets (sometimes
>> between amon subnets).
>> Text file joined to this mail shows my network infrastructure.
>>
>> On sphynx, start_action and dpd_action are set to 0.
>> On amon, start_action and dpd_action are set to 2.
>>
>> 1) When sqlite database is modified, how to apply the updates without
>> restarting ipsec?
>> ipsec update command doesn't work in my configuration.
>> Is there another way to do that or should some fields be set to
>> specific values?
>>
> The "ipsec update" command does not work with connection configurations
> stored in an SQL database. The command just checks for any changes in
> ipsec.conf and communicates them to the charon daemon via the stroke
> socket interface.
>
> I made some database changes in CHILD_SA net-3 and
>
> ipsec statusall shows the changes immediately.
> ipsec down net-3 does not work but
> ipsec down net-3{3} takes the CHILD_SA down
> ipsec up net-3 doesn't work so we have a real problem here
>
> You find the detailed output in the moon.statusall attachment.
>
> ipsec down net-net takes down the IKE_SA and all three CHILD_SAs
> ipsec up net-net does not start them up again so we have a problem
>
> I have to look into this. It should be possible to take down single
> CHILD_SAs and/or IKE_SAs and start them again without having to
> restart the whole daemon.
>
>> 2) How does Dead Peer Detection work?
>> When ipsec is restarted on sphynx, connections stay down on amon
>> gateways.
>> Are there special values to set in database?
>>
> I loaded the sql/net2net-start-pem scenario
>
> http://www.strongswan.org/uml/testresults/sql/net2net-start-pem/
>
> which is closely modelled after your setup and has the DPD settings
>
> moon: start_action = 2 (start), dpd_action = 2 (restart)
> sun:  start_action = 0 (add),   dpd_action = 0 (clear)
>
> I started the scenario and let it run for a couple of minutes in order
> to show that DPD informational messages are exchanged. I then blocked
> the access to sun so that moon was starting to retransmit and after
> 5 unanswered retransmissions moon deleted all SAs and tried to
> reconnect. I then enabled access to sun again and the IKE_SA and
> all 3 CHILD_SAs were automatically re-established. You can find my
> log as attachment "moon.daemon.log".
>
> If you restart charon on sun by executing "ipsec restart" then
> the IKE_SA and the CHILD_SAs are deleted by exchanging DELETE notifies
> and the connection doesn't come up again automatically. This is normal
> behaviour and doesn't have anything to do with DPD. You must then
> start up the SAs either on moon or sun manually.
>
>> Thanks
>>
>> Fabrice
>>
>
> Best regards
>
> Andreas

======================================================================
Andreas Steffen                                       [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
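
The reload step from the reply above, wrapped as a shell function for several child configs at once. This is an added example, not part of the original mail or of strongSwan; the function name reload_child_sas, the IPSEC override, the name whitelist and the treatment of a nonzero exit status as failure are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original mail).
# IPSEC can be overridden so the function can be exercised without a daemon.
IPSEC="${IPSEC:-ipsec}"

# Restart the CHILD_SAs of the named child configs after their rows in the
# SQL database were edited. Returns the number of configs that failed.
reload_child_sas() {
    failed=0
    for name in "$@"; do
        # Accept only plain config names, so that a name read from the
        # database or from user input cannot carry options, whitespace or
        # the {n} / {*} instance selectors that "ipsec down" interprets.
        case "$name" in
            ''|-*|*[!A-Za-z0-9_.-]*)
                echo "skipping invalid child config name: $name" >&2
                failed=$((failed + 1))
                continue ;;
        esac
        # Quote the selector: unquoted, the shell treats net-3{*} as a
        # glob pattern and may replace it with a matching file name.
        # A failing "down" is tolerated because no instance may be up.
        $IPSEC down "${name}{*}" || echo "no CHILD_SA closed for $name" >&2
        # Assumption: a nonzero exit status from "ipsec up" means failure.
        if ! $IPSEC up "$name"; then
            echo "failed to initiate $name" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}
```

Called as reload_child_sas net-1 net-2 net-3 after the database edit, it closes every instance of each CHILD_SA and initiates it again with the new settings.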
