Hi Tobias, I'm referring to certificate rotation when I say the certificate thumbprint changed. In this case, the following are updated: the certificate references in the ipsec.secrets and ipsec.conf files, and new files containing the certificate itself in ipsec.d/private and ipsec.d/certs. We are retaining the same CN for the certificate; however, the thumbprint, expiry and other properties of the certificate change.

As you clarified, `ipsec update` or `ipsec reload` don't pick up the changes in ipsec.secrets and the ipsec.d subfolders. Which command loads/reloads the changes in ipsec.secrets and the ipsec.d subfolders? Would this command terminate and re-establish the SA? And, with the intent to avoid network disruption, and since authentication only takes place when the IKE SA is first established or re-negotiated, is there a way to make the new certificate effective only when the IKE SA is re-negotiated?

--karuna

On Wed, Sep 16, 2020 at 2:32 AM Tobias Brunner <[email protected]> wrote:
> Hi Karuna,
>
> > Would `ipsec update` also work when I update the cert thumbprint in
> > ipsec.secrets file?
>
> I'm not exactly sure what you are referring to with "cert thumbprint",
> but changed certificates are not detected by `update` unless the name
> has changed. And ipsec.secrets and files in ipsec.d subfolders are
> (re-)loaded with separate commands, never with `update` or `reload`.
>
> > I'm assuming that until the IKE SA is re-negotiated the
> > existing IKE SA and child ESP SA will continue to work, correct?
>
> Since existing connections are not affected by config changes that's the
> case anyway. However, e.g. as a client, if the SA is reauthenticated and
> the certificate expired, for instance, the old certificate of the
> existing connection would be used. So if the config is updated due to
> such a change, it's necessary to manually terminate and re-establish the
> SA.
>
> Regards,
> Tobias
