[Openswan Users] How to reload ipsec.conf without disconnecting unaffected tunnels?

Steve Leung kesteve at kesteve.com
Mon Aug 12 04:28:01 UTC 2013


Sorry for my late reply.

--rereadall will not read leftcert and rightcert in /etc/ipsec.conf; it
does reread CA, AA, CRL, etc. To be precise, they are: "REREAD_SECRETS |
REREAD_CACERTS | REREAD_AACERTS | REREAD_OCSPCERTS | REREAD_ACERTS |
REREAD_CRLS", which do not include "leftcert" and "rightcert" (i.e.
/etc/ipsec.d/certs/)... The only method seems to be --delete/--add (or
--replace); anyway, my setup now uses --delete/--add on the specific
connection to solve the problem. Thanks for all your help on this.


Best regards,
Steve



2013/7/20 Leto <letoams at gmail.com>

> ipsec auto --rereadall
>
> I don't see how it cannot reload your certs
>
>
> sent from a tiny device
>
> On 2013-07-18, at 23:47, Steve Leung <kesteve at kesteve.com> wrote:
>
> Hi Nick,
>
>
> Thanks, this is something close to my need, but I hope there is a command
> to reload certs without knowing the connection name. To be precise, I found
> a command in StrongSWAN:
>
> *ipsec reload*
>
> sends a *USR1* signal to ipsec starter which in turn reloads the whole
> configuration on the running IKE daemon charon based on the actual
> ipsec.conf. Currently established connections are not affected by
> configuration changes.
>
> The description is actually what I want; however, this is not available in
> OpenSWAN.
>
>
> Best regards,
> Steve
>
>
>
> 2013/7/15 Nick Howitt <n1ck.h0w1tt at gmail.com>
>
>>
>> For a single tunnel try "ipsec auto --replace {conn-name}".
>>
>> On 2013-07-15 07:05, Timmy wrote:
>>
>> On Ubuntu:
>> service ipsec
>> {start|stop|restart|reload|force-reload|condrestart|try-restart|status|version}
>>
>>
>>
>>  Thank you for rescuing this email from spam.
>>
>> Does anyone have any idea how to reload the ipsec config without affecting the
>> existing tunnels?
>>
>>
>> Best regards,
>> Steve
>>
>>
>>
>> 2013/7/5 Steve Leung <kesteve at kesteve.com>
>>
>>> Hi guys,
>>>
>>> I have OpenSWAN running when the system boots, with several connections
>>> defined; one of them uses an X.509 certificate.
>>>
>>> My system clock is reset every time I restart the system (i.e. reset to
>>> Jan 01 2010), and the time is corrected by NTP within a few minutes after
>>> boot. The problem is, when pluto starts and tries to load the certs, it
>>> complains: "X.509 certificate is not valid until Aug 16 09:22:00 UTC 2012
>>> (it is now=Jan 01 00:02:10 UTC 2010)". I need to run "ipsec setup restart"
>>> after NTP has corrected the time, but this disconnects all the existing
>>> connections.
>>>
>>> Are there any commands to reload the certs? There is `ipsec auto
>>> --rereadall`, but it only reloads the cacerts/crls/etc., not
>>> /etc/ipsec.d/certs (i.e. leftcert and rightcert defined in
>>> /etc/ipsec.conf).
>>>
>>> Is it possible to reload the configuration file without interrupting
>>> established connections?
>>>
>>> Thank you :)
>>>
>>> Best regards,
>>> Steve
>>>
>>>
>>
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
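An added example (not from this thread and not Openswan's own code) of the workaround Steve settled on, tied to the boot-time clock problem in the original post: wait until the clock has been corrected, pick out only the conns that set leftcert/rightcert, and run `ipsec auto --replace` on each of them, which is the --delete plus --add that leaves every other tunnel alone. The ipsec.conf parser, the clock-threshold check, the optional `--up` step and the `IPSEC_CMD` override are this script's own assumptions, not Openswan features; the sample ipsec.conf it writes is constructed.

```shell
#!/bin/sh
# reload_cert_conns.sh: added example, not from the thread or from Openswan.
# Re-add only the conns whose leftcert/rightcert pluto could not accept at boot
# (clock still at Jan 01 2010), once NTP has stepped the clock. Nothing here
# restarts pluto, so unrelated tunnels keep their SAs.

IPSEC_CMD="${IPSEC_CMD:-ipsec}"   # point at a stub for dry runs

# Print the conn names in an ipsec.conf-style file that set leftcert or rightcert.
# Assumptions: "conn NAME" headers followed by indented key=value lines; %default
# is skipped; "include" and "also=" are not followed.
cert_conns() {
    awk '
        /^[ \t]*#/      { next }
        /^conn[ \t]+/   { name = $2; next }
        /^config[ \t]+/ { name = ""; next }
        /^[ \t]+(leftcert|rightcert)[ \t]*=/ {
            if (name != "" && name != "%default" && !seen[name]++) print name
        }
    ' "$1"
}

# Block until the clock is past $1 (epoch seconds) or $2 seconds have elapsed.
# Assumption: a clock earlier than $1 means NTP has not run yet, so $1 can be
# any date after the one the box boots with (e.g. this script's install date).
wait_for_clock() {
    remaining=$2
    while [ "$(date +%s)" -lt "$1" ]; do
        [ "$remaining" -gt 0 ] || return 1
        sleep 5
        remaining=$((remaining - 5))
    done
    return 0
}

# Reload one conn: --replace is --delete followed by --add, so only that conn's
# state is touched. Pass "up" as $2 to initiate it again afterwards (assumed
# to be needed when this side initiates and the peer does not).
reload_conn() {
    "$IPSEC_CMD" auto --replace "$1" || return 1
    if [ "${2:-}" = "up" ]; then
        "$IPSEC_CMD" auto --up "$1" || return 1
    fi
    return 0
}

# Write a constructed ipsec.conf fragment to a temp file and print its path.
write_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
config setup
	protostack=netkey

conn %default
	keyexchange=ike
	auto=ignore

conn site-psk
	left=192.0.2.1
	right=198.51.100.1
	authby=secret
	auto=start

conn site-cert
	left=192.0.2.1
	leftcert=site.pem
	right=198.51.100.2
	rightcert=peer.pem
	auto=start

conn site-cert2
	left=192.0.2.1
	rightcert=peer2.pem
	auto=add
EOF
    echo "$f"
}

# Demo on the constructed config (no ipsec binary needed): list what would be
# re-added. Only site-cert and site-cert2 qualify; site-psk is left alone.
conf=$(write_sample_conf)
for c in $(cert_conns "$conf"); do
    echo "would run: $IPSEC_CMD auto --replace $c"
done
rm -f "$conf"
```

On the real box the demo loop becomes `wait_for_clock THRESHOLD 600 && for c in $(cert_conns /etc/ipsec.conf); do reload_conn "$c" up; done`, with THRESHOLD an epoch timestamp later than the boot-time clock (an assumed value, not something Openswan provides). Two caveats: pluto re-reads the cert when the conn is re-added, so the script must run only after NTP has actually stepped the clock, and --replace drops whatever SA that particular conn already had, which is exactly why it is run per conn rather than as `ipsec setup restart`.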