[Openswan Users] How to reload ipsec.conf without disconnecting unaffected tunnels?

Patrick Naubert patrickn at xelerance.com
Fri Jul 5 11:03:47 UTC 2013


Rescued from the spam bucket. Please remember to subscribe to the mailing list before posting to it.


From: Steve Leung <kesteve at kesteve.com>
Subject: How to reload ipsec.conf without disconnecting unaffected tunnels?
Date: 5 July, 2013 6:55:19 AM EDT
To: users at lists.openswan.org


Hi guys,

I have Openswan running when the system boots, with several connections defined; one of them is using an X.509 certificate.

My system clock is reset every time I restart the system (i.e. reset to Jan 01 2010), and the time is corrected by NTP within a few minutes after boot. The problem is that when pluto starts and tries to load the certs, it complains: "X.509 certificate is not valid until Aug 16 09:22:00 UTC 2012 (it is now=Jan 01 00:02:10 UTC 2010)". I need to run "ipsec setup restart" after NTP has corrected the time, but this disconnects all the existing connections.

Is there any command to reload the certs? There is `ipsec auto --rereadall`, but it only reloads the cacerts/crls/etc., not /etc/ipsec.d/certs (i.e. leftcert and rightcert defined in /etc/ipsec.conf).

Is it possible to reload the configuration file without interrupting established connections?

Thank you :)

Best regards,
Steve
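
Added example, not part of the original post and not Openswan code: a small Python check that parses the pluto message quoted above and decides, against a trusted clock reading, whether the certificate was rejected only because the system clock was behind at load time. The function names, the sample lines other than the quoted message, and the `TRUSTED_NOW` value are assumptions made for illustration.

```python
import re
from datetime import datetime

# Message text as quoted in the post; pluto's log prefix is not shown there.
TS = r"\w{3} \d{1,2} \d{2}:\d{2}:\d{2} UTC \d{4}"
NOT_YET_VALID = re.compile(
    rf"X\.509 certificate is not valid until (?P<not_before>{TS}) "
    rf"\(it is now=(?P<now>{TS})\)"
)
TS_FORMAT = "%b %d %H:%M:%S UTC %Y"


def parse_not_yet_valid(line):
    """Return (not_before, pluto_now) as datetimes, or None for other lines."""
    m = NOT_YET_VALID.search(line)
    if m is None:
        return None
    return tuple(datetime.strptime(m.group(g), TS_FORMAT)
                 for g in ("not_before", "now"))


def classify(line, trusted_now):
    """Judge a rejection against a trusted clock (e.g. read after NTP sync)."""
    parsed = parse_not_yet_valid(line)
    if parsed is None:
        return "unrelated"
    not_before, _pluto_now = parsed
    if not_before <= trusted_now:
        return "clock-behind"        # cert is valid now; it was loaded too early
    return "cert-not-yet-valid"      # still before notBefore by trusted time


# Constructed sample input: the first line is the message from the post,
# the other two are made up for this example.
SAMPLE_LINES = [
    "X.509 certificate is not valid until Aug 16 09:22:00 UTC 2012 "
    "(it is now=Jan 01 00:02:10 UTC 2010)",
    "X.509 certificate is not valid until Mar 01 00:00:00 UTC 2030 "
    "(it is now=Jan 01 00:02:10 UTC 2010)",
    "constructed line that has nothing to do with certificate validity",
]
TRUSTED_NOW = datetime(2013, 7, 5, 11, 0, 0)  # assumed post-NTP reading

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(classify(sample, TRUSTED_NOW), "|", sample)
```
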




