[Openswan Users] How to reload ipsec.conf without disconnecting unaffected tunnels?

Steve Leung kesteve at kesteve.com
Fri Jul 19 03:47:33 UTC 2013


Hi Nick,


Thanks, this is something close to my need, but I hope there is a command
to reload certs without knowing the Connection Name. To be precise, I found
a command from StrongSWAN:

*ipsec reload*

sends a *USR1* signal to ipsec starter which in turn reloads the whole
configuration on the running IKE daemon charon based on the actual
ipsec.conf. Currently established connections are not affected by
configuration changes.

The description is exactly what I want; however, this is not available in
OpenSWAN.


Best regards,
Steve



2013/7/15 Nick Howitt <n1ck.h0w1tt at gmail.com>

>
> For a single tunnel try "ipsec auto --replace {conn-name}".
>
> On 2013-07-15 07:05, Timmy wrote:
>
> On Ubuntu:
> service ipsec
> {start|stop|restart|reload|force-reload|condrestart|try-restart|status|version}
>
>
>
> Thank you for rescuing this email from spam.
>
> Does anyone have any idea how to reload the ipsec config without affecting the
> existing tunnels?
>
>
> Best regards,
> Steve
>
>
>
> 2013/7/5 Steve Leung <kesteve at kesteve.com>
>
>> Hi guys,
>>
>> I have OpenSWAN running when the system boots, with several connections
>> defined, one of which is using an X.509 certificate.
>>
>> My system clock is reset every time I restart the system (i.e. reset to
>> Jan 01 2010), and the time is corrected by NTP within a few minutes after
>> boot. The problem is, when pluto starts and tries to load the certs, it
>> complains: "X.509 certificate is not valid until Aug 16 09:22:00 UTC 2012
>> (it is now=Jan 01 00:02:10 UTC 2010)". I need to run "ipsec setup restart"
>> after NTP has corrected the time, but this disconnects all the existing
>> connections.
>>
>> Are there any commands to reload the certs? There is `ipsec auto
>> --rereadall`, but it only reloads the cacerts/crls/etc., not
>> /etc/ipsec.d/certs (i.e. the leftcert and rightcert defined in
>> /etc/ipsec.conf).
>>
>> Is it possible to reload the configuration file without interrupting
>> established connections?
>>
>> Thank you :)
>>
>> Best regards,
>> Steve
>>
>>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
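An added example, not code from the thread or from Openswan: a shell script that works around the gap Steve describes by deriving the connection names that Nick's `ipsec auto --replace {conn-name}` needs from ipsec.conf (only the conn sections that set leftcert= or rightcert=) and replacing just those once the clock has passed a sanity threshold. The config path, the threshold epoch, and the assumption that `--replace` re-adds the conn together with its certificate are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Re-adds only the certificate-based
# connections after NTP has corrected a reset clock, so unaffected tunnels
# stay up. IPSEC_CONF and the epoch threshold are assumptions.

IPSEC_CONF="${IPSEC_CONF:-/etc/ipsec.conf}"

# Print the names of conn sections that set leftcert= or rightcert=,
# skipping comment lines and the %default section.
cert_conns() {
    awk '
        /^[ \t]*#/ { next }                         # comment line
        /^[ \t]*conn[ \t]+/ { name = $2; next }     # new conn section
        /^[ \t]*(left|right)cert[ \t]*=/ {
            if (name != "" && name != "%default" && !(name in seen)) {
                seen[name] = 1
                print name
            }
        }
    ' "$1"
}

# Succeeds once the system clock is at or past the given epoch (e.g. the
# earliest certificate notBefore), i.e. NTP has corrected the reset clock.
clock_is_sane() {
    now=$(date +%s)
    [ "$now" -ge "$1" ]
}

# Wait for the clock, then replace only the certificate connections.
# Assumes "ipsec auto --replace" re-adds the conn with its leftcert/rightcert.
reload_cert_conns() {
    min_epoch="$1"
    conf="${2:-$IPSEC_CONF}"
    until clock_is_sane "$min_epoch"; do
        sleep 10
    done
    for c in $(cert_conns "$conf"); do
        ipsec auto --replace "$c" || return 1
    done
}
```

Run it after boot as, for example, `reload_cert_conns 1345108920` (the constructed epoch for Aug 16 09:22:00 UTC 2012 from the log line), adjusting the threshold to your own certificate's notBefore.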