[Openswan Users] How to reload ipsec.conf without disconnecting unaffected tunnels?

Sat Jul 20 04:02:09 UTC 2013

ipsec auto --rereadall

I don't see how it can not reload your certs

sent from a tiny device 

On 2013-07-18, at 23:47, Steve Leung <kesteve at kesteve.com> wrote:

> Hi Nick,
> 
> 
> Thanks, this is something close to my need, but I hope there is a command to reload certs without knowing the Connection Name. To be precise, I found a command from StrongSWAN:
> 
> ipsec reload
> 
> sends a USR1 signal to ipsec starter which in turn reloads the whole configuration on the running IKE daemon charon based on the actual ipsec.conf. Currently established connections are not affected by configuration changes.
> 
> 
> The description is actually what I want however this is not available in OpenSWAN.
> 
> 
> Best regards,
> Steve
> 
> 
> 
> 2013/7/15 Nick Howitt <n1ck.h0w1tt at gmail.com>
>> For a single tunnel try "ipsec auto --replace {conn-name}".
>> 
>> On 2013-07-15 07:05, Timmy wrote:
>> 
>>> On Ubuntu:
>>> service ipsec {start|stop|restart|reload|force-reload|condrestart|try-restart|status|version}
>>> 
>>> 
>>> 
>>>> Thank you for rescuing this email from spam.
>>>> 
>>>> Does anyone have any idea to reload ipsec config without affecting the existing tunnels?
>>>> 
>>>> 
>>>> Best regards,
>>>> Steve
>>>> 
>>>> 
>>>> 
>>>> 2013/7/5 Steve Leung <kesteve at kesteve.com>
>>>>> Hi guys,
>>>>> 
>>>>> I have OpenSWAN running when system boot, with several connections defined, one of them is using X.509 certificate.
>>>>> 
>>>>> My system clock will be reset every time when I restart the system, (i.e. reset to Jan 01 2010), and the time will be corrected by NTP within a few minutes after boot. The problem is, when pluto start and try to load the certs, it will complain: "X.509 certificate is not valid until Aug 16 09:22:00 UTC 2012 (it is now=Jan 01 00:02:10 UTC 2010)". I'll need to run "ipsec setup restart" after NTP corrected the time, but this will disconnect all the existing connections. 
>>>>> 
>>>>> Is there any commands to reload the certs? There is `ipsec auto --rereadall` but it only reload the cacerts/crls/etc but not for /etc/ipsec.d/certs (i.e. leftcert and rightcert defined in /etc/ipsec.conf). 
>>>>> 
>>>>> Is it possible to reload the configuration file without interrupting established connections?
>>>>>  
>>>>> Thank you :)
>>>>> 
>>>>> Best regards,
>>>>> Steve
>>>> 
>>>> 
>>>> _______________________________________________
>>>> Users at lists.openswan.org
>>>> https://lists.openswan.org/mailman/listinfo/users
>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>> 
>>> 
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>> 
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130720/fa08b487/attachment.html>