
Issue #3046

What command to reload certs?

Added by li yang 5 months ago. Updated 6 days ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.6.3
Resolution:
No feedback

Description

Hi expert,

I would like to handle changes of the cert, which is contained in /etc/ipsec.d/certs/.

In https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand, there is a method to reread cacerts and to purge certs, but no method to reread certs.

If there is no such method to handle going from no cert to one cert, from one cert to no cert, or a cert change, the ipsec service has to be restarted, in which case unrelated IPsec/bypass/discard traffic is impacted.

Your comment is very appreciated.

History

#1 Updated by Tobias Brunner 5 months ago

  • Category set to configuration
  • Status changed from New to Feedback

First, don't use starter/stroke/ipsec.conf, but swanctl/vici/swanctl.conf instead (see configuration files), where you can load credentials (including end-entity certificates) separately, and reloading configs also does not have all the same issues it has with ipsec.conf.

In https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand, there is a method to reread cacerts and to purge certs, but no method to reread certs.

That's because these are associated with connections; you have to reload them to load new certificates (and since ipsec update does not notice a changed certificate you have to use ipsec reload, which is not ideal as it replaces all config objects, and that can have an impact on existing connections, e.g. during rekeying).

the ipsec service has to be restarted, in which case unrelated IPsec/bypass/discard traffic is impacted.

Restarting is also possible, use the firewall to avoid traffic leaks.
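
The separate credential reload described in the comment above, as an added shell example that is not part of this ticket or of strongSwan itself: it fingerprints the swanctl credential directories and runs `swanctl --load-creds --clear` only when a certificate or key was added, removed or replaced, so the daemon keeps running and unrelated SAs and bypass/discard policies are untouched. It assumes the default swanctl directory layout (x509/, x509ca/, private/ under /etc/swanctl); the state file path and the SWANCTL/CRED_DIR/STATE_FILE variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not strongSwan's own tooling: reload swanctl credentials
# without restarting charon, and only when the credential files changed.
# Assumed defaults (override via environment): swanctl on PATH, the default
# /etc/swanctl layout, and a state file under /var/run.
SWANCTL="${SWANCTL:-swanctl}"
CRED_DIR="${CRED_DIR:-/etc/swanctl}"
STATE_FILE="${STATE_FILE:-/var/run/swanctl-creds.cksum}"

# Fingerprint of every file in the credential subdirectories: each file's
# path and cksum is listed, then the list itself is checksummed, so adding,
# removing or replacing a cert or key changes the result.
cred_fingerprint() {
  for d in x509 x509ca private; do
    [ -d "$CRED_DIR/$d" ] || continue
    find "$CRED_DIR/$d" -type f | LC_ALL=C sort | while read -r f; do
      printf '%s ' "$f"
      cksum < "$f"
    done
  done | cksum | cut -d' ' -f1
}

# Reload credentials if the fingerprint differs from the last recorded one.
# Returns 0 after a reload, 1 when nothing changed, 2 when swanctl failed.
reload_if_changed() {
  new=$(cred_fingerprint)
  old=""
  [ -f "$STATE_FILE" ] && old=$(cat "$STATE_FILE")
  if [ "$new" = "$old" ]; then
    return 1
  fi
  # --clear drops previously loaded credentials first, so a removed cert
  # really disappears instead of lingering next to the new one.
  "$SWANCTL" --load-creds --clear || return 2
  printf '%s\n' "$new" > "$STATE_FILE"
  return 0
}
```

Run it from cron, a systemd path unit, or the post-renewal hook of whatever issues the certificate. One caveat: if a connection pins its certificate with `certs = <file>` in swanctl.conf, swanctl reads that file when the connection is loaded, so a pinned file that changed also needs `swanctl --load-conns`; since the comment above notes that replacing connection config is what can disturb existing SAs, keep the credential reload separate and only touch the connections when a pinned file actually changed.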

#2 Updated by Tobias Brunner 6 days ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback
