[Openswan Users] How to reload ipsec.conf without disconnecting unaffected tunnels?
Steve Leung
2013-07-15 04:28:58 UTC

Thank you for rescuing this email from spam.

Does anyone have any idea how to reload the ipsec config without affecting the
existing tunnels?

Best regards,
Steve
Hi guys,
I have OpenSWAN running when the system boots, with several connections
defined, one of which is using an X.509 certificate.
My system clock is reset every time I restart the system (i.e.
reset to Jan 01 2010), and the time is corrected by NTP within a few
minutes after boot. The problem is, when pluto starts and tries to load the
certs, it complains: "X.509 certificate is not valid until Aug 16
09:22:00 UTC 2012 (it is now=Jan 01 00:02:10 UTC 2010)". I'll need to run
"ipsec setup restart" after NTP has corrected the time, but this will
disconnect all the existing connections.
Is there any command to reload the certs? There is `ipsec auto
--rereadall`, but it only reloads the cacerts/crls/etc., not
/etc/ipsec.d/certs (i.e. leftcert and rightcert defined in
/etc/ipsec.conf).
Is it possible to reload the configuration file without interrupting
established connections?
Thank you :)
Best regards,
Steve
Timmy
2013-07-15 06:05:10 UTC
On Ubuntu:
service ipsec
{start|stop|restart|reload|force-reload|condrestart|try-restart|status|version}
_______________________________________________
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Nick Howitt
2013-07-15 07:21:18 UTC
For a single tunnel try "ipsec auto --replace {conn-name}".
Steve Leung
2013-07-19 03:47:33 UTC
Hi Nick,


Thanks, this is something close to my need, but I hope there is a command
to reload certs without knowing the connection name. To be precise, I found
a command in StrongSWAN:

*ipsec reload*

sends a *USR1* signal to ipsec starter which in turn reloads the whole
configuration on the running IKE daemon charon based on the actual
ipsec.conf. Currently established connections are not affected by
configuration changes.

The description is actually what I want; however, this is not available in
OpenSWAN.


Best regards,
Steve
Leto
2013-07-20 04:02:09 UTC
ipsec auto --rereadall

I don't see how it can not reload your certs

sent from a tiny device
Steve Leung
2013-08-12 04:28:01 UTC
Sorry for my late reply.

--rereadall will not read leftcert and rightcert in /etc/ipsec.conf; it
does reread CA, AA, CRL, etc. To be precise, they are: "REREAD_SECRETS |
REREAD_CACERTS | REREAD_AACERTS | REREAD_OCSPCERTS | REREAD_ACERTS |
REREAD_CRLS", which do not include "leftcert" and "rightcert" (i.e.
/etc/ipsec.d/certs/). The only method seems to be --delete/--add (or
--replace); anyway, my setup is now using --delete/--add on the specific
connection to solve the problem. Thanks for all your help on this.


Best regards,
Steve
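The workaround Steve settled on (wait for NTP, then --delete/--add only the affected connection) can be scripted so that the tunnels whose certificates were fine at boot are never touched. The script below is an added example for this thread; it is not Openswan code and was not posted by anyone in the discussion. It goes one step further than the thread by scanning an ipsec.conf-style file for the conn sections that set leftcert= or rightcert= (the ones `ipsec auto --rereadall` does not reload), so the connection names do not have to be hard-coded. It assumes the `ipsec auto --delete` / `--add` commands named in the thread, a POSIX sh with awk, and a constructed sample config; the 2011-01-01 clock threshold is a chosen sanity value, later than the Jan 01 2010 reset in the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from Openswan or from any poster.
# After NTP has corrected the clock, re-add only the connections whose
# certificates pluto would have rejected at boot, leaving other tunnels up.
# Assumptions: an ipsec.conf-style file and the `ipsec auto --delete/--add
# <conn>` commands mentioned in the thread.

# List the "conn" sections of an ipsec.conf-style file that set leftcert= or
# rightcert=. %default and "config setup" sections are skipped.
cert_conns() {
    awk '
        /^[[:space:]]*conn[[:space:]]+/   { name = ($2 == "%default") ? "" : $2; next }
        /^[[:space:]]*config[[:space:]]+/ { name = ""; next }
        /^[[:space:]]*(leftcert|rightcert)[[:space:]]*=/ && name != "" && !seen[name]++ { print name }
    ' "$1"
}

# Clock sanity check: true once system time is past 2011-01-01 00:00:00 UTC
# (epoch 1293840000), i.e. later than the Jan 01 2010 reset value in the thread.
clock_is_sane() {
    [ "$(date -u +%s)" -ge 1293840000 ]
}

# Block until the clock has been stepped forward; $1 is the poll interval (s).
wait_for_clock() {
    while ! clock_is_sane; do sleep "${1:-10}"; done
}

# Re-add each cert-using connection found in the config file $1. With DRY_RUN
# set, only print the commands that would run instead of executing them.
reload_cert_conns() {
    cert_conns "$1" | while read -r conn; do
        if [ -n "$DRY_RUN" ]; then
            echo "ipsec auto --delete $conn; ipsec auto --add $conn"
        else
            ipsec auto --delete "$conn"
            ipsec auto --add "$conn"
        fi
    done
}

# Constructed sample config for demonstration (not a real deployment).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
config setup
    protostack=netkey

conn %default
    keyexchange=ike

conn site-a
    left=192.0.2.1
    leftcert=siteA.pem
    right=198.51.100.1

conn site-b
    left=192.0.2.1
    right=198.51.100.2
    authby=secret

conn site-c
    rightcert=siteC.pem
    leftcert=siteA.pem
EOF

# Demonstration run: show what would be re-added without touching a live pluto.
DRY_RUN=1 reload_cert_conns "$SAMPLE_CONF"
# Real use after boot: wait_for_clock 10 && reload_cert_conns /etc/ipsec.conf
```

Only site-a and site-c are re-added; site-b uses a pre-shared key and stays untouched. Deleting and re-adding a connection does tear down that one tunnel, so this is a targeted restart, not the zero-impact `ipsec reload` Steve found in StrongSWAN; the point of the clock check is to make sure the re-add happens after the certificate's notBefore date has become valid on this host, not before.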
Steve Leung
2013-07-19 03:41:55 UTC
Hi Timmy,

Thanks, but for openswan, it seems that `ipsec setup reload` is just the same
as `ipsec setup restart`, which disconnects all the tunnels and starts
over again.


Best regards,
Steve
Leto
2013-07-15 13:31:13 UTC
ipsec auto --rereadall

sent from a tiny device
Steve Leung
2013-07-19 03:43:23 UTC
Hi Leto,

Unfortunately the --rereadall option only reloads the cacerts/crls/etc., but
not /etc/ipsec.d/certs (i.e. leftcert and rightcert defined in
/etc/ipsec.conf).


Best regards,
Steve