IPSec->SPD not updated after change in IPSec->Config

eskild

2.2-RC (i386)
built on Sun Jan 11 18:19:43 CST 2015

After deleting a ph2 entry, the entry is still visible in IPSec->SPD, and established and visible in IPSec->Overview.

Tried to "Disconnect" and restart IPSec, but same result afterwards. I have not yet tried to reload.

Edit:

• Nevermind. After clearing SA at remote peer, the SPD is correct.

eri--

The idea is that it will remain there until the SA will timeout.
After that strongswan will cleanup that automatically.

I have not thought on a bad scenario from this per se hence no further action has been taken.

eskild

Is it possible that old ph2 may blackhole traffic then before ph2 times out?
To my knowledge, the order of ph2 in SPD determins which ph2 that forwards the packets.
Say you configure new ph2 with a subnet overlapping  the old one, then the old ph2 may blackhole traffic for a period of time, depending on where the new ph2 is in the SPD list compared to the old one.

eri--

Have you tested this?
To my knowledge this is not a possible scenario!

eskild

I have verified, that after deleting a ph2 entry, the SPD is still there and the tunnel is still active. I had the following ph2 configured:

0.0.0.0/0                 10.10.12.32/28
192.168.101.37 10.10.12.33

After deleting "192.168.101.37 10.10.12.33" from the config, it was still present in the SPD and also visible at ipsec->overview.

eri--

Yeah i know its visible but it should not be usable because its pending to be deleted as long as the SA timeouts.
Did you actually see a problem with traffic or just because you see it you assume its an issue?

eskild

I am asking if it might blackhole traffic due to the fact that the old tunnel is still active (by the looks if it from the GUI).
I have not experienced that it actually will blackhole the traffic.