However, re the possible bug, if you then do an "ipsec auto --start" the
xfrm policy at the *local end only* does reflect the new conn definition
and the removed subnet disappears from the local xfrm policy. At the
remote end the xfrm policy remains for the deleted subnet.
On 28/01/2018 09:26, Nick Howitt wrote:
Hi Paul,
I've been playing around with leftsubnet and leftsubnets to see if
either leftsubnet can be used for multiple subnets (it can't) or if
leftsubnets can be used for a single subnet (it can with or without
the braces). Is there any disadvantage of using leftsubnets for a
single subnet apart from it appending an instantiation marker to the
conn name?
While doing this checking I was using the "ipsec auto --replace"
command and I think I have a problem. If you have leftsubnets={subnetA
subnetB}, xfrm policies are put in place for both subnets. If you
change your file and remove subnetB from leftsubnets and do an "ipsec
auto --replace" it leaves the xfrm policy for subnetB in place rather
than remove it. Is this the expected behaviour? It is like it reads
the updated file and uses this to change the conn but it only changes
the bits it sees from the file and not the bit that was removed.
Regards,
Nick
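One way to catch the situation described above, where a subnet removed from leftsubnets still has an xfrm policy installed, is to compare the outbound policies the kernel holds against the subnets that remain in ipsec.conf. The script below is an added example for this thread, not code from libreswan or from the poster; the `ip xfrm policy` text and the subnet list are constructed here so it runs offline. On a real host you would pipe the live `ip xfrm policy` output into `stale_policies` instead of the sample string.

```shell
#!/bin/sh
# Constructed sample of 'ip xfrm policy' output (not captured from a real host).
# Two outbound tunnel policies exist, but only 192.168.1.0/24 is still configured.
SAMPLE_XFRM_POLICY='src 192.168.1.0/24 dst 10.0.0.0/24
    dir out priority 1042407 ptype main
    tmpl src 198.51.100.1 dst 203.0.113.1
        proto esp reqid 16389 mode tunnel
src 192.168.2.0/24 dst 10.0.0.0/24
    dir out priority 1042407 ptype main
    tmpl src 198.51.100.1 dst 203.0.113.1
        proto esp reqid 16390 mode tunnel
src 10.0.0.0/24 dst 192.168.1.0/24
    dir in priority 1042407 ptype main
    tmpl src 203.0.113.1 dst 198.51.100.1
        proto esp reqid 16389 mode tunnel'

# Left subnets that remain in ipsec.conf after the edit (constructed value).
CONFIGURED_LEFTSUBNETS="192.168.1.0/24"

# Read 'ip xfrm policy' text on stdin and print the source subnet of every
# outbound policy (the "dir out" entries are the ones keyed on the local subnet).
outbound_src_subnets() {
    awk '
        /^src / { src = $2 }
        /^[ \t]*dir out/ { print src }
    '
}

# stale_policies "SUBNET ..." < policy_text
# Prints each outbound policy source subnet that is not in the configured list.
stale_policies() {
    configured="$1"
    outbound_src_subnets | while read -r subnet; do
        found=0
        for c in $configured; do
            if [ "$c" = "$subnet" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$subnet"
        fi
    done
}

# Run the check against the constructed sample.
# On a live system: ip xfrm policy | stale_policies "$CONFIGURED_LEFTSUBNETS"
check_sample() {
    printf '%s\n' "$SAMPLE_XFRM_POLICY" | stale_policies "$CONFIGURED_LEFTSUBNETS"
}

check_sample
```

With the sample above the check reports `192.168.2.0/24`, the subnet that was dropped from the conn but whose policy survived. Running it on both gateways after an `ipsec auto --replace` makes the asymmetry described in the thread visible: the stale entry shows up only on the end where the policy was not removed.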
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan