Hi Karuna,

> Would `ipsec update` also work when I update the cert thumbprint in
> ipsec.secrets file?

I'm not exactly sure what you are referring to with "cert thumbprint", but changed certificates are not detected by `update` unless the name has changed. And ipsec.secrets and files in ipsec.d subfolders are (re-)loaded with separate commands, never with `update` or `reload`.

> I'm assuming that until the IKE SA is re-negotiated the
> existing IKE SA and child ESP SA will continue to work, correct?

Since existing connections are not affected by config changes that's the case anyway. However, e.g. as client if the SA is reauthenticated, and the certificate expired, for instance, the old certificate of the existing connection would be used. So if the config is updated due to such a change, it's necessary to manually terminate and re-establish the SA.

Regards,
Tobias
