Hi Karuna,

> As you clarified `ipsec update` or `ipsec reload` don't pick up the
> changes in ipsec.secrets and ipsec.d subfolders. Which command
> loads/reloads the changes in ipsec.secrets and ipsec.d subfolders?

See [1]. But I'd actually recommend you switch to swanctl/vici [2], which can handle such stuff much better. For one, changed certificates referenced in configs are detected, and you can even avoid referencing certificates (just configure the identity) and (re-)load them separately.

> Would this command terminate and re-establish the SA?

No, as I said before, existing connections are not affected by config changes.

> And with the intent to avoid network disruption and since authentication
> only takes place when the IKE SA is first established or re-negotiated,
> is there a way to make the new certificate effective only when the IKE
> SA is re-negotiated?

Depends on whether you are responder or initiator of the reauthentication and whether the certificate is explicitly referenced in the config. As responder the new config/certificate would be picked up, as initiator only if the certificate is not explicitly referenced in the config.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/ipseccommand
[2] https://wiki.strongswan.org/projects/strongswan/wiki/swanctl

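As an added illustration of the two swanctl.conf styles discussed above (this is example configuration written for this page, not a fragment posted by Tobias or shipped by the strongSwan project; the connection name `rw`, the identity `moon.strongswan.org`, the file names `moonCert.pem` and `moonKey.pem` and the traffic selectors are all hypothetical), the first `local` block pins the certificate by file name, so an initiator keeps using that file until the config is reloaded, while the second block configures only the identity and lets the daemon pick whichever matching certificate is currently loaded:

```conf
# /etc/swanctl/swanctl.conf (example, hypothetical names)
connections {
    rw {
        version = 2
        local_addrs = 192.168.0.1

        # Variant A: certificate referenced explicitly by file name.
        # The file is looked up in /etc/swanctl/x509/. When it is replaced,
        # run `swanctl --load-conns` (and `swanctl --load-creds`) so the
        # new certificate is used for the next IKE_SA / reauthentication.
        local {
            auth = pubkey
            certs = moonCert.pem
        }

        # Variant B: identity only, no certificate referenced.
        # The daemon selects a loaded certificate whose subject or SAN
        # matches the identity. Dropping the new PEM into
        # /etc/swanctl/x509/ and running `swanctl --load-creds` is then
        # enough; the connection config itself does not change.
        # (Use only one of the two local blocks in a real setup.)
        local-idonly {
            auth = pubkey
            id = moon.strongswan.org
        }

        remote {
            auth = pubkey
        }

        children {
            net {
                local_ts = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
            }
        }
    }
}

# Private keys are loaded from /etc/swanctl/private/ (e.g. moonKey.pem)
# and CA certificates from /etc/swanctl/x509ca/ by `swanctl --load-creds`.
```

Neither reload command touches established IKE_SAs or CHILD_SAs, which matches the behaviour described in the reply: the new certificate is only presented when an IKE_SA is next established or reauthenticated, and as initiator only if the certificate is not pinned by file name (variant A) but selected via the identity (variant B).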