[Swan-dev] libreswan-git/klips doesn't remove old ip addresses from ipsec device

Wolfgang Nothdurft wolfgang at linogate.de
Wed May 7 17:33:40 EEST 2014

If the ip address of a dynamic base device changes the old ip address 
will not removed even after an ipsec restart.

The problem was introduced with the

commit eafef8377e6aa5be0001d4b61c48cbee3e8097c4
Author: Paul Wouters <pwouters at redhat.com>
Date:   Fri Mar 28 19:05:56 2014 -0400

     _stackmanager: optimize unloading stacks


With this change the ipsec modules won't be unloaded on stop.

Should it be part of the network scripts to care about an ip address 
change and removing it from the ipsec device?

What is the recommend procedure that the network scripts have to do when 
the ip address changed?

I think one simple solution were to flush the ip from ipsec after 
clearing the eroutes or replacing the ip instead of adding id in the 
startklips function.


More information about the Swan-dev mailing list