1

I'm searching for a way to reload new IPsec certificates without restarting the service and interrupting existing tunnel connections.

As part of the activity, I'm replacing certificates (including intermediate ca) and keys.

I tried to use ipsec rereadall, but it seems like it rereads only /etc/ipsec.secrets, /etc/ipsec.d/cacerts, ocspcerts, acerts and crls and not /etc/ipsec.d/certs/, so it didn't work.

systemctl restart IKEV2 is not an option of course, as it breaks running tunnel connections.

Is there any way to do it without a user impact?

Edit: I'm using IKEV2 strongSwan

Barti
  • 11
  • 3

1 Answer

0

With the deprecated ipsec.conf/starter/stroke config backend, strongSwan will only read certificates from the ipsec.d/certs directory if they are referenced in conn sections (left|rightcert). This being the case, you'll have to reload the connections to load new end-entity certificates. Since using ipsec reload isn't recommended (it removes all existing configs before loading them again, which causes rekeying to fail later for existing connections), you have to actually rename the new certificates and change ipsec.conf accordingly so ipsec update can pick up the change and only replace affected configs. Note that this still affects active connections for these configs, so if you change a certificate that all your connections use, you can also just use ipsec reload or even ipsec restart as all connections will be affected.

To avoid all that, I'd recommend you switch to the swanctl.conf/vici config backend if you can. It allows you to (re-)load certificates independently of connections via the swanctl/x509 directory and the swanctl --load-creds command (they can be referenced from the configs via identity). And even if you reference certificates in the config explicitly (e.g. via an absolute path outside of the swanctl directory), reloading those via swanctl --load-conns does work way better as you don't have to rename files so updated certificates are detected and it does not break existing connections.

ecdsa
  • 3,973
  • 15
  • 29
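The swanctl route the answer recommends, as an added example (not code from the answer or from the strongSwan project): stage the renewed end-entity certificate, its key and the intermediate CA under the swanctl directories and have the running daemon re-read them with swanctl --load-creds. It assumes the default /etc/swanctl layout (x509, private, x509ca subdirectories; overridable via SWANCTL_DIR and SWANCTL_BIN) and uses openssl, when present, to refuse a key that does not belong to the certificate before anything touches the live directories.

```shell
#!/bin/sh
# Assumed paths; override SWANCTL_DIR / SWANCTL_BIN for non-default layouts.
: "${SWANCTL_DIR:=/etc/swanctl}"
: "${SWANCTL_BIN:=swanctl}"

# reload_creds NEW_CERT NEW_KEY [NEW_INTERMEDIATE_CA]
# Copies the files to the swanctl credential directories (key with 0600),
# then asks the daemon to load them. Existing IKE_SAs stay up; the new
# certificate is used from the next (re)authentication on. The connection
# in swanctl.conf selects the certificate by identity, so no rename is needed.
reload_creds() {
  cert="$1"; key="$2"; ca="$3"
  if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
    echo "certificate or key not readable" >&2
    return 1
  fi
  if command -v openssl >/dev/null 2>&1; then
    # Compare the SubjectPublicKeyInfo of the cert with the one derived
    # from the private key; a mismatch means the wrong key was shipped.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
      echo "not a valid PEM certificate: $cert" >&2; return 1; }
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
      echo "not a valid PEM private key: $key" >&2; return 1; }
    if [ "$cpub" != "$kpub" ]; then
      echo "private key does not match certificate" >&2
      return 1
    fi
  else
    echo "openssl not found, skipping key/certificate match check" >&2
  fi
  install -m 0644 "$cert" "$SWANCTL_DIR/x509/$(basename "$cert")" || return 1
  install -m 0600 "$key"  "$SWANCTL_DIR/private/$(basename "$key")" || return 1
  if [ -n "$ca" ]; then
    install -m 0644 "$ca" "$SWANCTL_DIR/x509ca/$(basename "$ca")" || return 1
  fi
  # Re-read credentials without reloading connections or restarting charon.
  "$SWANCTL_BIN" --load-creds
}
```

After the reload, swanctl --list-certs shows the newly loaded certificate alongside the old one until the daemon is restarted, which is expected.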