diff --git a/pkg/api/acl.go b/pkg/api/acl.go
index 3cf4281..5f06b7d 100755
--- a/pkg/api/acl.go
+++ b/pkg/api/acl.go
@@ -22,7 +22,7 @@ func (h ACL) List(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
@@ -41,7 +41,7 @@ func (h ACL) Add(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
@@ -66,7 +66,7 @@ func (h ACL) Del(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
@@ -91,7 +91,7 @@ func (h ACL) Save(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
diff --git a/pkg/api/api.go b/pkg/api/api.go
index 4a33edf..57aaf0c 100755
--- a/pkg/api/api.go
+++ b/pkg/api/api.go
@@ -95,18 +95,39 @@ type Networker interface {
 	VPNer
 }
 
-var workers = make(map[string]Networker)
+type IPSecer interface {
+	AddTunnel(data schema.IPSecTunnel)
+	DelTunnel(data schema.IPSecTunnel)
+	ListTunnels(call func(obj schema.IPSecTunnel))
+}
+
+type APICall struct {
+	workers map[string]Networker
+	secer   IPSecer
+}
 
-func AddWorker(name string, obj Networker) {
-	workers[name] = obj
+func (i *APICall) AddWorker(name string, obj Networker) {
+	i.workers[name] = obj
 }
 
-func GetWorker(name string) Networker {
-	return workers[name]
+func (i *APICall) GetWorker(name string) Networker {
+	return i.workers[name]
 }
 
-func ListWorker(call func(w Networker)) {
-	for _, worker := range workers {
+func (i *APICall) ListWorker(call func(w Networker)) {
+	for _, worker := range i.workers {
 		call(worker)
 	}
 }
+
+func (i *APICall) SetIPSecer(value IPSecer) {
+	i.secer = value
+}
+
+func (i *APICall) GetIPSecer() IPSecer {
+	return i.secer
+}
+
+var Call = &APICall{
+	workers: make(map[string]Networker),
+}
diff --git a/pkg/api/network.go b/pkg/api/network.go
index 0291ea8..6b4b4c5 100755
--- a/pkg/api/network.go
+++ b/pkg/api/network.go
@@ -76,7 +76,7 @@ func (h Network) Post(w http.ResponseWriter, r *http.Request) {
 func (h Network) Delete(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	network := vars["id"]
-	worker := GetWorker(network)
+	worker := Call.GetWorker(network)
 	if worker == nil {
 		http.Error(w, "network not found", http.StatusBadRequest)
 		return
@@ -110,7 +110,7 @@ func (h Network) RestartVPN(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
diff --git a/pkg/api/output.go b/pkg/api/output.go
index 2857609..7c54d8e 100755
--- a/pkg/api/output.go
+++ b/pkg/api/output.go
@@ -50,7 +50,7 @@ func (h Output) Post(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "network is nil", http.StatusBadRequest)
 		return
 	}
-	worker := GetWorker(name)
+	worker := Call.GetWorker(name)
 	if worker == nil {
 		http.Error(w, "network not found", http.StatusBadRequest)
 		return
@@ -73,7 +73,7 @@ func (h Output) Delete(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "network is nil", http.StatusBadRequest)
 		return
 	}
-	worker := GetWorker(name)
+	worker := Call.GetWorker(name)
 	if worker == nil {
 		http.Error(w, "network not found", http.StatusBadRequest)
 		return
@@ -86,7 +86,7 @@ func (h Output) Save(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusBadRequest)
 		return
diff --git a/pkg/api/qos.go b/pkg/api/qos.go
index cfeefb0..a5b6571 100644
--- a/pkg/api/qos.go
+++ b/pkg/api/qos.go
@@ -1,9 +1,10 @@
 package api
 
 import (
+	"net/http"
+
 	"github.com/gorilla/mux"
 	"github.com/luscis/openlan/pkg/schema"
-	"net/http"
 )
 
 type QosApi struct {
@@ -22,7 +23,7 @@ func (h QosApi) List(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
@@ -47,7 +48,7 @@ func (h QosApi) Add(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
@@ -75,7 +76,7 @@ func (h QosApi) Del(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
@@ -96,7 +97,7 @@ func (h QosApi) Save(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
diff --git a/pkg/api/route.go b/pkg/api/route.go
index e163b80..34fedbe 100644
--- a/pkg/api/route.go
+++ b/pkg/api/route.go
@@ -1,11 +1,12 @@
 package api
 
 import (
+	"net/http"
+
 	"github.com/gorilla/mux"
 	"github.com/luscis/openlan/pkg/cache"
 	"github.com/luscis/openlan/pkg/models"
 	"github.com/luscis/openlan/pkg/schema"
-	"net/http"
 )
 
 type Route struct {
@@ -38,7 +39,7 @@ func (rt Route) Add(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
@@ -63,7 +64,7 @@ func (rt Route) Del(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
@@ -88,7 +89,7 @@ func (rt Route) Save(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
diff --git a/pkg/api/ztrust.go b/pkg/api/ztrust.go
index b06c71b..a90e912 100755
--- a/pkg/api/ztrust.go
+++ b/pkg/api/ztrust.go
@@ -46,7 +46,7 @@ func (h ZTrust) ListGuest(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
@@ -77,7 +77,7 @@ func (h ZTrust) AddGuest(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
@@ -127,7 +127,7 @@ func (h ZTrust) DelGuest(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
@@ -165,7 +165,7 @@ func (h ZTrust) ListKnock(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
@@ -195,7 +195,7 @@ func (h ZTrust) AddKnock(w http.ResponseWriter, r *http.Request) {
 	vars := mux.Vars(r)
 	id := vars["id"]
 
-	worker := GetWorker(id)
+	worker := Call.GetWorker(id)
 	if worker == nil {
 		http.Error(w, "Network not found", http.StatusInternalServerError)
 		return
diff --git a/pkg/config/ipsec.go b/pkg/config/ipsec.go
index ca6fe67..23eb887 100644
--- a/pkg/config/ipsec.go
+++ b/pkg/config/ipsec.go
@@ -35,3 +35,11 @@ func (s *IPSecSpecifies) Correct() {
 		t.Correct()
 	}
 }
+
+func (s *IPSecSpecifies) AddTunnel(data *IPSecTunnel) {
+
+}
+
+func (s *IPSecSpecifies) DelTunnel(data *IPSecTunnel) {
+
+}
diff --git a/pkg/libol/promise.go b/pkg/libol/promise.go
index fd2f5de..4f01347 100755
--- a/pkg/libol/promise.go
+++ b/pkg/libol/promise.go
@@ -11,6 +11,15 @@ type Promise struct {
 }
 
 func NewPromise() *Promise {
+	return &Promise{
+		First:  time.Second * 2,
+		MaxInt: time.Minute,
+		MinInt: time.Second * 10,
+		MaxTry: 10,
+	}
+}
+
+func NewPromiseAlways() *Promise {
 	return &Promise{
 		First:  time.Second * 2,
 		MaxInt: time.Minute,
diff --git a/pkg/schema/ipsec.go b/pkg/schema/ipsec.go
new file mode 100644
index 0000000..fefb9ec
--- /dev/null
+++ b/pkg/schema/ipsec.go
@@ -0,0 +1,12 @@
+package schema
+
+type IPSecTunnel struct {
+	Left      string `json:"local"`
+	LeftId    string `json:"localid"`
+	LeftPort  string `json:"localport"`
+	Right     string `json:"remote"`
+	RightId   string `json:"remoteid"`
+	RightPort string `json:"remoteport"`
+	Transport string `json:"transport"`
+	Secret    string `json:"secret"`
+}
diff --git a/pkg/switch/ipsec.go b/pkg/switch/ipsec.go
index 09464f2..0db4309 100644
--- a/pkg/switch/ipsec.go
+++ b/pkg/switch/ipsec.go
@@ -8,6 +8,7 @@ import (
 	"github.com/luscis/openlan/pkg/api"
 	co "github.com/luscis/openlan/pkg/config"
 	"github.com/luscis/openlan/pkg/libol"
+	"github.com/luscis/openlan/pkg/schema"
 )
 
 type IPSecWorker struct {
@@ -112,7 +113,7 @@ func (w *IPSecWorker) startConn(name string) {
 	})
 }
 
-func (w *IPSecWorker) AddTunnel(tunnel *co.IPSecTunnel) error {
+func (w *IPSecWorker) addTunnel(tunnel *co.IPSecTunnel) error {
 	connTmpl := ""
 	secTmpl := ""
 
@@ -152,11 +153,11 @@ func (w *IPSecWorker) Start(v api.Switcher) {
 	w.uuid = v.UUID()
 	w.out.Info("IPSecWorker.Start")
 	for _, tunnel := range w.spec.Tunnels {
-		w.AddTunnel(tunnel)
+		w.addTunnel(tunnel)
 	}
 }
 
-func (w *IPSecWorker) RemoveTunnel(tunnel *co.IPSecTunnel) error {
+func (w *IPSecWorker) removeTunnel(tunnel *co.IPSecTunnel) error {
 	name := tunnel.Name
 	if tunnel.Transport == "vxlan" {
 		libol.Exec("ipsec", "auto", "--delete", "--asynchronous", name+"-c1")
@@ -184,7 +185,7 @@ func (w *IPSecWorker) RemoveTunnel(tunnel *co.IPSecTunnel) error {
 func (w *IPSecWorker) Stop() {
 	w.out.Info("IPSecWorker.Stop")
 	for _, tunnel := range w.spec.Tunnels {
-		w.RemoveTunnel(tunnel)
+		w.removeTunnel(tunnel)
 	}
 }
 
@@ -193,3 +194,29 @@ func (w *IPSecWorker) Reload(v api.Switcher) {
 	w.Initialize()
 	w.Start(v)
 }
+
+func (w *IPSecWorker) AddTunnel(data schema.IPSecTunnel) {
+	cfg := &co.IPSecTunnel{
+		Left:      data.Left,
+		Right:     data.Right,
+		Secret:    data.Secret,
+		Transport: data.Transport,
+	}
+	w.spec.AddTunnel(cfg)
+	w.addTunnel(cfg)
+}
+
+func (w *IPSecWorker) DelTunnel(data schema.IPSecTunnel) {
+	cfg := &co.IPSecTunnel{
+		Left:      data.Left,
+		Right:     data.Right,
+		Secret:    data.Secret,
+		Transport: data.Transport,
+	}
+	w.removeTunnel(cfg)
+	w.spec.DelTunnel(cfg)
+}
+
+func (w *IPSecWorker) ListTunnels(call func(obj schema.IPSecTunnel)) {
+
+}
diff --git a/pkg/switch/network.go b/pkg/switch/network.go
index 5f45f5b..1a120f7 100755
--- a/pkg/switch/network.go
+++ b/pkg/switch/network.go
@@ -20,13 +20,15 @@ func NewNetworker(c *co.Network) api.Networker {
 	var obj api.Networker
 	switch c.Provider {
 	case "ipsec":
-		obj = NewIPSecWorker(c)
+		secer := NewIPSecWorker(c)
+		api.Call.SetIPSecer(secer)
+		obj = secer
 	case "router":
 		obj = NewRouterWorker(c)
 	default:
 		obj = NewOpenLANWorker(c)
 	}
-	api.AddWorker(c.Name, obj)
+	api.Call.AddWorker(c.Name, obj)
 	return obj
 }