Hi Vladimir,

I recommend not depending on IPsec policies if you want to enforce that no unencrypted traffic leaves the gateway and that no unprotected traffic is accepted.
Use the policy match provided by iptables. Here's an example:

  iptables -A FORWARD -m policy --dir out --pol ipsec -j ACCEPT
  iptables -A FORWARD -m policy --dir in --pol ipsec -j ACCEPT
  # Do not forward packets to or from xyz if ipsec is off
  iptables -A FORWARD -d 1.2.3.4/26 -j REJECT --reject-with icmp-net-unreachable
  iptables -A FORWARD -s 1.2.3.4/26 -j REJECT --reject-with icmp-net-unreachable

-Daniel

> Martin, thank you for the clarification.
> I think it would be good if this 'auto=start' behaviour were documented in
> the ipsec.conf(5) man page.
> Because a strongswan-newbie sysadmin may use this option without knowing that
> unencrypted packets are not filtered if the tunnel is not up yet. This may be
> a serious vulnerability in a system.
>
> Thank you!
> Best regards, Vladimir
>
>> Yes, this is the intended behavior. auto=start does not install policies
>> until the tunnel has been negotiated. auto=route installs the policies
>> and triggers a tunnel when required.
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
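The following is an added example, not Daniel's rules or anything shipped by the strongSwan project. It builds a fail-closed ruleset in iptables-restore format around the same `-m policy` match, and goes a step further than the FORWARD-only rules above: it also covers the gateway's own traffic (INPUT/OUTPUT) and explicitly permits IKE (UDP 500/4500) and ESP to and from the peer gateway before the rejects, so the tunnel can still be negotiated even when the peer's address lies inside the protected range. The addresses (192.0.2.0/26, 203.0.113.1) are constructed RFC 5737 placeholders, and the `--proto esp` narrowing assumes an ESP tunnel, which is strongSwan's default; both are assumptions, not values from the thread.

```shell
#!/bin/sh
# Fail-closed ruleset for an IPsec gateway (iptables-restore format).
# Added example; not from the mailing-list thread or the strongSwan project.
# Constructed defaults (RFC 5737 documentation ranges), override via environment:
REMOTE_NET="${REMOTE_NET:-192.0.2.0/26}"   # subnet reachable only through the tunnel
PEER_GW="${PEER_GW:-203.0.113.1}"          # public address of the remote IPsec gateway
#
# Usage:  sh ipsec-failclosed.sh          # print the ruleset
#         sh ipsec-failclosed.sh apply    # append it with iptables-restore --noflush

# ipsec_rules <remote_net> <peer_gateway_ip>
# Emits the rules in the order that matters: exemptions first, then policy
# matches, then the catch-all rejects. iptables-restore ignores '#' lines.
ipsec_rules() {
remote_net=$1
peer_gw=$2
cat <<EOF
*filter
# 1. IKE and ESP between the two gateways must stay reachable, otherwise the
#    tunnel can never come up once the rejects below are in place. Only strictly
#    needed when $peer_gw is inside $remote_net; harmless otherwise.
-A INPUT -s $peer_gw -p udp -m multiport --dports 500,4500 -j ACCEPT
-A INPUT -s $peer_gw -p esp -j ACCEPT
-A OUTPUT -d $peer_gw -p udp -m multiport --dports 500,4500 -j ACCEPT
-A OUTPUT -d $peer_gw -p esp -j ACCEPT
# 2. Packets that were decapsulated from ESP (dir in) or that will be
#    encapsulated by an installed policy (dir out) are accepted in every
#    chain they can traverse. No installed policy (auto=start, tunnel down)
#    means no match here.
-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
# 3. Everything else to or from the protected subnet, forwarded or originated
#    by the gateway itself, is rejected instead of leaving in the clear.
-A FORWARD -d $remote_net -j REJECT --reject-with icmp-net-unreachable
-A FORWARD -s $remote_net -j REJECT --reject-with icmp-net-unreachable
-A INPUT -s $remote_net -j REJECT --reject-with icmp-net-unreachable
-A OUTPUT -d $remote_net -j REJECT --reject-with icmp-net-unreachable
COMMIT
EOF
}

# Default action prints; 'apply' loads the rules without flushing existing ones.
case "${1:-print}" in
    apply) ipsec_rules "$REMOTE_NET" "$PEER_GW" | iptables-restore --noflush ;;
    *)     ipsec_rules "$REMOTE_NET" "$PEER_GW" ;;
esac
```

Verify the result with `iptables -L FORWARD -v -n` while the tunnel is down: the REJECT counters should grow and no packets for the protected subnet should reach the outgoing interface. With `--noflush` the rules are appended, so if an earlier rule in the same chain already ACCEPTs that subnet the rejects never fire; insert them ahead of it or use `-I` in that case.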