<div dir="ltr"><br><br><div class="gmail_quote"><div dir="ltr">On Fri, Jun 1, 2018 at 11:51 AM Noel Kuntze <noel.kuntze+strongswan-users-ml@thermi.consulting> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">><br>
> I'd also check that under no circumstances can the hosts exchange unencrypted traffic. This can happen for example if the tunnel goes down and there's nothing to block unencrypted traffic. "auto=route" is a good idea, as is blocking everything besides ESP with iptables.<br>
If you do that, nothing will work, because decapsulated packets are subject to iptables rules, too.<br></blockquote><div><br></div><div>You're right, I hadn't considered a policy based tunnel. All of the tunnels I administer use dynamic routing and a vti: the rules that block unencrypted traffic apply only to the ethernet interface. (Incidentally the tunnel interface makes packet captures easier.)</div><div><br></div><div>"auto=route" should work regardless.</div></div></div>