[strongSwan] Possibly a bug in charon when auto=start
Владимир Подобаев
vpodobaev at mail.ru
Tue Mar 2 10:31:45 CET 2010
Hello!
I've discovered a strange behaviour of charon.
I'm building a tunnel on esp 3des and IKEv2.
When I set the "auto=start" option in the conn section and my peer is up but charon is not running on it,
I'm still able to ping my peer and the peer can ping me too.
This means that we can access each other directly without IPsec while charon is setting up the tunnel.
And when I set "auto=route" - charon works ok and filters unsecured packets back and forth.
Is it a security issue with "auto=start"? Or is it legitimate behaviour of charon? Maybe I need to set some more options?
My version of strongswan is 4.3.6.
uname -a:
Linux podobaev 2.6.31-19-generic #56-Ubuntu SMP Thu Jan 28 02:39:34 UTC 2010 x86_64 GNU/Linux
strongswan.conf:
charon {
    threads = 16
    load = aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
}
ipsec.conf:
config setup
    charonstart=yes
    plutostart=no
    cachecrls=yes

conn vova-peter
    left=192.168.16.95
    leftcert=vovaCert.pem
    leftauth=pubkey
    right=192.168.16.114
    rightid="C=RU, ST=Russia, O=Firma, OU=peterCA, CN=Peter"
    rightca="C=RU, ST=Russia, L=Moscow, O=Firma, OU=peterCA, CN=peterCA"
    rightauth=pubkey
    type=tunnel
    lifetime=60
    auth=esp
    authby=pubkey
    auto=start    # !!!!!!!!!!!! when auto=route - ok
    inactivity=60
    esp=3des-sha1
    ike=3des-sha1-modp1024
    keyexchange=ikev2
Thank you in advance!
Best regards,
Vladimir
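The difference the post describes comes down to what is in the kernel's IPsec policy database: auto=route installs a policy for the host pair at startup, so packets that match it are held until the SA is negotiated, whereas auto=start only initiates the exchange and nothing blocks cleartext until the tunnel is up. The script below is an added example, not part of the original post or of strongSwan: it parses the text of `ip xfrm policy` (a constructed sample of that output is embedded, with made-up priority values) to check whether a host pair is covered by an ESP policy in a given direction, and it prints, without applying, the iptables rules a defender can add as a backstop so that no cleartext to or from the peer is accepted when no IPsec policy matches. The ACCEPT rules for IKE (UDP 500/4500) and ESP come first, because those packets are themselves not covered by an IPsec policy and the tunnel could never be negotiated without them. The host addresses are the ones from the posted ipsec.conf.

```shell
#!/bin/sh
# Added example (not from the original post): check whether the kernel holds an
# IPsec policy for a host pair, and emit iptables backstop rules that drop
# cleartext to/from the peer when no policy matches.

# Constructed sample of `ip xfrm policy` output, as seen after auto=route has
# installed trap policies for 192.168.16.95 <-> 192.168.16.114. The layout
# follows iproute2's format; the priority values are made up.
SAMPLE_XFRM_POLICY='src 192.168.16.95/32 dst 192.168.16.114/32
	dir out priority 2816
	tmpl src 192.168.16.95 dst 192.168.16.114
		proto esp reqid 1 mode tunnel
src 192.168.16.114/32 dst 192.168.16.95/32
	dir in priority 2816
	tmpl src 192.168.16.114 dst 192.168.16.95
		proto esp reqid 1 mode tunnel'

# has_ipsec_policy SRC DST DIR   (reads `ip xfrm policy` text on stdin)
# Exits 0 if a policy whose selector is SRC/32 -> DST/32 exists in direction
# DIR (in/out/fwd) and carries an ESP template, 1 otherwise.
has_ipsec_policy() {
    awk -v want_src="$1/32" -v want_dst="$2/32" -v want_dir="$3" '
        # A selector line "src X dst Y" starts a new policy record.
        $1 == "src" && $3 == "dst" {
            sel_ok = ($2 == want_src && $4 == want_dst); dir_ok = 0; next
        }
        # "dir out ..." line belongs to the current record.
        sel_ok && $1 == "dir" { dir_ok = ($2 == want_dir); next }
        # Template line "proto esp ..." means traffic must be ESP-protected.
        sel_ok && dir_ok && $1 == "proto" && $2 == "esp" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# backstop_rules PEER_IP   -- print (do not apply) iptables rules that drop any
# packet to or from PEER_IP that is not matched by an IPsec policy, while still
# letting IKE and ESP through so the tunnel can be negotiated.
backstop_rules() {
    peer="$1"
    printf 'iptables -A OUTPUT -d %s -p udp -m multiport --dports 500,4500 -j ACCEPT\n' "$peer"
    printf 'iptables -A OUTPUT -d %s -p esp -j ACCEPT\n' "$peer"
    printf 'iptables -A OUTPUT -d %s -m policy --dir out --pol none -j DROP\n' "$peer"
    printf 'iptables -A INPUT -s %s -p udp -m multiport --dports 500,4500 -j ACCEPT\n' "$peer"
    printf 'iptables -A INPUT -s %s -p esp -j ACCEPT\n' "$peer"
    printf 'iptables -A INPUT -s %s -m policy --dir in --pol none -j DROP\n' "$peer"
}

# Demonstration on the constructed sample: the outbound direction is covered.
printf '%s\n' "$SAMPLE_XFRM_POLICY" | has_ipsec_policy 192.168.16.95 192.168.16.114 out \
    && echo "outbound policy 192.168.16.95 -> 192.168.16.114 present"
backstop_rules 192.168.16.114
```

On a live host the check is `ip xfrm policy | has_ipsec_policy LEFT RIGHT out` run as root; if it fails while the connection is auto=start and charon has not finished, that is exactly the window in which cleartext passes. The printed iptables rules are only a backstop for the kernel policy, not a replacement for auto=route.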