[strongSwan] Possibly a bug in charon when auto=start

Владимир Подобаев vpodobaev at mail.ru
Wed Mar 3 13:49:56 CET 2010


Martin, thank you for the clarification.
I think it would be good if this 'auto=start' feature were documented in the ipsec.conf(5) man page,
because a strongSwan-newbie sysadmin may use this option without knowing that unencrypted packets are not filtered while the tunnel is not up yet. This may be a serious vulnerability in a system.

Thank you!
Best regards, Vladimir


> Yes, this is the intended behavior. auto=start does not install policies
> until the tunnel has been negotiated. auto=route installs the policies
> and triggers a tunnel when required.
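Added example, not part of the original thread: a constructed ipsec.conf with one conn on auto=start (no kernel policy until IKE completes, so matching traffic is sent in the clear meanwhile) next to one on auto=route (trap policies installed at startup, so the kernel holds matching packets and triggers IKE), plus a small audit function that lists conns relying on auto=start. The conn names, addresses and subnets are made up.

```shell
#!/bin/sh
# Constructed sample ipsec.conf (not from the original thread).
# branch-office: auto=start -> no policy in the kernel until the tunnel is
#   negotiated, so 10.1/16 <-> 10.2/16 traffic leaves unencrypted until then.
# hq: auto=route -> trap policies are installed at startup, so matching
#   packets trigger IKE instead of being sent in plaintext.
SAMPLE_IPSEC_CONF='config setup
    charondebug="ike 1"

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048

conn branch-office
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=198.51.100.7
    rightsubnet=10.2.0.0/16
    auto=start

conn hq
    left=192.0.2.1
    leftsubnet=10.1.0.0/16
    right=203.0.113.9
    rightsubnet=10.3.0.0/16
    auto=route
'

# Print the names of conn sections that set auto=start.
# Reads ipsec.conf text on stdin. "config setup" is skipped; a "conn %default"
# that sets auto=start is reported as "%default" (this simple audit does not
# resolve inheritance into the other conns).
audit_auto_start() {
    awk '
        /^conn[ \t]+/   { name = $2; next }
        /^config[ \t]+/ { name = "";  next }
        /^[ \t]+auto[ \t]*=[ \t]*start[ \t]*$/ && name != "" { print name }
    '
}

# Exit 1 when any conn uses auto=start, so the check can gate a deployment
# (or remind the admin that such conns need separate firewall rules).
check_conf() {
    hits=$(printf '%s' "$1" | audit_auto_start)
    [ -z "$hits" ] && return 0
    printf 'auto=start conns without trap policies: %s\n' "$hits" >&2
    return 1
}
```

Run `check_conf "$(cat /etc/ipsec.conf)"` against a real file; the audit is a plain-text scan and does not replace checking the installed policies with `ip xfrm policy`.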
