[strongSwan] kernel SPD policy not installed until successful IKE negotiation completes

Alexander Lyakas alex.bolshoy at gmail.com
Wed Mar 7 10:38:46 CET 2012


Greetings all,

I am using strongswan 4.5.0 and IKEv1. In ipsec.conf I have "auto=start".

I notice that if the remote node does not have the IKE daemon running
(yet), strongswan does not install the security policy appropriate for
the connection. As a result, the remote node can connect insecurely
if it does not start its IKE daemon at all. After the IKE negotiation
completes and the policy is installed, then if the remote node terminates its
IKE daemon, it still cannot connect insecurely, because the policy on
the local node is already installed (until the local node reboots).

I am checking the existence of the policy using the 'setkey -DP' command.

Is there a way to instruct strongswan to install the security policy
right upon starting?
(I tried installpolicy=yes, but this is relevant only for IKEv2, and
looking at the code I see that it is indeed used only in charon, but I am
still not sure that it is used for the purpose I need.)

Thanks,
Alex.
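An added example, not part of the original message and not strongSwan's own code: a small POSIX shell check that parses `setkey -DP` output and reports whether the kernel SPD already holds "require" policies in both directions for a given pair of subnets. That is the condition the message is concerned with: in the window before IKE has completed there is no policy, so cleartext traffic to or from the peer is not blocked. The two SPD dumps below are constructed sample output in the format `setkey -DP` prints (RFC 5737 documentation addresses; the "No SPD entries." text for an empty SPD is likewise an assumption about setkey's output); on a real host the dump would come from `dump="$(setkey -DP)"`. The function only reads the SPD; it does not install anything.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan).
# Parses `setkey -DP` output to decide whether the kernel SPD already
# forces IPsec ("require") for a tunnel in both directions.

# CONSTRUCTED sample: what `setkey -DP` shows before any IKE exchange
# has completed (assumed text for an empty SPD).
spd_before_ike='No SPD entries.'

# CONSTRUCTED sample in setkey's format: the SPD after IKE succeeded.
# Selector lines start at column 0; policy details are indented.
spd_after_ike='10.0.1.0/24[any] 10.0.2.0/24[any] any
    out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require
    created: Mar  7 10:00:00 2012  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=1 seq=1 pid=1000
    refcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.1-192.0.2.1/require
    created: Mar  7 10:00:00 2012  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2 seq=0 pid=1000
    refcnt=1
'

# CONSTRUCTED sample: only the outbound policy present (e.g. a half-installed
# or hand-edited SPD). Inbound cleartext from the peer would still be accepted.
spd_out_only='10.0.1.0/24[any] 10.0.2.0/24[any] any
    out ipsec
    esp/tunnel/192.0.2.1-198.51.100.1/require
    refcnt=1
'

# has_require_policy SRC_NET DST_NET DIRECTION DUMP
# Exit 0 if DUMP contains an "ipsec" policy for SRC_NET -> DST_NET in
# DIRECTION (in|out) whose ESP rule has level "require"; exit 1 otherwise.
has_require_policy() {
    printf '%s\n' "$4" | awk -v src="$1" -v dst="$2" -v dir="$3" '
        # Selector line (not indented): "src[port] dst[port] proto".
        /^[^ \t]/ {
            match_sel = ($1 == (src "[any]") && $2 == (dst "[any]"))
            dir_ok = 0
            next
        }
        # Direction/type line belonging to the matching selector.
        match_sel && $1 == dir && $2 == "ipsec" { dir_ok = 1; next }
        # ESP rule with level "require": unprotected traffic is dropped.
        match_sel && dir_ok && $1 ~ /^esp\/.*\/require$/ { found = 1; exit }
        END { if (found) exit 0; else exit 1 }
    '
}

# spd_protects LOCAL_NET REMOTE_NET DUMP
# Prints "protected" only when both the outbound (LOCAL->REMOTE) and the
# inbound (REMOTE->LOCAL) require-policies exist; "unprotected" otherwise.
spd_protects() {
    if has_require_policy "$1" "$2" out "$3" &&
       has_require_policy "$2" "$1" in "$3"; then
        echo protected
    else
        echo unprotected
    fi
}

# Stand-alone demonstration over the constructed dumps.
echo "before IKE:  $(spd_protects 10.0.1.0/24 10.0.2.0/24 "$spd_before_ike")"
echo "after IKE:   $(spd_protects 10.0.1.0/24 10.0.2.0/24 "$spd_after_ike")"
echo "out only:    $(spd_protects 10.0.1.0/24 10.0.2.0/24 "$spd_out_only")"
```

Run against a live `setkey -DP` dump, "unprotected" for a tunnel that is supposed to be up is the state the message describes: the peer can still exchange cleartext with this host until IKE completes. The check requires both directions on purpose, since an outbound-only policy still lets unprotected inbound packets through.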



