[strongSwan] policy groups

Martin Willi martin at strongswan.org
Thu May 16 09:16:19 CEST 2013

Hi Michi,

> Does strongswan support policy groups?

No, strongSwan currently does not know such a configuration concept.

> how can I configure strongswan so that it never sends traffic in clear
> text?

Usually you can achieve this with a "routed" policy, i.e. one with the
auto=route keyword to a rightsubnet= This will make sure no
traffic leaves unencrypted. If no connection exists for the associated
traffic, the kernel will trigger it.

Of course there are other mechanisms to prevent that plain traffic
leaves your box. You could, for example, manually install a drop policy
to with a lower priority, or even use Netfilter to drop any
packet that is not encrypted (or is IKE).


More information about the Users mailing list