James jameszee13 at gmail.com
Wed Apr 1 08:06:23 CEST 2015


Hoping someone can point me in the right direction.

Running strongSwan 5.1.3 on Ubuntu 14.10. It appears that while my
tunnels will consistently come up via service strongswan restart, the
iptable rules are sporadically _not_ added to the hosts.

As an example, I've automated the configuration and deployment of
strongSwan to 5 hosts which will each build tunnels between each
other. This consistently works.

However, traffic between the nodes is not always encrypted. After
running tcpdump on various nodes it appears that the updown script is
not run _all_ of the time. On the latest run of this automation
process, 3 nodes had iptable rules that encrypt traffic to all other
nodes, while 1 had half of the rules needed and one node didn't have any
rules at all. If I restart the services enough times this issue will
eventually alleviate itself.

Two questions:

(a) while I've read that the default updown script does have
scalability limitations, I wouldn't imagine I'd be hitting them with
as few as 5 hosts. Any ideas / thoughts on how to fix this so that
leftfirewall=yes functions as designed?

(b) is there some way for me to drop traffic between nodes if it's not
encrypted? I've done some Googling on this subject matter and I was
unable to find a cut-and-dry method by which I can drop traffic if it
does not go through the following rule:

-A INPUT -s -d -i eth0 -p ipencap -m
policy --dir in --pol ipsec --reqid 3 --proto esp -j ACCEPT

Thoughts / ideas would be very greatly appreciated!
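One way to answer question (b) without depending on the _updown script at all is a fixed rule set that accepts traffic to and from the known peers only when the kernel reports an IPsec policy for it (`-m policy --pol ipsec`) and drops anything that would travel in the clear, so a missed updown run fails closed instead of open. The generator below is an added example and is not code from the original post or from strongSwan; the peer list, the interface name and the chain names IPSEC_IN/IPSEC_OUT are constructed assumptions. It prints the iptables commands rather than executing them, so they can be reviewed first, and `expected_rule_count` gives the number of rules each chain should hold, which doubles as a quick consistency check across hosts for question (a).

```shell
#!/bin/sh
# Added example (not from the original post or strongSwan): emit iptables
# rules that only let traffic pass between IPsec peers when it matched an
# IPsec policy, and log+drop cleartext. Independent of the _updown script.
set -eu

PEERS="10.0.0.2 10.0.0.3 10.0.0.4 10.0.0.5"   # constructed sample peers
IFACE="eth0"                                   # constructed interface name

# Rules for one peer in one direction: "in" fills IPSEC_IN (hooked from
# INPUT), "out" fills IPSEC_OUT (hooked from OUTPUT). Printed, not run.
rules_for_peer() {
    dir="$1"; peer="$2"
    if [ "$dir" = in ]; then
        chain=IPSEC_IN;  addr="-s $peer -i $IFACE"
    else
        chain=IPSEC_OUT; addr="-d $peer -o $IFACE"
    fi
    # 1. IKE (UDP 500/4500) and the ESP packets themselves must pass, or
    #    no tunnel can be negotiated or carried in the first place.
    echo "iptables -A $chain $addr -p udp --dport 500 -j ACCEPT"
    echo "iptables -A $chain $addr -p udp --dport 4500 -j ACCEPT"
    echo "iptables -A $chain $addr -p esp -j ACCEPT"
    # 2. Inner packets that were (in) or will be (out) protected by an
    #    IPsec policy. No --reqid, so the rule survives rekeys/restarts.
    echo "iptables -A $chain $addr -m policy --dir $dir --pol ipsec --proto esp -j ACCEPT"
    # 3. Anything else to/from this peer is cleartext: log it, then drop.
    echo "iptables -A $chain $addr -j LOG --log-prefix \"clear-$dir:$peer \""
    echo "iptables -A $chain $addr -j DROP"
}

# Whole rule set: create both chains, fill them for every peer, then hook
# them in front of everything else on INPUT and OUTPUT.
ruleset() {
    echo "iptables -N IPSEC_IN"
    echo "iptables -N IPSEC_OUT"
    for p in $PEERS; do
        rules_for_peer in  "$p"
        rules_for_peer out "$p"
    done
    echo "iptables -I INPUT 1 -i $IFACE -j IPSEC_IN"
    echo "iptables -I OUTPUT 1 -o $IFACE -j IPSEC_OUT"
}

# Number of rules each of IPSEC_IN and IPSEC_OUT should contain; compare
# with `iptables -S IPSEC_IN | grep -c '^-A'` on every host.
expected_rule_count() {
    set -- $PEERS
    echo $(( $# * 6 ))
}

# Usage: sh enforce-ipsec.sh            (review), then  sh enforce-ipsec.sh | sh
ruleset
```

Traffic from addresses outside PEERS falls through both chains untouched, so the rest of the firewall is unaffected. If the encryption fails in either direction, the last two rules per peer produce a `clear-in:` / `clear-out:` kernel log line, which is the signal worth alerting on while the updown problem is being tracked down.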

