[strongSwan] Leftover "block" policy after IPSec connection is terminated
Andreas Heinlein
aheinlein at gmx.com
Tue Aug 18 09:53:18 CEST 2020
Hello,
I have a test setup with a server and some clients communicating in transport mode, on the same (private) subnet. This works, but when I stop strongswan on the client or shut it down, I would expect unencrypted traffic between server and client to be possible, but it isn't.
I can see that an SA is established when the client starts up (shown in 'ipsec status'), and that this SA is removed when the client terminates. I can also see from 'ip xfrm policy show' that two policies for each direction are installed for this connection:
src 172.16.9.189/32 dst 172.16.9.3/32
dir in priority 183616 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 489 mode transport
src 172.16.9.3/32 dst 172.16.9.189/32
dir out priority 183616 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 489 mode transport
src 172.16.9.189/32 dst 172.16.9.3/32
dir in action block priority 383616 ptype main
src 172.16.9.3/32 dst 172.16.9.189/32
dir out action block priority 383616 ptype main
The two ESP policies are removed when the connection is terminated, but the two block policies remain. I can manually remove them, then unencrypted traffic works. But they are installed again when I start strongswan on the client and the connection is established.
I don't know if this is intended, but it is not wanted here. We need unencrypted traffic during boot until strongswan is loaded and ready. How can I achieve this?
OS on both sides is Debian 9, with strongswan 5.5.1.
Thank you!
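As an added example (not part of the original post, and not strongSwan code), the following Python script parses 'ip xfrm policy show' output like the listing above and reports "block" policies that have no ESP policy left for the same selector and direction, which is exactly the leftover state described in the post. The sample inputs are constructed from the post's own listing: one snapshot while the SA is up, one after termination. The "allow" label for policies without an explicit action keyword is this parser's own convention, not something 'ip xfrm' prints.

```python
import re
from dataclasses import dataclass, field


@dataclass
class XfrmPolicy:
    """One entry from 'ip xfrm policy show'."""
    src: str
    dst: str
    direction: str = ""
    priority: int = 0
    # 'ip xfrm' prints 'action block' only for drop policies; for the
    # others we use the label "allow" (parser convention, assumption).
    action: str = "allow"
    templates: list = field(default_factory=list)   # e.g. ["esp"]


def parse_xfrm_policies(text: str) -> list:
    """Parse the multi-line 'ip xfrm policy show' format into records."""
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:                                    # a new policy starts here
            current = XfrmPolicy(src=m.group(1), dst=m.group(2))
            policies.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"dir (\S+)(?: action (\S+))? priority (\d+)", line)
        if m:
            current.direction = m.group(1)
            current.action = m.group(2) or "allow"
            current.priority = int(m.group(3))
            continue
        m = re.match(r"proto (\S+) reqid (\d+) mode (\S+)", line)
        if m:                                    # template line: which protocol protects the flow
            current.templates.append(m.group(1))
    return policies


def orphaned_block_policies(policies: list) -> list:
    """Block policies whose (src, dst, dir) no longer has an ESP policy.

    While the SA is up, the ESP policy has the numerically lower priority
    (183616 < 383616 in the post) and therefore wins; once it is gone the
    block policy alone decides and plaintext traffic is dropped.
    """
    covered = {(p.src, p.dst, p.direction)
               for p in policies if "esp" in p.templates}
    return [p for p in policies
            if p.action == "block"
            and (p.src, p.dst, p.direction) not in covered]


# Constructed sample: the listing from the post while the SA is established.
SAMPLE_WHILE_UP = """\
src 172.16.9.189/32 dst 172.16.9.3/32
dir in priority 183616 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 489 mode transport
src 172.16.9.3/32 dst 172.16.9.189/32
dir out priority 183616 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 489 mode transport
src 172.16.9.189/32 dst 172.16.9.3/32
dir in action block priority 383616 ptype main
src 172.16.9.3/32 dst 172.16.9.189/32
dir out action block priority 383616 ptype main
"""

# Constructed sample: what remains after the connection is terminated.
SAMPLE_AFTER_TERMINATE = """\
src 172.16.9.189/32 dst 172.16.9.3/32
dir in action block priority 383616 ptype main
src 172.16.9.3/32 dst 172.16.9.189/32
dir out action block priority 383616 ptype main
"""


def report(text: str) -> list:
    """Return the orphaned block policies and print a short summary."""
    orphans = orphaned_block_policies(parse_xfrm_policies(text))
    for p in orphans:
        print(f"leftover block policy: {p.src} -> {p.dst} dir {p.direction} "
              f"priority {p.priority}")
    return orphans


if __name__ == "__main__":
    print("while SA is up:", len(report(SAMPLE_WHILE_UP)), "orphan(s)")
    print("after terminate:", len(report(SAMPLE_AFTER_TERMINATE)), "orphan(s)")
```

To run it against a live host, pipe the real output in (for example, read `sys.stdin` and pass it to `report`); the script is read-only and only reports which selectors are currently dropping plaintext.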