[strongSwan] had to manually up a connection

Victor Sudakov vas at sibptus.ru
Mon Mar 9 15:59:53 CET 2020

Victor Sudakov wrote:
> Tobias Brunner wrote:
> > 
> > > I see that the first packet in matching
> > > traffic is always lost: in a ping session, packet with seq=1 never makes
> > > it to the other side, only from seq=2 onwards.
> > > 
> > > Why does this happen?
> > 
> > It's a known property of the Linux kernel.  Packets, in particular the
> > triggering one, are not cached and lost until the IPsec SAs are established.
> > 
> > > and is there a way to avoid it?
> > 
> > Not that I'm aware.
> Maybe using "auto=start" would be better in this scenario? When the
> host wants to send an SNMP trap, the IPSec connection will have already
> been established. No need for triggering.

I'm almost ready to take my words back. 

I've experimented in my lab and it turned out that if you configure your
Strongswan connections for anything other than "auto=route", you risk
for some packets to be sent unencrypted until the SA is established. 

If you value the data in your SNMP datagrams (e.g. the community
string), you may expose it.

Proof:  http://admin.sibptus.ru/~vas/1.txt

traffic is sent unencrypted until 21:28:40.577854 when
Strongswan at is finally up.

At 21:28:58.538009 the host is shut down and traffic from is again being sent unencrypted.

Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200309/0a1108cc/attachment.sig>

More information about the Users mailing list