[Swan] ipsec traffic leak

Paul Wouters paul at nohats.ca
Fri May 5 03:20:00 UTC 2017


On Thu, 4 May 2017, Xinwei Hong wrote:

> Just realized that I can do an "ipsec auto --route conn_xxx"; this adds the entry and the packet gets dropped
> as expected. Please let me know if this is the correct way to deal with it.

Yes, using ipsec auto --route conn_xxx or adding auto=route (which is
the same as auto=ondemand) to the connection accomplishes the same thing.
However:

> If I have all the config ready and do an "ipsec start", that entry is added and packets get dropped. If I do an
> "ipsec auto --down/delete/add/up", I suppose we should get the same behavior as "ipsec start", i.e. the entry is
> added. However, the entry is not added and traffic gets routed out. If the remote peer comes up and
> connects to this terminal, the entry is added correctly. Do you know any reason for this behavior
> difference? How can we make sure no traffic gets leaked out while we are waiting for the peer to
> connect?

Note that some older versions, when receiving a --down request from the other
side, would not put the tunnel back into the start mode. I believe this
was addressed in 3.19 or 3.20.

Paul

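As an added example (not code from this thread or from the libreswan project), the following shell snippet shows the auto=ondemand connection fragment that installs the hold policy at "ipsec start", and a check of what actually decides whether plaintext leaks while the peer is down: whether the kernel has an outbound XFRM policy for the subnet pair. The conn name, subnets, peer addresses and the sample "ip xfrm policy" output are constructed for illustration; the live check at the end assumes iproute2 is installed and the script runs with CAP_NET_ADMIN.

```shell
#!/bin/sh
# Added example, not part of the mailing list post or of libreswan.
# Addresses, conn name and sample policy dumps are assumptions for illustration.

# Connection fragment that installs the hold/trap policy at "ipsec start"
# without waiting for a peer. auto=ondemand is the same as auto=route.
CONN_EXAMPLE='conn conn_xxx
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    auto=ondemand'

# Print COVERED when an outbound ("dir out") policy for SRC->DST exists that
# either blocks the traffic or requires ESP/AH (so without an SA the kernel
# holds or drops the packet instead of routing it out), and LEAK otherwise.
# Reads "ip xfrm policy" text on stdin. Usage: leak_status SRC DST < policy.txt
leak_status() {
    if awk -v want_src="$1" -v want_dst="$2" '
        # each policy record starts with a top-level "src X dst Y" line;
        # template lines start with "tmpl", so they do not reset the state
        $1 == "src" { sel = ($2 == want_src && $4 == want_dst); out = 0; next }
        sel && $1 == "dir" {
            out = ($2 == "out")
            # a block policy drops matching packets outright
            if (out && $0 ~ /action block/) found = 1
            next
        }
        # a template demanding ESP or AH means: no SA, no cleartext
        sel && out && $1 == "proto" && ($2 == "esp" || $2 == "ah") { found = 1 }
        END { exit found ? 0 : 1 }'
    then
        echo COVERED
    else
        echo LEAK
    fi
}

# Live variant against the running kernel (needs iproute2 and CAP_NET_ADMIN).
# Usage: leak_status_live SRC DST
leak_status_live() {
    ip xfrm policy | leak_status "$1" "$2"
}

# Constructed sample in the shape iproute2 prints after "ipsec auto --route conn_xxx":
# out, fwd and in policies for the subnet pair, each with an ESP template.
SAMPLE_ROUTED='src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 1042407 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir fwd priority 1042407 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir in priority 1042407 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode tunnel'

# Constructed sample of the situation in the question: after --down/--delete/--add/--up
# only the inbound side is present, so outbound packets are routed out in the clear.
SAMPLE_LEAK='src 10.2.0.0/24 dst 10.1.0.0/24
    dir in priority 1042407 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode tunnel'

# Constructed sample of a pass-through policy: "dir out" exists but carries no
# template and no block action, so it still leaks; a presence-only check would miss it.
SAMPLE_PASS='src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 1042407 ptype main'

printf 'routed:       %s\n' "$(printf '%s\n' "$SAMPLE_ROUTED" | leak_status 10.1.0.0/24 10.2.0.0/24)"
printf 'after re-add: %s\n' "$(printf '%s\n' "$SAMPLE_LEAK"   | leak_status 10.1.0.0/24 10.2.0.0/24)"
printf 'pass shunt:   %s\n' "$(printf '%s\n' "$SAMPLE_PASS"   | leak_status 10.1.0.0/24 10.2.0.0/24)"
```

The check deliberately keys on the template protocol or a block action rather than on the mere presence of a "dir out" line, because an outbound policy with no template is exactly a pass shunt and would let the packets out in the clear. On a live host, run leak_status_live with the leftsubnet/rightsubnet pair before and after the ipsec auto --down/--delete/--add/--up sequence to see whether the outbound entry came back.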
