Hi, I have a policy-based ipsec setting where I only have one end ready and we are waiting for other end to connect to it. So, the VPN tunnel is not actually created yet. When we try to ping an address in remote subnet (presumably), the traffic could leak out to network through its interface. I checked and found this xfrm entry was missing.
# ip xfrm policy src 10.100.0.0/16 dst 10.200.0.0/16 dir out priority 2608 tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid 0 mode transport When this entry exists, pkt will be dropped as expected. If I have all config ready and do a "ipsec start", that entry is added and pkt go dropped. If I do a ipsec auto --down/delete/add/up, I suppose we can get same behavior as "ipsec start", i.e. the entry is added. However, the entry will not be added and traffic get routed out. If the remote peer goes up and connect to this terminal, the entry will be added correctly. Do you know any reason why this behavior difference? How can we make sure no traffic gets leaked out while we are waiting for the peer to connect? I do see the following log when the entry is not added. May 3 22:29:08 vvr-10-69-244-34 pluto[22363]: vpn-5483483: WARNING: using a weak secret (PSK) May 3 22:29:08 vvr-10-69-244-34 pluto[22363]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.200.0.0/16" #1: initiating Main Mode May 3 22:29:08 vvr-10-69-244-34 pluto[22363]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.200.0.0/16": *deleting* non-instance connection May 3 22:29:08 vvr-10-69-244-34 pluto[22363]: vpn-5483483: "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.200.0.0/16" #1: *deleting* state (STATE_MAIN_I1) May 3 22:29:08 vvr-10-69-244-34 pluto[22363]: vpn-5483483: added connection description "conn_vpn-5483483-tunnel-VPNRemoteRoutedSubnet-tunnel-10.200.0.0/16" The "deleting .." was not there when we do "ipsec start". Not sure if the SPD policy entry was deleted during the time. (in both cases, remote peer is not ready or does not exist) Thanks, Xinwei
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
