On Thu, 4 May 2017, Xinwei Hong wrote:
> Just realized that I can do an "ipsec auto --route conn_xxx"; this adds the entry and packets get dropped as expected. Please let me know if this is the correct way to deal with it.
Yes, using ipsec auto --route conn_xxx or adding auto=route (which is the same as auto=ondemand) to the connection accomplishes the same. However:
> If I have all config ready and do an "ipsec start", that entry is added and packets get dropped. If I do an ipsec auto --down/delete/add/up, I suppose we should get the same behavior as "ipsec start", i.e. the entry is added. However, the entry is not added and traffic gets routed out. If the remote peer goes up and connects to this terminal, the entry is added correctly. Do you know any reason for this behavior difference? How can we make sure no traffic gets leaked out while we are waiting for the peer to connect?
Note that some older versions, when receiving a --down request from the other side, would not put the tunnel back into the start mode. I believe this was addressed in 3.19 or 3.20.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
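As an added check, not from the thread or from the libreswan project, the script below verifies the point discussed above: that the trap entry installed by auto=ondemand (or ipsec auto --route) is actually present, so nothing leaves in the clear while the peer is down. It parses `ip xfrm policy` output and requires both an outbound and an inbound policy for the subnet pair; the subnets and the sample output are constructed.

```shell
#!/bin/sh
# Constructed sample of `ip xfrm policy` output for a connection whose
# auto=ondemand trap policies are installed for 10.1.0.0/24 <-> 10.2.0.0/24.
# All addresses and reqid values are made up for this example.
SAMPLE_WITH_POLICY='src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 1040351 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir in priority 1040351 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir fwd priority 1040351 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16389 mode tunnel'

# Constructed sample after the entry was removed: only the default socket
# policy remains, so traffic to 10.2.0.0/24 would be routed out in cleartext.
SAMPLE_NO_POLICY='src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main'

# policy_present LOCAL_SUBNET REMOTE_SUBNET POLICY_TEXT
# Returns 0 when a "dir out" policy local->remote and a "dir in" policy
# remote->local both exist in POLICY_TEXT, 1 otherwise. awk pairs each
# "src ... dst ..." header with the "dir ..." line that follows it.
policy_present() {
    printf '%s\n' "$3" | awk -v l="$1" -v r="$2" '
        /^src / { src = $2; dst = $4; next }
        /^[ \t]*dir / {
            if ($2 == "out" && src == l && dst == r) out = 1
            if ($2 == "in"  && src == r && dst == l) in_ = 1
        }
        END { exit (out && in_) ? 0 : 1 }'
}

# Live check against the running kernel (needs root and iproute2).
# Exits non-zero, with a warning, when the subnet pair is unprotected.
check_live() {
    if policy_present "$1" "$2" "$(ip xfrm policy 2>/dev/null)"; then
        echo "ok: IPsec policy installed for $1 <-> $2"
    else
        echo "WARNING: no IPsec policy for $1 <-> $2; cleartext could leak" >&2
        return 1
    fi
}
```

Run `check_live 10.1.0.0/24 10.2.0.0/24` (with your own subnets) after each ipsec auto --down/delete/add/up step to see at which point the entry disappears.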
