> Sorry to cut in a bit. I have been watching this with interest. I am only
> a user of ipsec vpn. Is there really a technical possibility that traffic
> is somehow passing through the tunnel without being encrypted? Is there
> not some default drop/fail design if there is no encryption?
I am in no way an expert on this, but I don't think there is. You
configure some libreswan policies - either directly (when you use
opportunistic encryption and therefore group policies), or indirectly
(through the combination of left*/right* and *protoport). Libreswan then
converts this into the kernel xfrm policies, which are the real
decision-making point. If the xfrm policies trigger, the remaining part is
done by the kernel (based on the xfrm policies installed by libreswan). But
there is no default policy like in *tables.
I will be happy when errors in the above are corrected by the wise men here.
Best regards,
Phil
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
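Phil's point above is that the kernel xfrm policy table, not libreswan, is where the encrypt-or-not decision is made, and that nothing in that table drops plaintext by itself. A defender can verify that for a given tunnel by reading the policy table and looking for a lower-precedence "action block" entry behind the ESP policy. The script below is an added example written for this message, not code from the thread or from the libreswan project; `ip xfrm policy` and its `action block` option are real iproute2 features, while the subnets (10.0.1.0/24, 10.0.2.0/24), the peer addresses, the reqid and the priority 2000000 are constructed placeholders.

```shell
#!/bin/sh
# Audit the kernel xfrm policy table for a "fail-closed" block policy behind a
# libreswan tunnel. Added example, not part of the mailing list thread.
# Assumptions: subnets, peers, reqid and BLOCK_PRIO are placeholders; the
# parser expects the text layout printed by `ip xfrm policy` (iproute2).

# Priority must be numerically larger (= lower precedence) than the policies
# libreswan installs, so the block only matches traffic no ESP policy claims.
BLOCK_PRIO=2000000

# has_fail_closed SRC DST DIR
# Reads `ip xfrm policy` output on stdin and succeeds (exit 0) only if the
# SRC->DST entry in direction DIR carries "action block", i.e. plaintext is
# dropped instead of forwarded when the ESP policy is absent.
has_fail_closed() {
    awk -v s="$1" -v d="$2" -v dir="$3" '
        # Header line of a policy entry: "src A dst B"
        $1 == "src" && $3 == "dst" { cur = ($2 == s && $4 == d); next }
        # Attribute line of the current entry: "dir out action block priority N ..."
        cur && $1 == "dir" && $2 == dir && $3 == "action" && $4 == "block" { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# fail_closed_cmds SRC DST
# Prints (does not run) the iproute2 commands that install block policies in
# all three directions: out for local->remote, in and fwd for remote->local.
fail_closed_cmds() {
    printf 'ip xfrm policy add src %s dst %s dir out action block priority %s\n' "$1" "$2" "$BLOCK_PRIO"
    for dir in in fwd; do
        printf 'ip xfrm policy add src %s dst %s dir %s action block priority %s\n' "$2" "$1" "$dir" "$BLOCK_PRIO"
    done
}

# audit_tunnel SRC DST
# Checks the live table for both directions; returns 0 only when both are
# fail-closed. Needs the ip command and a kernel with xfrm (run as root).
audit_tunnel() {
    rc=0
    for dir in out in; do
        if [ "$dir" = out ]; then s=$1; d=$2; else s=$2; d=$1; fi
        if ip xfrm policy | has_fail_closed "$s" "$d" "$dir"; then
            echo "ok: $s -> $d ($dir) has a block policy"
        else
            echo "WARNING: $s -> $d ($dir) has no block policy; plaintext would pass if the ESP policy were removed"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `ip xfrm policy` output (not captured from a host):
# only libreswan's tunnel policies, nothing to catch plaintext behind them.
POLICIES_OPEN='src 10.0.1.0/24 dst 10.0.2.0/24
    dir out priority 1042407 ptype main
    tmpl src 203.0.113.1 dst 203.0.113.2
        proto esp reqid 16389 mode tunnel
src 10.0.2.0/24 dst 10.0.1.0/24
    dir in priority 1042407 ptype main
    tmpl src 203.0.113.2 dst 203.0.113.1
        proto esp reqid 16389 mode tunnel'

# The same table after lower-precedence block policies were added behind it.
POLICIES_CLOSED="$POLICIES_OPEN
src 10.0.1.0/24 dst 10.0.2.0/24
    dir out action block priority $BLOCK_PRIO ptype main
src 10.0.2.0/24 dst 10.0.1.0/24
    dir in action block priority $BLOCK_PRIO ptype main"

# Usage on a real host: audit_tunnel 10.0.1.0/24 10.0.2.0/24
# Offline check against the constructed samples:
# printf '%s\n' "$POLICIES_OPEN"   | has_fail_closed 10.0.1.0/24 10.0.2.0/24 out  # fails
# printf '%s\n' "$POLICIES_CLOSED" | has_fail_closed 10.0.1.0/24 10.0.2.0/24 out  # succeeds
```

The block entries only come into play when the higher-precedence ESP policy is gone (tunnel torn down, daemon crashed, policy flushed), which is exactly the window the original question is about. For opportunistic-encryption connections libreswan can install an equivalent shunt itself through the `failureshunt=` setting in ipsec.conf; for ordinary left/right tunnels, the explicit block policies above are one way to get the same fail-closed behaviour.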