> > > Sorry to cut in a bit. I have been watching this with interest. I am
> > > only a user of ipsec vpn. Is there really a technical possibility that
> > > traffic is somehow passing through the tunnel without being encrypted?
> > > Is there not some default drop/fail design if there is no encryption?
>
> I am in no way an expert on this, but I don't think there is. You
> configure some libreswan policies - either directly (when you use
> opportunistic encryption and therefore group policies), or indirectly
> (through the combination of left*/right* and *protoport). Libreswan then
> converts this into the kernel xfrm policies, which are the real
> decision-making point. If the xfrm policies trigger, the remaining part
> is done by the kernel (based on the xfrm policies installed by libreswan).
> But there is no default policy like in *tables.
>
> I will be happy when errors in the above are corrected by the wise men
> here.
>
thanks for explaining. :)

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
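As an added illustration (not code from the thread or from libreswan), a small Python check over a constructed sample of `ip xfrm policy` output: it finds the policy a given flow would hit and reports "cleartext" when nothing matches, which is the fall-through the quoted answer describes. The sample text and the subnets/addresses in it are made up; the same functions can be fed the real `ip xfrm policy` output from a gateway.

```python
import ipaddress
import re
# Constructed sample of `ip xfrm policy` output (not from the thread): the
# three policies libreswan installs for one tunnel between two subnets.
SAMPLE_XFRM_POLICY = """\
src 10.1.0.0/24 dst 10.2.0.0/24
\tdir out priority 1753120 ptype main
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
\tdir fwd priority 1753120 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
\tdir in priority 1753120 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 16389 mode tunnel
"""

def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into dicts with src, dst, dir and action."""
    policies = []
    for line in text.splitlines():
        top = re.match(r"src (\S+) dst (\S+)", line)   # unindented: new policy
        if top:
            policies.append({"src": ipaddress.ip_network(top.group(1)),
                             "dst": ipaddress.ip_network(top.group(2)),
                             "dir": None, "action": "passthrough"})
            continue
        if not policies:
            continue
        m = re.search(r"\bdir (\w+)", line)
        if m:
            policies[-1]["dir"] = m.group(1)
        if "action block" in line:                # a blocking policy
            policies[-1]["action"] = "block"
        if "proto esp" in line:                   # template: ESP required
            policies[-1]["action"] = "esp"
    return policies

def classify_flow(policies, src_ip, dst_ip, direction="out"):
    """Report what the kernel does with one packet: 'esp' (must be protected),
    'block', 'passthrough' (matched a clear policy) or 'cleartext' when no
    policy matches, since xfrm has no iptables-style default rule."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p["action"]
    return "cleartext"
```

A flow to a subnet that no policy covers (10.1.0.5 to 10.3.0.9 in the sample) comes back as "cleartext": that is the case the question worried about, and the reason to confirm both directions are covered rather than rely on a default that xfrm does not apply here.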
