Hello,

I have a test setup with a server and some clients communicating in transport 
mode, on the same (private) subnet. This works, but when I stop strongswan on 
the client or shut it down, I would expect unencrypted traffic between server 
and client to be possible, but it isn't.

I can see that an SA is established when the client starts up (shown in 'ipsec 
status'), and that this SA is removed when the client terminates. I can also 
see from 'ip xfrm policy show' that two policies for each direction are 
installed for this connection:

src 172.16.9.189/32 dst 172.16.9.3/32
        dir in priority 183616 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 489 mode transport
src 172.16.9.3/32 dst 172.16.9.189/32
        dir out priority 183616 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 489 mode transport
src 172.16.9.189/32 dst 172.16.9.3/32
        dir in action block priority 383616 ptype main
src 172.16.9.3/32 dst 172.16.9.189/32
        dir out action block priority 383616 ptype main

The two ESP policies are removed when the connection is terminated, but the two 
block policies remain. I can manually remove them, then unencrypted traffic 
works. But they are installed again when I start strongswan on the client and 
the connection is established.

I don't know if this is intended, but it is not wanted here. We need 
unencrypted traffic during boot until strongswan is loaded and ready. How can I 
achieve this?

OS on both sides is Debian 9, with strongswan 5.5.1.

Thank you!
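A small diagnostic for the situation described in this message, added here as an example and not taken from the post or from the strongSwan project: it parses the text of `ip xfrm policy show` and reports block policies that are no longer paired with an ESP policy for the same selector and direction. While the ESP policies are present they win (in the Linux xfrm policy database a lower priority value takes precedence, and 183616 is lower than 383616); once they are gone, only the block policies match, which is the "unencrypted traffic is not possible" state the post describes. The two sample outputs are constructed from the policies quoted above, and the "stale" criterion (a block policy with no matching ESP-template policy) is an assumption made for this check.

```python
"""Parse `ip xfrm policy show` output and flag block policies left behind
without a matching ESP policy (added example; not strongSwan code)."""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample: the four policies quoted in the post, while the
# connection is up (two ESP template policies plus two block policies).
XFRM_UP = """\
src 172.16.9.189/32 dst 172.16.9.3/32
        dir in priority 183616 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 489 mode transport
src 172.16.9.3/32 dst 172.16.9.189/32
        dir out priority 183616 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 489 mode transport
src 172.16.9.189/32 dst 172.16.9.3/32
        dir in action block priority 383616 ptype main
src 172.16.9.3/32 dst 172.16.9.189/32
        dir out action block priority 383616 ptype main
"""

# Constructed sample: what remains after the ESP policies are removed
# (the state the post describes after stopping strongswan on the client).
XFRM_DOWN = """\
src 172.16.9.189/32 dst 172.16.9.3/32
        dir in action block priority 383616 ptype main
src 172.16.9.3/32 dst 172.16.9.189/32
        dir out action block priority 383616 ptype main
"""


@dataclass
class Policy:
    src: str
    dst: str
    dir: str = ""
    priority: int = 0
    action: str = "allow"          # "allow" unless the dir line says "action block"
    templates: list = field(default_factory=list)  # one dict per "proto ... reqid ... mode ..." line


def parse_xfrm_policy(text: str) -> list:
    """Turn `ip xfrm policy show` text into a list of Policy records.

    Only the selector line, the dir/action/priority line and the template
    proto line are interpreted; the "tmpl src ... dst ..." line is skipped.
    """
    policies = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sel = re.match(r"src (\S+) dst (\S+)$", line)
        if sel:                      # new policy block starts here
            current = Policy(src=sel.group(1), dst=sel.group(2))
            policies.append(current)
            continue
        if current is None:
            continue
        hdr = re.match(r"dir (\S+)(?: action (\S+))? priority (\d+)", line)
        if hdr:
            current.dir = hdr.group(1)
            current.action = hdr.group(2) or "allow"
            current.priority = int(hdr.group(3))
            continue
        tmpl = re.match(r"proto (\S+) reqid (\d+) mode (\S+)", line)
        if tmpl:
            current.templates.append(
                {"proto": tmpl.group(1), "reqid": int(tmpl.group(2)), "mode": tmpl.group(3)})
    return policies


def stale_block_policies(policies: list) -> list:
    """Block policies whose (src, dst, dir) has no ESP-template policy.

    With an ESP policy present at a lower priority value, that policy is
    matched first; without it, the block policy drops the plaintext traffic.
    """
    protected = {(p.src, p.dst, p.dir) for p in policies
                 if any(t["proto"] == "esp" for t in p.templates)}
    return [p for p in policies
            if p.action == "block" and (p.src, p.dst, p.dir) not in protected]


def report(text: str) -> list:
    """Human-readable lines, one per stale block policy found in `text`."""
    return [f"stale block policy: src {p.src} dst {p.dst} dir {p.dir} priority {p.priority}"
            for p in stale_block_policies(parse_xfrm_policy(text))]


if __name__ == "__main__":
    # Pipe real output in (`ip xfrm policy show | python3 this_script.py`);
    # without a pipe, the constructed "connection down" sample is used.
    source = XFRM_DOWN if sys.stdin.isatty() else sys.stdin.read()
    for line in report(source) or ["no stale block policies found"]:
        print(line)
```

Run against the live policy database on a host where the client has been stopped, the report lists exactly the two block entries that the post says have to be removed by hand before plaintext traffic works again; against the "up" output it reports nothing, because each block policy is shadowed by its ESP counterpart.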
