Using strongswan, what's the difference between auto=add, and auto=start?

networking ipsec strongswan

The docs on this are pretty vague,

what operation, if any, should be done automatically at IPsec startup. add loads a connection without starting it. route loads a connection and installs kernel traps. If traffic is detected between leftsubnet and rightsubnet, a connection is established. start loads a connection and brings it up immediately. ignore ignores the connection. This is equal to deleting a connection from the config file. Relevant only locally, other end need not agree on it.

What does it mean to load a connection without starting it vs bringing it up immediately? Can anyone provide a simple example?


The introduction document on the strongSwan wiki has some more information about this. The three options to start connections are as follows:

  • Manually (or by remote peers): Connections with auto=add are loaded but nothing happens automatically afterwards. They can then be initiated manually using ipsec up <name> (provided a single hostname/IP is configured in right).

    Such connections also allow remote peers to initiate a connection, given their IP matches whatever is configured in right (so you'll often see connections with right=%any in remote access scenarios, where the clients' IP addresses are generally unknown).

  • Automatically: With auto=start a connection is loaded and the IKE daemon will immediately start to connect to the remote host configured in right. This is basically like manually calling ipsec up for these connections directly after the IKE daemon got started.

  • On demand: The IKE daemon will load connections with auto=route and install trap policies, based on the traffic selectors configured with left|rightsubnet, in the underlying IPsec implementation, for instance, the Linux kernel. When the kernel later encounters traffic that matches these policies it will request the IKE daemon to initiate the connection.

    Such connections can also be initiated manually using ipsec up.

    Furthermore it is possible to remove the policies installed in the kernel later on using ipsec unroute. The connection then has the same status as one that got added with auto=add. Likewise, connections that were loaded with auto=add (or auto=start) can be routed using ipsec route.


It's worth noting that auto=start will not re-establish the tunnel if it is shut down. This can cause issues where the tunnel will come up perfectly when you restart your server (or restart ipsec), but then fail some time later - usually due to to an inactivity timer set by the other party. On the other hand, if you set auto=route, then strongswan will ensure that the tunnel is up everytime it sees interesting traffic.

Related

SMTP sent E-mail not copied to Sent Folder [closed]
Setting a static route for a specific network adapter with two network adapters
SW SSD Raid 1 over HW RAID 10
do-release-upgrade -d Ubuntu 13.10 -> 14.04 failing
How to delete all ufw rules for a certain port?
When do browsers request and use IPv6 DNS records?
smartctl & megaraid: how to find the right device node for an adapter #
NGINX proxy_pass with URI modification
Empty page after installing Angular Playground into an Ionic 4 project
How to unittest with command line arguments
Database Permission denied after running docker-compose up
sqlite3 works well in centos7 and python shell,but can't work in Uwsgi