Using strongSwan, what's the difference between auto=add and auto=start?

The docs on this are pretty vague,

what operation, if any, should be done automatically at IPsec startup. add loads a connection without starting it. route loads a connection and installs kernel traps. If traffic is detected between leftsubnet and rightsubnet, a connection is established. start loads a connection and brings it up immediately. ignore ignores the connection. This is equal to deleting a connection from the config file. Relevant only locally, other end need not agree on it.

What does it mean to load a connection without starting it vs bringing it up immediately? Can anyone provide a simple example?


The introduction document on the strongSwan wiki has some more information about this. The three options to start connections are as follows:

  • Manually (or by remote peers): Connections with auto=add are loaded but nothing happens automatically afterwards. They can then be initiated manually using ipsec up <name> (provided a single hostname/IP is configured in right).

    Such connections also allow remote peers to initiate a connection, given their IP matches whatever is configured in right (so you'll often see connections with right=%any in remote access scenarios, where the clients' IP addresses are generally unknown).

  • Automatically: With auto=start a connection is loaded and the IKE daemon will immediately start to connect to the remote host configured in right. This is basically like manually calling ipsec up for these connections directly after the IKE daemon got started.

  • On demand: The IKE daemon will load connections with auto=route and install trap policies, based on the traffic selectors configured with left|rightsubnet, in the underlying IPsec implementation, for instance, the Linux kernel. When the kernel later encounters traffic that matches these policies it will request the IKE daemon to initiate the connection.

    Such connections can also be initiated manually using ipsec up.

    Furthermore it is possible to remove the policies installed in the kernel later on using ipsec unroute. The connection then has the same status as one that got added with auto=add. Likewise, connections that were loaded with auto=add (or auto=start) can be routed using ipsec route.


It's worth noting that auto=start will not re-establish the tunnel if it is shut down. This can cause issues where the tunnel will come up perfectly when you restart your server (or restart ipsec), but then fail some time later - usually due to an inactivity timer set by the other party. On the other hand, if you set auto=route, then strongSwan will ensure that the tunnel is up every time it sees interesting traffic.
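
The modes discussed in the answers above, side by side in one ipsec.conf. This is an added example, not taken from either answer or from the strongSwan documentation; the connection names, the addresses (documentation ranges) and the pre-shared-key authentication are assumptions chosen for illustration.

```conf
# /etc/ipsec.conf (constructed example; names and addresses are placeholders)

conn %default
    keyexchange=ikev2
    authby=secret
    left=192.0.2.1
    leftsubnet=10.1.0.0/16

# auto=add with right=%any: loaded at startup, nothing is initiated.
# Remote peers may initiate from any address. The local daemon cannot
# dial out, because right is not a single hostname/IP.
conn remote-access
    right=%any
    rightsourceip=10.3.0.0/24
    auto=add

# auto=add with a single peer: stays down until "ipsec up site-b" is run
# locally, or until 198.51.100.7 initiates towards us.
conn site-b
    right=198.51.100.7
    rightsubnet=10.2.0.0/16
    auto=add

# auto=start: the daemon initiates to 203.0.113.9 as soon as it has
# started, as if "ipsec up site-c" had been typed at that moment.
conn site-c
    right=203.0.113.9
    rightsubnet=10.4.0.0/16
    auto=start

# auto=route: trap policies for 10.1.0.0/16 <-> 10.5.0.0/16 are installed
# in the kernel. The first matching packet makes the kernel ask the daemon
# to initiate. "ipsec unroute site-d" removes the traps again, which
# leaves the connection in the same state as one loaded with auto=add.
conn site-d
    right=203.0.113.20
    rightsubnet=10.5.0.0/16
    auto=route
```

With this file loaded, only site-c produces outbound IKE traffic at startup; site-d produces it on the first packet between the two subnets, and the two auto=add connections stay passive until a peer or an operator acts.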