Using strongswan, what's the difference between auto=add, and auto=start?
The docs on this are pretty vague,
what operation, if any, should be done automatically at IPsec startup. add loads a connection without starting it. route loads a connection and installs kernel traps. If traffic is detected between leftsubnet and rightsubnet, a connection is established. start loads a connection and brings it up immediately. ignore ignores the connection. This is equal to deleting a connection from the config file. Relevant only locally, other end need not agree on it.
What does it mean to load a connection without starting it vs bringing it up immediately? Can anyone provide a simple example?
The introduction document on the strongSwan wiki has some more information about this. The three options to start connections are as follows:
-
Manually (or by remote peers): Connections with
auto=add
are loaded but nothing happens automatically afterwards. They can then be initiated manually usingipsec up <name>
(provided a single hostname/IP is configured inright
).Such connections also allow remote peers to initiate a connection, given their IP matches whatever is configured in
right
(so you'll often see connections withright=%any
in remote access scenarios, where the clients' IP addresses are generally unknown). Automatically: With
auto=start
a connection is loaded and the IKE daemon will immediately start to connect to the remote host configured inright
. This is basically like manually callingipsec up
for these connections directly after the IKE daemon got started.-
On demand: The IKE daemon will load connections with
auto=route
and install trap policies, based on the traffic selectors configured withleft|rightsubnet
, in the underlying IPsec implementation, for instance, the Linux kernel. When the kernel later encounters traffic that matches these policies it will request the IKE daemon to initiate the connection.Such connections can also be initiated manually using
ipsec up
.Furthermore it is possible to remove the policies installed in the kernel later on using
ipsec unroute
. The connection then has the same status as one that got added withauto=add
. Likewise, connections that were loaded withauto=add
(orauto=start
) can be routed usingipsec route
.
It's worth noting that auto=start
will not re-establish the tunnel if it is shut down. This can cause issues where the tunnel will come up perfectly when you restart your server (or restart ipsec), but then fail some time later - usually due to to an inactivity timer set by the other party. On the other hand, if you set auto=route
, then strongswan will ensure that the tunnel is up everytime it sees interesting traffic.