Connections and CHILD_SAs can be started on three different occasions:
There are cases where peer does not want to perform any action and would like the other end to initiate the connection.
On traffic: If start_action=trap/auto=route is used, IPsec trap policies for the configured traffic (local|remote_ts/left|rightsubnet) will be installed and traffic matching these policies will trigger acquire events that cause the daemon to establish the required IKE/IPsec SAs. This is also used for passthrough/drop IPsec policies, to let specific traffic bypass other policies/SAs, or drop it completely. On startup: CHILD_SAs configured with start_action=start (or auto=start) will automatically be established when the daemon is started. They are not automatically restarted when they go down for some reason. You need to specify other configuration settings (dpd_action/dpdaction and/or close_action/closeaction) to restart them automatically, but even then, the setup is not bullet-proof and will potentially leak packets. You are encouraged to use trap policies and read the SecurityRecommendations to take care of any problems. Manually: A connection that uses no start_action (or auto=add in ipsec.conf) has to be established manually with swanctl --initiate (or ipsec up) or by a peer/roadwarrior. Depending on the configuration, it is also possible to use swanctl --install (or ipsec route) to install policies manually for such connections, like start_action=trap/auto=route would do it on startup.