On traffic: If start_action=trap/auto=route is used, IPsec trap policies for the configured traffic (local|remote_ts/left|rightsubnet)
will be installed and traffic matching these policies will trigger acquire events that cause the daemon to establish the required IKE/IPsec SAs.
This is also used for passthrough/drop IPsec policies, to let specific traffic bypass other policies/SAs, or drop it completely.


On startup: CHILD_SAs configured with start_action=start (or auto=start) will automatically be established when the daemon is started.
They are not automatically restarted when they go down for some reason. 
You need to specify other configuration settings
(dpd_action/dpdaction and/or close_action/closeaction) to restart them automatically, but even then, the setup is not bullet-proof
and will potentially leak packets. You are encouraged to use trap policies and read the SecurityRecommendations to take care of any problems.


Manually: A connection that uses no start_action (or auto=add in ipsec.conf) has to be established manually with swanctl --initiate (or ipsec up) or by a peer/roadwarrior.
Depending on the configuration, it is also possible to use swanctl --install (or ipsec route) to install policies manually for such connections, like start_action=trap/auto=route would do it on startup.