whether setup should turn IP forwarding on (if it's not already on) as IPsec is started, and turn it off again (if it was off) as IPsec is stopped; acceptable values are yes and (the default) no. For this to have full effect, forwarding must be disabled before the hardware interfaces are brought up (e.g., net.ipv4.ip_forward = 0 in Red Hat 6.x /etc/sysctl.conf), because IPsec doesn't get control early enough to do that.
