ike-vendor: Add option to send Cisco FlexVPN vendor ID

A new global option enables sending this vendor ID to prevent Cisco
devices from narrowing the initiator's local traffic selector to the
requested virtual IP, so e.g. 0.0.0.0/0 can be used instead.

This has been tested with a "tunnel mode ipsec ipv4" Cisco template but
should also work for GRE encapsulation.

Closes strongswan/strongswan#180.
Noel Kuntze 2020-07-24 22:25:40 +02:00 committed by Tobias Brunner
parent dc0c20600f
commit d1d5659ead
2 changed files with 13 additions and 1 deletions


@ -51,6 +51,18 @@ charon.check_current_path = no
connectivity. It will also trigger a MOBIKE update if NAT mappings were
removed during the downtime.
charon.cisco_flexvpn = no
Send the Cisco FlexVPN vendor ID payload (IKEv2 only).
Send the Cisco FlexVPN vendor ID payload, which is required in order to make
Cisco brand devices allow negotiating a local traffic selector (from
strongSwan's point of view) that is not the assigned virtual IP address if
such an address is requested by strongSwan. Sending the Cisco FlexVPN
vendor ID prevents the peer from narrowing the initiator's local traffic
selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
template but should also work for GRE encapsulation.
charon.cisco_unity = no
Send Cisco Unity vendor ID payload (IKEv1 only).
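Review bot: the long description of charon.cisco_flexvpn is hard to parse at "negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0"; spell out what the two sides are, e.g. "negotiate a local TS of 0.0.0.0/0 that matches the remote TS of 0.0.0.0/0", so it is clear this is about the initiator's local traffic selector no longer being narrowed to the virtual IP. The long text also drops the "(IKEv2 only)" qualifier that the short line carries and does not say that, being a global charon.* option, the vendor ID is announced to every IKEv2 peer rather than only to Cisco devices; one sentence on both would save users a trip to the source.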


@ -97,7 +97,7 @@ static vid_data_t vids[] = {
"\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"},
{ "Cisco Delete Reason", 0, NULL, 0,
"CISCO-DELETE-REASON" },
{ "Cisco FlexVPN Supported", 0, NULL, 0,
{ "Cisco FlexVPN Supported", 0, "cisco_flexvpn", 0,
"FLEXVPN-SUPPORTED" },
{ "Cisco Copyright (c) 2009", 0, NULL, 0,
"CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." },
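Review bot: the only change in this hunk is the third field of the "Cisco FlexVPN Supported" entry going from NULL to "cisco_flexvpn", i.e. the strongswan.conf key under charon.* that decides whether this vendor ID is sent. That string literal has to match the charon.cisco_flexvpn name added to the options file in the other hunk exactly, and a typo in either place would silently leave the vendor ID disabled with no error; a short comment next to the entry pointing at the charon.opt name, or a unit test that reads the setting and checks the VID is emitted, would make that dependency visible.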