ike-vendor: Add option to send Cisco FlexVPN vendor ID
A new global option enables sending this vendor ID to prevent Cisco devices from narrowing the initiator's local traffic selector to the requested virtual IP, so e.g. 0.0.0.0/0 can be used instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation. Closes strongswan/strongswan#180.
This commit is contained in:
parent dc0c20600f
commit d1d5659ead
|
@ -51,6 +51,18 @@ charon.check_current_path = no
|
||||||
connectivity. It will also trigger a MOBIKE update if NAT mappings were
|
connectivity. It will also trigger a MOBIKE update if NAT mappings were
|
||||||
removed during the downtime.
|
removed during the downtime.
|
||||||
|
|
||||||
|
charon.cisco_flexvpn = no
|
||||||
|
Send the Cisco FlexVPN vendor ID payload (IKEv2 only).
|
||||||
|
|
||||||
|
Send the Cisco FlexVPN vendor ID payload, which is required in order to make
|
||||||
|
Cisco brand devices allow negotiating a local traffic selector (from
|
||||||
|
strongSwan's point of view) that is not the assigned virtual IP address if
|
||||||
|
such an address is requested by strongSwan. Sending the Cisco FlexVPN
|
||||||
|
vendor ID prevents the peer from narrowing the initiator's local traffic
|
||||||
|
selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
|
||||||
|
instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
|
||||||
|
template but should also work for GRE encapsulation.
|
||||||
|
|
||||||
charon.cisco_unity = no
|
charon.cisco_unity = no
|
||||||
Send Cisco Unity vendor ID payload (IKEv1 only).
|
Send Cisco Unity vendor ID payload (IKEv1 only).
|
||||||
|
|
||||||
|
|
|
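Review bot: the description block under "charon.cisco_flexvpn = no" (the seven lines beginning "Send the Cisco FlexVPN vendor ID payload, which is required in order to make") is a single 50-word sentence and closes with an untested claim ("should also work for GRE encapsulation") that belongs in the commit message, not in the option reference. Suggest splitting it, e.g. "Send the Cisco FlexVPN vendor ID payload. Cisco devices require it in order to allow a local traffic selector (from strongSwan's point of view) other than the assigned virtual IP, so that e.g. 0.0.0.0/0 == 0.0.0.0/0 can be negotiated instead.", and either dropping the GRE sentence or marking it explicitly as untested. Since this is a charon.* setting, it would also help to state that it applies to every IKEv2 SA rather than per connection.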
@ -97,7 +97,7 @@ static vid_data_t vids[] = {
|
||||||
"\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"},
|
"\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"},
|
||||||
{ "Cisco Delete Reason", 0, NULL, 0,
|
{ "Cisco Delete Reason", 0, NULL, 0,
|
||||||
"CISCO-DELETE-REASON" },
|
"CISCO-DELETE-REASON" },
|
||||||
{ "Cisco FlexVPN Supported", 0, NULL, 0,
|
{ "Cisco FlexVPN Supported", 0, "cisco_flexvpn", 0,
|
||||||
"FLEXVPN-SUPPORTED" },
|
"FLEXVPN-SUPPORTED" },
|
||||||
{ "Cisco Copyright (c) 2009", 0, NULL, 0,
|
{ "Cisco Copyright (c) 2009", 0, NULL, 0,
|
||||||
"CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." },
|
"CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." },
|
||||||
|
|
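Review bot: nothing in this table entry restricts the vendor ID to IKEv2, although charon.opt documents the option as "(IKEv2 only)"; the only change is the setting name "cisco_flexvpn" in the third field, while the second and fourth fields stay 0 exactly as in the neighbouring "Cisco Delete Reason" and "Cisco Copyright (c) 2009" entries. Please confirm that the IKE-version check is applied where this table is walked (it has to be for the IKEv1-only cisco_unity entry documented in the same file), or add one here; otherwise enabling charon.cisco_flexvpn will also emit FLEXVPN-SUPPORTED in IKEv1 exchanges.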