author: Noel Kuntze <noel@familie-kuntze.de> 2017-03-13 16:26:10 +0100
committer: Tobias Brunner <tobias@strongswan.org> 2017-03-23 18:27:05 +0100
commit: 693107f6aeae523ff2b4e9db05143a355d8a5a7c (patch)
tree: 7faa353718132d6ea2f0144a44d45b909aee55f7
parent: a7cd424206db7fa81d86f33cfd633c866b8b44fc (diff)
download: strongswan-693107f6aeae523ff2b4e9db05143a355d8a5a7c.tar.bz2, strongswan-693107f6aeae523ff2b4e9db05143a355d8a5a7c.tar.xz
swanctl: Reformulate IKEv1 selector restriction, describe problems with TS narrowing
-rw-r--r--  src/swanctl/swanctl.opt  13
1 files changed, 10 insertions, 3 deletions
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index 142a27170..bdd92177f 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -664,9 +664,16 @@ connections.<conn>.children.<child>.local_ts = dynamic
value _opaque_ for RFC 4301 OPAQUE selectors. Port ranges may be specified
as well, none of the kernel backends currently support port ranges, though.
- Unless the Unity extension is used, IKEv1 supports the first specified
- selector only. IKEv1 uses very similar traffic selector narrowing as it is
- supported in the IKEv2 protocol.
+ When IKEv1 is used only the first selector is interpreted, except if
+ the Cisco Unity extension plugin is used. This is due to a limitation of the
+ IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA.
+ So to tunnel traffic matched by several pairs of selectors when using IKEv1
+ several children (CHILD_SAs) have to be defined that cover the selectors.
+
+ The IKE daemon uses traffic selector narrowing for IKEv1, the same way it is
+ standardized and implemented for IKEv2. However, this may lead to problems
+ with other implementations. To avoid that, configure identical selectors in
+ such scenarios.
connections.<conn>.children.<child>.remote_ts = dynamic
Remote selectors to include in CHILD_SA.
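Review bot: the new narrowing paragraph ("The IKE daemon uses traffic selector narrowing for IKEv1 ...") warns that this "may lead to problems with other implementations" and tells the user to "configure identical selectors in such scenarios", but never says what the scenario is or what goes wrong, so a reader cannot tell whether the advice applies whenever the two peers' local_ts/remote_ts differ or only when the peer's selectors are narrower than the ones configured here; spell out the concrete case (e.g. the peer proposes selectors that are a subset of the configured ones and cannot handle a narrowed reply) and what the user would observe, or drop the vague warning. Two smaller points in the first added paragraph: "When IKEv1 is used only the first selector is interpreted, except if the Cisco Unity extension plugin is used" needs a comma after "used" and reads better as "unless the Cisco Unity extension plugin is used", and "several children (CHILD_SAs) have to be defined that cover the selectors" is clearer as "one child (CHILD_SA) has to be defined per pair of selectors".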