author | Tobias Brunner <tobias@strongswan.org> | 2013-08-13 17:10:00 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2013-10-11 15:32:44 +0200 |
commit | eeb34af06936a7de2c66fd2149d9fb55a7ddb6b1 (patch) | |
tree | 2a3b4f94dfe701cee0b08a03b0b61564dc729701 /man | |
parent | 80f8b3a6d86bb15b2dca73ad50371a54cb3e5cad (diff) | |
kernel-libipsec: Add an option to allow remote TS to match the IKE peer
Setting the fwmark options for the kernel-netlink and socket-default
plugins allows this kind of setup.
It is probably required to set net.ipv4.conf.all.rp_filter to 2 to make
it work.
Diffstat (limited to 'man')
-rw-r--r-- | man/strongswan.conf.5.in | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 783f16c2c..e8dbe63f8 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in @@ -623,6 +623,13 @@ Number of ipsecN devices .BR charon.plugins.kernel-klips.ipsec_dev_mtu " [0]" Set MTU of ipsecN device .TP +.BR charon.plugins.kernel-libipsec.allow_peer_ts " [no]" +Allow that the remote traffic selector equals the IKE peer. The route installed +for such traffic (via TUN device) usually prevents further IKE traffic. The +fwmark options for the \fIkernel-netlink\fR and \fIsocket-default\fR plugins can +be used to circumvent that problem. +to +.TP .BR charon.plugins.kernel-netlink.fwmark Firewall mark to set on the routing rule that directs traffic to our own routing table. The format is [!]mark[/mask], where the optional exclamation mark inverts |
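Review bot: The added line containing only "to", between "be used to circumvent that problem." and the following ".TP" in the new charon.plugins.kernel-libipsec.allow_peer_ts entry, looks like a leftover fragment and will render as a dangling word at the end of the option's description; it should be dropped. The description also points readers at the fwmark options but does not mention the net.ipv4.conf.all.rp_filter setting that the commit message says is probably required (value 2). Someone reading only the man page will not see the commit message, so a short sentence on that here would save them from a setup where the marked IKE traffic is silently dropped by reverse path filtering.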