diff options
| author | Noel Kuntze <noel@familie-kuntze.de> | 2017-03-13 16:20:39 +0100 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2017-03-23 18:26:54 +0100 |
| commit | 11ebba0042bbe64fb6dd3bc9bc657a19abd402cd (patch) | |
| tree | 400488b0584681f3bbda74965e0bd8c3557a353c /man | |
| parent | c055c7013e0ccd06fe0af998be046a331cfee1d8 (diff) | |
| download | strongswan-11ebba0042bbe64fb6dd3bc9bc657a19abd402cd.tar.bz2 strongswan-11ebba0042bbe64fb6dd3bc9bc657a19abd402cd.tar.xz | |
man: Describe the tunneling of several subnets with IKEv1 in more detail
Diffstat (limited to 'man')
| -rw-r--r-- | man/ipsec.conf.5.in | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 3fa34c5da..5d1c63916 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -913,7 +913,9 @@ the greatest common subnet. In IKEv1, this may lead to problems with other implementations, make sure to configure identical subnets in such configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only interprets the first subnet of such a definition, unless the Cisco Unity -extension plugin is enabled. +extension plugin is enabled. This is due to a limitation of the IKEv1 protocol, +which only allows a single pair of subnets per CHILD_SA. So to tunnel several +subnets a conn entry has to be defined and brought up for each pair of subnets. The optional part after each subnet enclosed in square brackets specifies a protocol/port to restrict the selector for that subnet. |