addrblock: Use dynamic TS narrowing instead of rejecting the whole CHILD_SA

Previously, the client had to propose no wider selectors than the certificate
permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2
we can dynamically narrow the selectors to what the certificate allows. This
makes client and gateway configurations very simple by just proposing 0.0.0.0/0,
narrowed to selectors the client is permitted to route into the network.

0 files changed, 0 insertions, 0 deletions