path: root/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
author: Tobias Brunner <tobias@strongswan.org> 2017-02-20 11:36:30 +0100
committer: Tobias Brunner <tobias@strongswan.org> 2017-02-27 18:23:56 +0100
commit: da82786b2d8cef68ca6462bf7898a6b19c0b4608
tree: 56f19b0c217c2847870ed2a231c21ae09eab6fc0 /src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
parent: 2e52bbb4b220ce604f84124ba6cf9d8656e81b1b
child-cfg: Always apply hosts to traffic selectors if proposing transport mode
Usually, %dynamic is used as traffic selector for transport mode SAs, however, if wildcard traps are used then the remote TS will be a subnet. With strongSwan at the remote end that usually works fine as the local %dynamic TS narrows the proposed TS appropriately. But some implementations reject non-host TS for transport mode SAs.

Another problem could be if several distinct subnets are configured for a wildcard trap, as we'd then propose unrelated subnets on that transport mode SA, which might be problematic even for strongSwan (switch to tunnel mode and duplicate policies).

Closes strongswan/strongswan#61.
Diffstat (limited to 'src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c')
0 files changed, 0 insertions, 0 deletions