From 11ebba0042bbe64fb6dd3bc9bc657a19abd402cd Mon Sep 17 00:00:00 2001 From: Noel Kuntze Date: Mon, 13 Mar 2017 16:20:39 +0100 Subject: man: Describe the tunneling of several subnets with IKEv1 in more detail --- man/ipsec.conf.5.in | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'man') diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 3fa34c5da..5d1c63916 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -913,7 +913,9 @@ the greatest common subnet. In IKEv1, this may lead to problems with other implementations, make sure to configure identical subnets in such configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only interprets the first subnet of such a definition, unless the Cisco Unity -extension plugin is enabled. +extension plugin is enabled. This is due to a limitation of the IKEv1 protocol, +which only allows a single pair of subnets per CHILD_SA. So to tunnel several +subnets a conn entry has to be defined and brought up for each pair of subnets. The optional part after each subnet enclosed in square brackets specifies a protocol/port to restrict the selector for that subnet. -- cgit v1.2.3
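Review bot: the added rationale explains an IKEv1 limitation in IKEv2 terms ("only allows a single pair of subnets per CHILD_SA"); CHILD_SA is IKEv2 vocabulary, while in IKEv1 the unit is the IPsec SA negotiated in Quick Mode, which carries exactly one pair of client identities (IDci/IDcr). Consider "per IPsec SA (Quick Mode exchange)" or at least "per IPsec/CHILD_SA" so the sentence matches the section it sits in. The last added line also needs a comma to read cleanly: "So to tunnel several subnets, a conn entry has to be defined and brought up for each pair of subnets." Finally, since the immediately preceding sentence says the restriction does not apply when the Cisco Unity extension plugin is enabled, it would help to say in one clause how the plugin relates to the protocol limitation, otherwise "IKEv1 only interprets the first subnet ... unless the Cisco Unity extension plugin is enabled" and "This is due to a limitation of the IKEv1 protocol" read as contradicting each other.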