
VPN IPSec charon add options cisco_flexvpn and install_virtual_ip_on
Closed, Resolved | Public | FEATURE REQUEST

Description

Add the charon options charon.cisco_flexvpn and charon.install_virtual_ip_on.

charon.cisco_flexvpn
Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead.

charon.install_virtual_ip_on
The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface.

swanctl connections.<conn>.vips
Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all.

https://wiki.strongswan.org/projects/strongswan/wiki/strongswanconf
https://wiki.strongswan.org/projects/strongswan/wiki/Swanctlconf
https://wiki.strongswan.org/projects/strongswan/wiki/virtualip
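
How the three options fit together on a strongSwan initiator, as an added example that is not part of the original request and not VyOS-generated configuration. The interface name dum0, the connection and child names, the peer address 192.0.2.1, the identities and the PSK placeholder are assumptions chosen for illustration.

```conf
# --- strongswan.conf (charon daemon options) ---
charon {
    # Send the Cisco FlexVPN vendor ID (IKEv2 only) so the peer does not
    # narrow the initiator's local traffic selector to the virtual IP.
    cisco_flexvpn = yes

    # Install received virtual IPs on this interface instead of the
    # outbound interface. dum0 is a hypothetical interface name.
    install_virtual_ip_on = dum0
}

# --- swanctl.conf (connection definition) ---
connections {
    flexvpn-hub {                      # hypothetical connection name
        version = 2                    # cisco_flexvpn applies to IKEv2 only
        remote_addrs = 192.0.2.1       # constructed peer address (documentation range)

        # Request an arbitrary virtual IPv4 address from the responder.
        # The responder may return a different address, or none at all.
        vips = 0.0.0.0

        local {
            auth = psk
            id = spoke.example.net     # hypothetical identity
        }
        remote {
            auth = psk
            id = hub.example.net       # hypothetical identity
        }
        children {
            hub-net {                  # hypothetical child name
                # Selector from the description: 0.0.0.0/0 == 0.0.0.0/0.
                # Without the vendor ID the Cisco peer narrows local_ts
                # to the assigned virtual IP.
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
            }
        }
    }
}

secrets {
    ike-hub {
        id = hub.example.net
        secret = "REPLACE_WITH_PSK"    # placeholder, not a real secret
    }
}
```

A local_ts of 0.0.0.0/0 makes every source address on the router eligible for the tunnel, so the established selectors are worth reviewing after the SA comes up.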

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)