[strongSwan] Site-Site VPN issues with Cisco Devices

Martin Willi martin at strongswan.org
Thu Aug 7 13:33:12 CEST 2014


Hi,

> Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for other:
> Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.2.0.0/24
> Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] changing proposed traffic selectors for other:
> Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  0.0.0.0/0

The unity plugin widens the traffic selector as initiator, to later
dynamically reduce it to what has been negotiated with the Split-Include
Unity extension.

If the plugin is enabled, this is done on all connections where the
Unity Vendor ID has been received, which is likely with Cisco boxes.

I've recently pushed a patch [1] which disables that behavior if no
Split-Include attribute has been received on the connection. Please try
that patch; I think it should fix this issue.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1a62fb0a
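The symptom Martin describes shows up as a fixed pattern in the charon log, so it can be checked mechanically. The following is an added example, not part of this mail or of strongSwan: it scans charon log lines for connections on which the proposed remote traffic selectors were widened to an any-address selector, grouping lines by charon worker thread id. The sample log lines are constructed, modelled on the ones quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log, modelled on the charon lines quoted in the mail:
# thread 09 shows the widening, thread 11 proposes a narrow selector only.
SAMPLE_LOG = """\
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for other:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.2.0.0/24
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] changing proposed traffic selectors for other:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  0.0.0.0/0
Aug  7 12:06:05 A0089-Mint1 charon: 11[CFG] proposing traffic selectors for other:
Aug  7 12:06:05 A0089-Mint1 charon: 11[CFG]  10.3.0.0/24
"""

LINE_RE = re.compile(r"charon: (?P<tid>\d+)\[CFG\]\s+(?P<msg>.*)$")
CIDR_RE = re.compile(r"^[0-9a-fA-F.:]+/\d{1,3}$")
ANY = ("0.0.0.0/0", "::/0")  # selectors that cover every address

def _new_state() -> dict:
    return {"proposed": [], "changed": [], "mode": None}

def _flush(st: dict, events: list) -> None:
    # Widening: the changed set covers everything, the original proposal did not.
    if any(a in st["changed"] for a in ANY) and not any(a in st["proposed"] for a in ANY):
        events.append((list(st["proposed"]), list(st["changed"])))

def find_widened_selectors(log_text: str) -> List[Tuple[List[str], List[str]]]:
    """Return (proposed, changed) selector lists for each negotiation where charon
    replaced its proposed remote selectors with an any-address selector."""
    state: Dict[str, dict] = {}
    events: List[Tuple[List[str], List[str]]] = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = m.group("tid"), m.group("msg").strip()
        st = state.setdefault(tid, _new_state())
        if msg.startswith("proposing traffic selectors for other"):
            _flush(st, events)  # close the previous negotiation on this thread
            st = state[tid] = _new_state()
            st["mode"] = "proposed"
        elif msg.startswith("changing proposed traffic selectors for other"):
            st["changed"], st["mode"] = [], "changed"
        elif st["mode"] and CIDR_RE.match(msg):
            st[st["mode"]].append(msg)  # indented CIDR line belongs to the open list
    for st in state.values():
        _flush(st, events)
    return events
```

An empty result after applying the patch, on a connection that received no Split-Include attribute, confirms the widening no longer happens.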
