[strongSwan] fortiOS multiple pair of selectors per CHILD_SA
Marco Berizzi
pupilla at hotmail.com
Wed Sep 5 18:17:06 CEST 2018
I have successfully established an IPsec IKEv2 tunnel
with a FortiGate 1200D/FortiOS v5.2.4.

It is the first device where I'm able to get multiple
pairs of selectors per CHILD_SA.

The tricky thing to pay attention to is the comma-separated
list sequence in the remote_ts parameter.

For example, this sequence was rejected by the remote
peer:

    remote_ts = 192.168.32.0/24,10.20.29.75/32

with the following error message:

    [IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
    [IKE] failed to establish CHILD_SA, keeping IKE_SA

Instead, the following one was working:

    remote_ts = 10.20.29.75/32,192.168.32.0/24

Is this the expected behavior per the RFC?