From d1d5659eadcb5c6a2244de9da81877b05b2a223a Mon Sep 17 00:00:00 2001
From: Noel Kuntze
Date: Fri, 24 Jul 2020 22:25:40 +0200
Subject: [PATCH] ike-vendor: Add option to send Cisco FLexVPN vendor ID

A new global option enables sending this vendor ID to prevent Cisco devices from narrowing the initiator's local traffic selector to the requested virtual IP, so e.g. 0.0.0.0/0 can be used instead.

This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation.

Closes strongswan/strongswan#180.
---
 conf/options/charon.opt | 12 ++++++++++++
 src/libcharon/sa/ikev2/tasks/ike_vendor.c | 2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 52983ee63d..dc052a89a3 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -51,6 +51,18 @@ charon.check_current_path = no
 connectivity. It will also trigger a MOBIKE update if NAT mappings were
 removed during the downtime.
 
+charon.cisco_flexvpn = no
+ Send the Cisco FlexVPN vendor ID payload (IKEv2 only).
+
+ Send the Cisco FlexVPN vendor ID payload, which is required in order to make
+ Cisco brand devices allow negotiating a local traffic selector (from
+ strongSwan's point of view) that is not the assigned virtual IP address if
+ such an address is requested by strongSwan. Sending the Cisco FlexVPN
+ vendor ID prevents the peer from narrowing the initiator's local traffic
+ selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0
+ instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco
+ template but should also work for GRE encapsulation.
+
 charon.cisco_unity = no
 Send Cisco Unity vendor ID payload (IKEv1 only).
 
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
index e81a18a14b..d455f28ab6 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_vendor.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
@@ -97,7 +97,7 @@ static vid_data_t vids[] = {
 "\x88\x2f\xe5\x6d\x6f\xd2\x0d\xbc\x22\x51\x61\x3b\x2e\xbe\x5b\xeb"},
 { "Cisco Delete Reason", 0, NULL, 0,
 "CISCO-DELETE-REASON" },
- { "Cisco FlexVPN Supported", 0, NULL, 0,
+ { "Cisco FlexVPN Supported", 0, "cisco_flexvpn", 0,
 "FLEXVPN-SUPPORTED" },
 { "Cisco Copyright (c) 2009", 0, NULL, 0,
 "CISCO(COPYRIGHT)&Copyright (c) 2009 Cisco Systems, Inc." },
-- 
2.47.2
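Review bot: The new entry ties the FlexVPN vendor ID to a setting purely by the bare key name "cisco_flexvpn", and nothing in this hunk shows under which namespace that key is resolved or what the lookup yields when it is absent; the option file in the same patch documents it as `charon.cisco_flexvpn = no`, so the code that reads the setting field (outside this hunk) is presumably resolving it relative to the daemon's namespace and defaulting to off, but that is inferred rather than visible here. A short comment on the entry would keep the two files in sync for the next person who renames either side: `/* sent only when charon.cisco_flexvpn is enabled, see conf/options/charon.opt */`. Vendor ID payloads are exchanged before the IKE SA is encrypted, so enabling the option also exposes the Cisco-interop configuration to any on-path observer; the charon.opt description could mention that cost alongside the interoperability benefit. The vids[] initializer begins and ends outside the hunk.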