ipsec: set ignore_acquire_ts to allow ASA compat

Let's try this unconditionally.  From the manual...

  If this is disabled the traffic selectors from the kernel's acquire events,
  which are derived from the triggering packet, are prepended to the traffic
  selectors from the configuration for IKEv2 connection. By enabling this,
  such specific traffic selectors will be ignored and only the ones in the
  config will be sent. This always happens for IKEv1 connections as the protocol
  only supports one set of traffic selectors per CHILD_SA.

PR: https://forum.opnsense.org/index.php?topic=8539.0
Franco Fichtner 2018-05-02 16:02:17 +02:00
parent 5e41585d2c
commit 9a604aa5bb

@ -887,12 +887,12 @@ starter {
}
charon {
# number of worker threads in charon
threads = 16
ikesa_table_size = 32
ikesa_table_segments = 4
init_limit_half_open = 1000;
init_limit_half_open = 1000
ignore_acquire_ts = yes
{$cnf_add_to_charon_section}
EOD;
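
Review bot: the new `ignore_acquire_ts = yes` line in the `charon` block is emitted unconditionally, so it changes traffic selector behaviour for every IKEv2 connection on the box, not only those with an ASA peer. Per the manual text quoted in the commit message, the packet-derived selectors from kernel acquire events will no longer be prepended, and only the configured selectors are sent. Consider gating the line behind a setting (or at least documenting the change in the release notes) so deployments that rely on the narrower acquire-derived selectors can keep the old behaviour. Separately, dropping the trailing `;` from `init_limit_half_open = 1000` is an unrelated fix and deserves its own mention in the commit message.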