From 9a604aa5bb730dadcd73c0171814e85325187a32 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Wed, 2 May 2018 16:02:17 +0200
Subject: [PATCH] ipsec: set ignore_acquire_ts to allow ASA compat

Let's try this unconditionally. From the manual...

If this is disabled the traffic selectors from the kernel's acquire events, which are derived from the triggering packet, are prepended to the traffic selectors from the configuration for IKEv2 connection. By enabling this, such specific traffic selectors will be ignored and only the ones in the config will be sent. This always happens for IKEv1 connections as the protocol only supports one set of traffic selectors per CHILD_SA.

PR: https://forum.opnsense.org/index.php?topic=8539.0
---
 src/etc/inc/plugins.inc.d/ipsec.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
index 1286d2292..88beeac35 100644
--- a/src/etc/inc/plugins.inc.d/ipsec.inc
+++ b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -887,12 +887,12 @@ starter {
 }
 charon {
-    # number of worker threads in charon
     threads = 16
     ikesa_table_size = 32
     ikesa_table_segments = 4
-    init_limit_half_open = 1000;
+    init_limit_half_open = 1000
+    ignore_acquire_ts = yes
{$cnf_add_to_charon_section}
EOD;
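Review bot: The new `ignore_acquire_ts = yes` line is a charon-wide setting that now affects every IKEv2 tunnel this box initiates, not only the Cisco ASA peer that motivated it, yet the generated config carries no hint of why it is there and the old worker-thread comment is dropped in the same hunk; the next maintainer has no way to tell this key is a deliberate interop workaround rather than a leftover. I would keep a comment directly above it, `# propose only the configured traffic selectors for IKEv2; peers such as Cisco ASA reject the acquire-derived ones (https://forum.opnsense.org/index.php?topic=8539.0)`, and note in the commit message that peers which previously relied on the narrow acquire-derived selectors may now negotiate only the configured ones, which is worth watching on existing non-ASA tunnels. The removal of the stray `;` after `init_limit_half_open = 1000` is a separate fix that deserves a mention: if strongSwan's integer parser rejected `1000;` and fell back to its default, the half-open IKE_SA limit (a DoS guard) may have been silently disabled until now, which would make this hunk a behavioural change in its own right — worth confirming against the charon log after deploy. Since `{$cnf_add_to_charon_section}` is still emitted after these keys, operator-supplied additions presumably keep the ability to override them; keep it last if that is the intent.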