ipsec: set ignore_acquire_ts to allow ASA compat

Let's try this unconditionally. From the manual... If this is disabled the traffic selectors from the kernel's acquire events, which are derived from the triggering packet, are prepended to the traffic selectors from the configuration for IKEv2 connection. By enabling this, such specific traffic selectors will be ignored and only the ones in the config will be sent. This always happens for IKEv1 connections as the protocol only supports one set of traffic selectors per CHILD_SA. PR: https://forum.opnsense.org/index.php?topic=8539.0
opnsense · May 2, 2018 · 9a604aa · 9a604aa
1 parent 5e41585
commit 9a604aa
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/src/etc/inc/plugins.inc.d/ipsec.inc b/src/etc/inc/plugins.inc.d/ipsec.inc
@@ -887,12 +887,12 @@ starter {
 }
 
 charon {
-
     # number of worker threads in charon
     threads = 16
     ikesa_table_size = 32
     ikesa_table_segments = 4
-    init_limit_half_open = 1000;
+    init_limit_half_open = 1000
+    ignore_acquire_ts = yes
 {$cnf_add_to_charon_section}
 
 EOD;