
Send CISCO FlexVPN vendor ID #180

Closed

Conversation

Thermi
Contributor

@Thermi Thermi commented Jul 24, 2020

Send CISCO FlexVPN vendor ID if send_cisco_flexvpn_vendor_id is set to "yes".
Option description:
Send the CISCO FlexVPN vendor ID. It is required in order to make CISCO brand devices allow negotiating a local_ts (from strongSwan's point of view) that is not the assigned "virtual" IP address, if a "virtual" IP address is requested by strongSwan. Sending the CISCO FlexVPN vendor ID makes the CISCO peer allow this peer to negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead (unknown if it works for IPv6 too). This has been tested with a "tunnel mode ipsec ipv4" CISCO template but should also work for GRE encapsulation.

…o "yes".

Option description:
charon.send_cisco_flexvpn_vendor_id = no
	Send the CISCO FlexVPN vendor ID. It is required in order to make CISCO
	brand devices allow negotiating a local_ts (from strongSwan's point of view)
	that is not the assigned "virtual" IP address, if a "virtual" IP address is
	requested by strongSwan. Sending the CISCO FlexVPN vendor ID makes the CISCO
	peer allow this peer to negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead
	(unknown if it works for IPv6 too). This has been tested with a "tunnel mode
	ipsec ipv4" CISCO template but should also work for GRE encapsulation.
@Thermi
Contributor Author

Thermi commented Jul 25, 2020

Check failures are unrelated to the PR.

@tobiasbrunner
Member

Thanks, Noel. I've pushed a modified version of your patch to the cisco-flexvpn-vendor-id branch (renamed the option to match that for Cisco Unity and modified description and commit message).

Do you know of any documentation of this feature/vendor ID from Cisco? While I found some documentation of FlexVPN, this particular vendor ID is never mentioned.

@Thermi
Contributor Author

Thermi commented Sep 5, 2020

Thank you for pushing it to that branch.

Other than that, which I just found, I have no documentation.
The behaviour was discovered by observing behaviour and checking against the sent vendor IDs.
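Checking which vendor IDs a peer actually sends, as described above, means walking the IKEv2 payload chain of an IKE_SA_INIT message and pulling out every Vendor ID payload (type 43). The following parser is an added example, not strongSwan's or Cisco's code; the message it parses is constructed inline, and the FlexVPN vendor ID bytes are a placeholder because the real value is not given in this thread.

```python
import struct

IKE_HEADER_LEN = 28
PAYLOAD_NONCE = 40      # IKEv2 payload type Ni/Nr (RFC 7296)
PAYLOAD_VENDOR_ID = 43  # IKEv2 payload type V (RFC 7296)
NO_NEXT_PAYLOAD = 0


def vendor_ids(message: bytes) -> list:
    """Return the data of every Vendor ID payload in an IKEv2 message.

    Follows the next-payload chain from the IKE header, skipping other
    payload types by their length. Raises ValueError on truncation or
    inconsistent length fields rather than reading past the buffer.
    """
    if len(message) < IKE_HEADER_LEN:
        raise ValueError("message shorter than IKEv2 header")
    # Header: SPIi(8) SPIr(8) next(1) version(1) exch(1) flags(1) msgid(4) len(4)
    next_type = message[16]
    if struct.unpack("!I", message[24:28])[0] != len(message):
        raise ValueError("header length does not match message length")
    offset, found = IKE_HEADER_LEN, []
    while next_type != NO_NEXT_PAYLOAD:
        if offset + 4 > len(message):
            raise ValueError("truncated payload header")
        # Generic payload header: next(1) critical/reserved(1) length(2)
        cur_type, next_type = next_type, message[offset]
        plen = struct.unpack("!H", message[offset + 2:offset + 4])[0]
        if plen < 4 or offset + plen > len(message):
            raise ValueError("bad payload length")
        if cur_type == PAYLOAD_VENDOR_ID:
            found.append(message[offset + 4:offset + plen])
        offset += plen
    if offset != len(message):
        raise ValueError("trailing bytes after last payload")
    return found


def build_message(vids: list) -> bytes:
    """Constructed IKE_SA_INIT-like message: a Nonce payload followed by VIDs."""
    body = struct.pack("!BBH", PAYLOAD_VENDOR_ID if vids else NO_NEXT_PAYLOAD,
                       0, 4 + 16) + b"\x11" * 16
    for i, vid in enumerate(vids):
        nxt = PAYLOAD_VENDOR_ID if i + 1 < len(vids) else NO_NEXT_PAYLOAD
        body += struct.pack("!BBH", nxt, 0, 4 + len(vid)) + vid
    # Constructed SPIs; exchange type 34 = IKE_SA_INIT, flags 0x08 = initiator
    hdr = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, PAYLOAD_NONCE,
                      0x20, 34, 0x08, 0, IKE_HEADER_LEN + len(body))
    return hdr + body


if __name__ == "__main__":
    msg = build_message([b"strongSwan", b"PLACEHOLDER-FLEXVPN-VID"])
    print([v.hex() for v in vendor_ids(msg)])
```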

@tobiasbrunner
Member

> Other than that, which I just found, I have no documentation.

Thanks. Interesting, the workaround (only visible after logging in) actually refers to strongSwan and sending the VID payload to fake support for FlexVPN.

@johnfzc

johnfzc commented Sep 23, 2020

That bug was opened in response to a support ticket I created with Cisco about the issue; you can use this public link for a more cursory description of the issue without a Cisco support account. It's a request for an improvement that would allow a Cisco-side configuration to permit clients to use the 0.0.0.0/0 tunnel selector instead of forcing the remote side selector to use the assigned IP when the VID is not received.

There is no other public documentation of this behaviour that I am aware of; there was another bug but I can't locate it. I believe the support team identified the cause of the issue from the IOS source code. I'll update the issue if I can obtain any other public information about it.

@tobiasbrunner
Member

Thanks for the update.

@Thermi Thermi deleted the cisco-flexvpn-vendor-id branch April 11, 2021 04:26