addrblock: Use dynamic TS narrowing instead of rejecting the whole CHILD_SA
author Martin Willi <martin@strongswan.org>
Wed, 22 Feb 2017 09:01:19 +0000 (10:01 +0100)
committer Martin Willi <martin@strongswan.org>
Thu, 2 Mar 2017 07:24:02 +0000 (08:24 +0100)
commit d536b94e0d12543e548ed4f0df2220384293f08e
tree e738bf30202cd9619e068e735b21528b58e91903
parent d1317adb9a45166cdc8f44117a5fa85ecd053552

Previously, the client had to propose no wider selectors than the certificate
permits, otherwise the complete CHILD_SA was rejected. However, with IKEv2
we can dynamically narrow the selectors to what the certificate allows. This
makes client and gateway configurations very simple by just proposing 0.0.0.0/0,
narrowed to selectors the client is permitted to route into the network.
src/libcharon/plugins/addrblock/addrblock_narrow.c
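
The narrowing the commit message describes, as an added example that is not strongSwan's code: each proposed selector is intersected with every address block the certificate permits, and an empty result means nothing is allowed. The `range_t` type and the `cidr`, `subset` and `narrow` helpers are hypothetical, cover IPv4 only, and ignore ports and protocol.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Inclusive IPv4 range in host byte order; stands in for a traffic
 * selector or a certificate address block (hypothetical type). */
typedef struct { uint32_t from, to; } range_t;

/* Build a range from a CIDR prefix, e.g. cidr(0x0A010000u, 16). */
static range_t cidr(uint32_t net, unsigned bits)
{
    uint32_t mask = bits ? ~(uint32_t)0 << (32 - bits) : 0;
    range_t r = { net & mask, (net & mask) | ~mask };
    return r;
}

/* Intersect a with b; returns 1 and fills *out when they overlap. */
static int subset(range_t a, range_t b, range_t *out)
{
    uint32_t from = a.from > b.from ? a.from : b.from;
    uint32_t to = a.to < b.to ? a.to : b.to;
    if (from > to) return 0;
    out->from = from; out->to = to;
    return 1;
}

/* Narrow each proposed selector to every certificate block it overlaps.
 * Returns the number of selectors written; 0 means nothing is permitted. */
static size_t narrow(const range_t *prop, size_t nprop,
                     const range_t *blocks, size_t nblocks,
                     range_t *out, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < nprop; i++)
        for (size_t j = 0; j < nblocks; j++)
            if (n < max && subset(prop[i], blocks[j], &out[n]))
                n++;
    return n;
}

int main(void)
{
    /* Constructed sample: client proposes 0.0.0.0/0, certificate
     * permits 10.1.0.0/16 and 192.168.1.0/24. */
    range_t prop[] = { cidr(0, 0) }, out[4];
    range_t blocks[] = { cidr(0x0A010000u, 16), cidr(0xC0A80100u, 24) };
    size_t n = narrow(prop, 1, blocks, 2, out, 4);
    for (size_t i = 0; i < n; i++)
        printf("%08x-%08x\n", (unsigned)out[i].from, (unsigned)out[i].to);
    return 0;
}
```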