man: Describe the tunneling of several subnets with IKEv1 in more detail

author Noel Kuntze <noel@familie-kuntze.de>

Mon, 13 Mar 2017 15:20:39 +0000 (16:20 +0100)

committer Tobias Brunner <tobias@strongswan.org>

Thu, 23 Mar 2017 17:26:54 +0000 (18:26 +0100)
author Noel Kuntze <noel@familie-kuntze.de>
Mon, 13 Mar 2017 15:20:39 +0000 (16:20 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Thu, 23 Mar 2017 17:26:54 +0000 (18:26 +0100)
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in

index 3fa34c5..5d1c639 100644 (file)
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -913,7 +913,9 @@ the greatest common subnet. In IKEv1, this may lead to problems with other
  implementations, make sure to configure identical subnets in such
  configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
  interprets the first subnet of such a definition, unless the Cisco Unity
-extension plugin is enabled.
+extension plugin is enabled. This is due to a limitation of the IKEv1 protocol,
+which only allows a single pair of subnets per CHILD_SA. So to tunnel several
+subnets a conn entry has to be defined and brought up for each pair of subnets.
  
  The optional part after each subnet enclosed in square brackets specifies a
  protocol/port to restrict the selector for that subnet.
author	Noel Kuntze <noel@familie-kuntze.de>
	Mon, 13 Mar 2017 15:20:39 +0000 (16:20 +0100)
committer	Tobias Brunner <tobias@strongswan.org>
	Thu, 23 Mar 2017 17:26:54 +0000 (18:26 +0100)