Hi Noel,

> What format of traffic selectors does the plugin accept in the
> X.509 certificate?

The formats defined in RFC 3779 (basically prefixes and ranges).

> How does the plugin behave when the user on the side, that uses the
> plugin, sets a TS larger than the one permitted by the certificate?
> Does it correctly narrow it to the one allowed by the certificate?
> Does the plugin make building the CHILD_SA fail if the TS is not
> within the data in the certificate?

The plugin itself doesn't do any narrowing. After narrowing is complete, it checks the negotiated traffic selectors against the constraints in the certificate; if any of them conflict, the CHILD_SA fails with TS_UNACCEPTABLE.

Regards,
Tobias
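
Added example, not part of the original message and not strongSwan's code: a Python sketch of the check described in the reply, where already-negotiated traffic selectors are compared against RFC 3779-style blocks (prefixes and ranges) and nothing is narrowed. The function names, the textual block syntax, the rule that a selector "conflicts" when no single block fully contains it, and all sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_block(text):
    """Parse a prefix ("10.1.0.0/16") or a range ("10.2.0.10-10.2.0.20") into (low, high)."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    else:
        net = ipaddress.ip_network(text.strip(), strict=True)
        lo, hi = net.network_address, net.broadcast_address
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid block: {text!r}")
    return lo, hi

def contained(ts, block):
    """True if the selector range lies entirely inside one certificate block."""
    return (ts[0].version == block[0].version
            and block[0] <= ts[0] and ts[1] <= block[1])

def check_child_sa(negotiated_ts, cert_blocks):
    """Return "OK" or "TS_UNACCEPTABLE" for selectors that were already narrowed.

    Assumption: a selector conflicts when no single certificate block contains
    it. Certificates without any constraints are not modeled here.
    """
    if not cert_blocks:
        raise ValueError("this sketch only models certificates with constraints")
    blocks = [parse_block(b) for b in cert_blocks]
    for ts_text in negotiated_ts:
        ts = parse_block(ts_text)
        if not any(contained(ts, b) for b in blocks):
            # No narrowing happens at this stage: the whole CHILD_SA is rejected.
            return "TS_UNACCEPTABLE"
    return "OK"

# Constructed sample constraints (one prefix, one range, one IPv6 prefix).
CERT_BLOCKS = ["10.1.0.0/16", "10.2.0.10-10.2.0.20", "2001:db8::/32"]

if __name__ == "__main__":
    for ts in (["10.1.2.0/24"], ["10.0.0.0/8"], ["10.2.0.10-10.2.0.21"]):
        print(ts, "->", check_child_sa(ts, CERT_BLOCKS))
```
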
