Update ipsec.rst

docs/configuration/vpn/ipsec.rst

@@ -170,11 +170,11 @@ Options (Global IPsec settings) Attributes
 
  * ``disable-route-autoinstall`` Do not automatically install routes to remote networks;
  
- * ``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only);
+ * ``flexvpn`` Allow FlexVPN vendor ID payload (IKEv2 only). Send the Cisco FlexVPN vendor ID payload (IKEv2 only), which is required in order to make Cisco brand devices allow negotiating a local traffic selector (from strongSwan's point of view) that is not the assigned virtual IP address if such an address is requested by strongSwan. Sending the Cisco FlexVPN vendor ID prevents the peer from narrowing the initiator's local traffic selector and allows it to e.g. negotiate a TS of 0.0.0.0/0 == 0.0.0.0/0 instead. This has been tested with a "tunnel mode ipsec ipv4" Cisco template but should also work for GRE encapsulation;
  
- * ``interface`` Interface Name to use;
+ * ``interface`` Interface Name to use. The name of the interface on which virtual IP addresses should be installed. If not specified the addresses will be installed on the outbound interface;
  
- * ``virtual-ip`` Allow install virtual-ip addresses.
+ * ``virtual-ip`` Allow install virtual-ip addresses. Comma separated list of virtual IPs to request in IKEv2 configuration payloads or IKEv1 Mode Config. The wildcard addresses 0.0.0.0 and :: request an arbitrary address, specific addresses may be defined. The responder may return a different address, though, or none at all.
  
 *************************
 IPsec policy matching GRE