Revert "kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windows"
authorTobias Brunner <tobias@strongswan.org>
Fri, 23 Feb 2024 16:55:41 +0000 (17:55 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 23 Feb 2024 17:00:32 +0000 (18:00 +0100)
This reverts commit 8b9b11919d92e9738bb52901c9dbcc72e35b9fed.

Since ESN was negotiated via proposal, just configuring the SA without
ESN won't work as the ICV will be incorrect if the peer enabled ESN
on its SA.  While the Linux kernel currently doesn't support disabling
replay protection for SAs that use ESN, this at least gets users an
explicit error instead of just dropped packets, and it will automatically work
if the kernel supports this combination at some point.

References strongswan/strongswan#2117

src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c

index 2420236d3b75966c8d5529a95d07dfc62d2778f1..db0b2ac37a6afd47a8ab896df0d4945039169a8a 100644 (file)
@@ -2046,7 +2046,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
                {
                        data->replay_window = data->esn ? 1 : 0;
                }
-               if (data->replay_window != 0 && (data->esn || data->replay_window > 32))
+               if (data->esn || data->replay_window > 32)
                {
                        /* for ESN or larger replay windows we need the new
                         * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
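Review bot: The restored condition on the `+` line sends an ESN SA with `replay_window == 0` down the XFRMA_REPLAY_ESN_VAL path, which per the description the current Linux kernel rejects, yet the comment that follows only explains the bitmap and gives a reader of the code no hint that the resulting kernel error is the intended outcome rather than a bug in the attribute setup. I would extend that comment with a sentence along the lines of `/* ESN with a zero replay window is currently rejected by Linux; we still pass it on so users get an explicit error instead of silently dropped packets (strongswan/strongswan#2117) */`. If the failure path below does not already log the replay window and ESN flag alongside the netlink error, it is worth adding them there, since that is the only clue an operator will have when diagnosing this rejected SA. The block assigning `data->replay_window` on the third line starts outside the hunk, and add_sa's body continues past it, so I could not confirm what the surrounding condition and the error path look like.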