This reverts commit 8b9b11919d92e9738bb52901c9dbcc72e35b9fed.
Since ESN was negotiated via proposal, just configuring the SA without
ESN won't work as the ICV will be incorrect if the peer enabled ESN
on its SA. While the Linux kernel currently doesn't support disabling
replay protection for SAs that use ESN, this at least gets users an
explicit error, not just dropped packets, and it will automatically work
if the kernel supports this combination at some point.
References strongswan/strongswan#2117
{
data->replay_window = data->esn ? 1 : 0;
}
- if (data->replay_window != 0 && (data->esn || data->replay_window > 32))
+ if (data->esn || data->replay_window > 32)
{
/* for ESN or larger replay windows we need the new
* XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
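Review bot: The comment under the changed condition does not say that the ESN branch is now taken even when `data->replay_window` is 0, a combination the commit message says the kernel currently rejects. Add a sentence to that comment stating that ESN with a zero window is passed through on purpose so the failure is an explicit error rather than dropped packets; otherwise the `data->replay_window != 0` guard is likely to be reintroduced by someone reading the code without the commit history. It is also worth confirming that the error reported to the user in this case identifies the ESN and replay window combination as the cause.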