kernel-netlink: Don't set replay window for outbound SAs

It's not necessary and might waste memory.  However, if ESN is used we set
the window to 1 as the kernel rejects the attribute otherwise.

diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 7e60982f775e82e2f624b198a78d6d11aa71ec49..9c2a7c31517af4f7683740fc19ced30a5260ba64 100644 (file)
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1587,6 +1587,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 
        if (id->proto != IPPROTO_COMP)
        {
+               /* generally, we don't need a replay window for outbound SAs, however,
+                * when using ESN the kernel rejects the attribute if it is 0 */
+               if (!data->inbound && data->replay_window)
+               {
+                       data->replay_window = data->esn ? 1 : 0;
+               }
                if (data->replay_window != 0 && (data->esn || data->replay_window > 32))
                {
                        /* for ESN or larger replay windows we need the new