From: Tobias Brunner
Date: Fri, 17 Jun 2016 12:56:37 +0000 (+0200)
Subject: kernel-netlink: Don't set replay window for outbound SAs
X-Git-Tag: 5.5.0dr1~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=408282196453b3f610c758d6f96236ac1e9da3c7;p=thirdparty%2Fstrongswan.git

kernel-netlink: Don't set replay window for outbound SAs

It's not necessary and might waste memory. However, if ESN is used we set the window to 1 as the kernel rejects the attribute otherwise.
---

diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index 7e60982f77..9c2a7c3151 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1587,6 +1587,12 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	if (id->proto != IPPROTO_COMP)
 	{
+		/* generally, we don't need a replay window for outbound SAs, however,
+		 * when using ESN the kernel rejects the attribute if it is 0 */
+		if (!data->inbound && data->replay_window)
+		{
+			data->replay_window = data->esn ? 1 : 0;
+		}
 		if (data->replay_window != 0 && (data->esn || data->replay_window > 32))
 		{
 			/* for ESN or larger replay windows we need the new