From: Martin Willi Date: Wed, 18 Jun 2014 12:57:21 +0000 (+0200) Subject: kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windows X-Git-Tag: 5.2.0rc1~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8b9b11919d92e9738bb52901c9dbcc72e35b9fed;p=thirdparty%2Fstrongswan.git kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windows Trying to disable replay windows using the ESN attribute fails with EINVAL. Use non-ESN legacy format to disable replay windows, even if ESN has been negotiated over IKE. --- diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index c015c0f321..1e250d0048 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -1460,7 +1460,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, if (protocol != IPPROTO_COMP) { - if (esn || replay_window > 32) + if (replay_window != 0 && (esn || replay_window > 32)) { /* for ESN or larger replay windows we need the new * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
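Review bot: The comment directly below the changed condition ("for ESN or larger replay windows we need the new XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap") no longer matches the condition, which now also requires `replay_window != 0`; suggest extending it to state that a zero replay window always takes the legacy (non-ESN attribute) path because the kernel rejects an ESN attribute with an empty bitmap, as the commit message explains. It is also worth confirming in the else branch (outside this hunk) how an SA with `esn` set and `replay_window == 0` is flagged: if the legacy path does not carry the ESN state flag, the SA is installed without ESN although ESN was negotiated over IKE, and the peer's ESN sequence numbering would not match; the "even if ESN has been negotiated" case in the commit message deserves a test with ESN enabled and `replay_window = 0`.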