child-sa: Set replay window on both inbound and outbound SA

While the outbound SA actually does not need a replay window, the kernel rejects
zero replay windows on SAs using ESN. The ESN flag is required to use the full
sequence number in ICV calculation, hence we set the replay window.

This restores the behavior we had before 30c009c2.

diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index bcb0ca20f056e658e824e38cf7a716f581309041..a96ab4e907043fc73380a80017c88ec02ae03a48 100644 (file)
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -639,7 +639,6 @@ METHOD(child_sa_t, install, status_t,
        host_t *src, *dst;
        status_t status;
        bool update = FALSE;
-       u_int32_t replay_window = 0;
 
        /* now we have to decide which spi to use. Use self allocated, if "in",
         * or the one in the proposal, if not "in" (others). Additionally,
@@ -654,9 +653,6 @@ METHOD(child_sa_t, install, status_t,
                }
                this->my_spi = spi;
                this->my_cpi = cpi;
-
-               /* required on inbound SA only */
-               replay_window = this->config->get_replay_window(this->config);
        }
        else
        {
@@ -726,8 +722,8 @@ METHOD(child_sa_t, install, status_t,
                                src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
                                inbound ? this->mark_in : this->mark_out, tfc,
                                lifetime, enc_alg, encr, int_alg, integ, this->mode,
-                               this->ipcomp, cpi, replay_window, initiator, this->encap,
-                               esn, update, src_ts, dst_ts);
+                               this->ipcomp, cpi, this->config->get_replay_window(this->config),
+                               initiator, this->encap, esn, update, src_ts, dst_ts);
 
        free(lifetime);