From: Martin Willi Date: Wed, 18 Jun 2014 14:50:18 +0000 (+0200) Subject: child-sa: Set replay window on both inbound and outbound SA X-Git-Tag: 5.2.0rc1~35 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=758dc8a953639d7522b31004d2261ed04b474d7a;p=thirdparty%2Fstrongswan.git child-sa: Set replay window on both inbound and outbound SA While the outbound SA actually does not need a replay window, the kernel rejects zero replay windows on SAs using ESN. The ESN flag is required to use the full sequence number in ICV calculation, hence we set the replay window. This restores the behavior we had before 30c009c2. --- diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index bcb0ca20f0..a96ab4e907 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -639,7 +639,6 @@ METHOD(child_sa_t, install, status_t, host_t *src, *dst; status_t status; bool update = FALSE; - u_int32_t replay_window = 0; /* now we have to decide which spi to use. Use self allocated, if "in", * or the one in the proposal, if not "in" (others). Additionally, @@ -654,9 +653,6 @@ METHOD(child_sa_t, install, status_t, } this->my_spi = spi; this->my_cpi = cpi; - - /* required on inbound SA only */ - replay_window = this->config->get_replay_window(this->config); } else { @@ -726,8 +722,8 @@ METHOD(child_sa_t, install, status_t, src, dst, spi, proto_ike2ip(this->protocol), this->reqid, inbound ? this->mark_in : this->mark_out, tfc, lifetime, enc_alg, encr, int_alg, integ, this->mode, - this->ipcomp, cpi, replay_window, initiator, this->encap, - esn, update, src_ts, dst_ts); + this->ipcomp, cpi, this->config->get_replay_window(this->config), + initiator, this->encap, esn, update, src_ts, dst_ts); free(lifetime);
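Review bot: The call in the last hunk now passes `this->config->get_replay_window(this->config)` for outbound SAs too, but the reason is recorded only in the commit message, and the deleted comment `/* required on inbound SA only */` is not replaced by anything. A comment above that argument, such as `/* outbound SAs need no replay window, but the kernel rejects a zero window on SAs using ESN */`, would keep a later cleanup from restoring the inbound-only behaviour this commit reverts. The configured value is also passed through unchanged, so a configuration that sets the replay window to 0 while ESN is negotiated would presumably still be rejected by the kernel, as the description says; it is worth confirming whether that combination is caught elsewhere. Both the install method and the call this argument list belongs to begin outside the hunk.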