kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windows
author	Martin Willi <martin@revosec.ch>
	Wed, 18 Jun 2014 12:57:21 +0000 (14:57 +0200)
committer	Martin Willi <martin@revosec.ch>
	Wed, 18 Jun 2014 13:04:57 +0000 (15:04 +0200)
Trying to disable replay windows using the ESN attribute fails with EINVAL.
Use non-ESN legacy format to disable replay windows, even if ESN has been
negotiated over IKE.

src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c

index c015c0f..1e250d0 100644
@@ -1460,7 +1460,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 
        if (protocol != IPPROTO_COMP)
        {
-               if (esn || replay_window > 32)
+               if (replay_window != 0 && (esn || replay_window > 32))
                {
                        /* for ESN or larger replay windows we need the new
                         * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
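Review bot: the comment closing this hunk ("for ESN or larger replay windows we need the new XFRMA_REPLAY_ESN_VAL attribute") no longer describes the condition above it. With the added `replay_window != 0 &&` guard, an ESN SA with a zero window is now deliberately routed to the legacy branch, and the comment should say so and why, for example: "a zero window cannot be expressed with XFRMA_REPLAY_ESN_VAL (the kernel rejects it with EINVAL), so it always uses the legacy replay_window field, even with ESN". The more important question is what the legacy branch does with `esn` when it is set. The hunk does not show it, but if the ESN state flag is only set together with the XFRMA_REPLAY_ESN_VAL attribute, this change installs a non-ESN kernel SA for an SA on which ESN was negotiated over IKE, which is what the commit message describes. That is not a harmless downgrade: with ESN the high-order 32 bits of the sequence number are covered by the integrity check even while they are still zero, so a kernel SA without ESN will not authenticate traffic from a peer that uses it. If the intent is to keep ESN and only drop replay checking, the safer fix is to keep the ESN attribute and use the smallest window the kernel accepts (for instance 1) when `esn && replay_window == 0`, rather than falling back to the legacy format; if the intent really is to give up ESN for such SAs, that should be stated in the comment and logged at install time.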