Hello,

I noticed the replay window parameter is given in number of packets:

strongswan.conf:

    charon.replay_window 32
        Size of the AH/ESP replay window, in packets.

ipsec.conf:

    replay_window = -1 | <number>
        The IPsec replay window size for this connection. With the default
        of -1 the value configured with charon.replay_window in
        strongswan.conf is used. Larger values than 32 are supported using
        the Netlink backend only, a value of 0 disables IPsec replay
        protection. Available since 5.2.0.

However, FreeBSD seems to consider the sadb_sa_replay parameter in bytes and not in packets:

http://svnweb.freebsd.org/base/head/sys/netipsec/key.c?view=markup#l3107

In strongswan:

    sa->sadb_sa_replay = min(replay_window, 32);

Therefore, setting '32' sets a replay window of 32*8 (32 bytes are used by the replay window checker). The RFC does not say anything about the unit to be used. But it looks like everybody uses bytes?

BTW, I did not see anything about the "32" limit.

What do you think?

Emeric

_______________________________________________
Dev mailing list
https://lists.strongswan.org/mailman/listinfo/dev
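To make the units question concrete, here is an added example (not strongSwan or FreeBSD code) of an RFC 4303-style sliding anti-replay window whose bitmap is sized in bytes, the way the post reads the FreeBSD sadb_sa_replay field. All names (replay_win_t, replay_init, replay_check, the verdict enum) are invented for this example; the sequence numbers fed in are constructed. With 32 bytes the window covers 32*8 = 256 sequence numbers, and a window of 0 disables the check, matching the semantics quoted from ipsec.conf.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLAY_MAX_BYTES 64   /* upper bound on the bitmap for this example */

enum replay_verdict { REPLAY_ACCEPT = 0, REPLAY_DUPLICATE = 1, REPLAY_TOO_OLD = 2 };

typedef struct {
    uint8_t  bitmap[REPLAY_MAX_BYTES]; /* bit i set: seq (last_seq - i) was already accepted */
    uint32_t window_bits;              /* window size in packets; 0 disables replay checking */
    uint32_t last_seq;                 /* highest sequence number accepted so far */
} replay_win_t;

/* window_bytes mirrors a byte-valued sadb_sa_replay: the packet window is 8x that. */
void replay_init(replay_win_t *w, uint32_t window_bytes)
{
    memset(w, 0, sizeof(*w));
    if (window_bytes > REPLAY_MAX_BYTES) {
        window_bytes = REPLAY_MAX_BYTES;
    }
    w->window_bits = window_bytes * 8;
}

uint32_t replay_window_packets(const replay_win_t *w) { return w->window_bits; }

static bool bit_get(const replay_win_t *w, uint32_t i)
{
    return (w->bitmap[i / 8] >> (i % 8)) & 1u;
}

static void bit_put(replay_win_t *w, uint32_t i, bool v)
{
    uint8_t mask = (uint8_t)(1u << (i % 8));
    if (v) { w->bitmap[i / 8] |= mask; } else { w->bitmap[i / 8] &= (uint8_t)~mask; }
}

/* Slide the window forward by n sequence numbers: bit i moves to bit i + n
 * (bits pushed past window_bits are forgotten) and the n newest slots are cleared. */
static void window_advance(replay_win_t *w, uint32_t n)
{
    if (n >= w->window_bits) {
        memset(w->bitmap, 0, sizeof(w->bitmap));
        return;
    }
    for (uint32_t i = w->window_bits; i-- > 0;) {   /* high to low so no bit is overwritten early */
        bit_put(w, i, i >= n ? bit_get(w, i - n) : false);
    }
}

/* Decide whether an inbound sequence number is fresh, a duplicate, or too old to judge. */
enum replay_verdict replay_check(replay_win_t *w, uint32_t seq)
{
    if (w->window_bits == 0) {
        return REPLAY_ACCEPT;            /* replay protection disabled */
    }
    if (seq > w->last_seq) {             /* right of the window: advance it */
        window_advance(w, seq - w->last_seq);
        bit_put(w, 0, true);
        w->last_seq = seq;
        return REPLAY_ACCEPT;
    }
    uint32_t behind = w->last_seq - seq;
    if (behind >= w->window_bits) {
        return REPLAY_TOO_OLD;           /* left of the window: cannot tell, must drop */
    }
    if (bit_get(w, behind)) {
        return REPLAY_DUPLICATE;         /* inside the window and already seen */
    }
    bit_put(w, behind, true);
    return REPLAY_ACCEPT;
}

/* Returns the number of failed expectations (0 = all good) on a constructed sequence. */
int replay_selftest(void)
{
    replay_win_t w;
    int failed = 0;
    replay_init(&w, 32);                                      /* 32 bytes = 256 packets */
    failed += replay_window_packets(&w) != 256;
    failed += replay_check(&w, 1)   != REPLAY_ACCEPT;
    failed += replay_check(&w, 1)   != REPLAY_DUPLICATE;
    failed += replay_check(&w, 300) != REPLAY_ACCEPT;
    failed += replay_check(&w, 44)  != REPLAY_TOO_OLD;        /* 300 - 44 = 256, just outside */
    failed += replay_check(&w, 45)  != REPLAY_ACCEPT;         /* 300 - 45 = 255, still inside */
    failed += replay_check(&w, 45)  != REPLAY_DUPLICATE;
    failed += replay_check(&w, 301) != REPLAY_ACCEPT;
    failed += replay_check(&w, 300) != REPLAY_DUPLICATE;
    return failed;
}

int main(void)
{
    printf("replay self-test: %s\n", replay_selftest() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The byte-to-packet factor of 8 lives entirely in replay_init, which is the point of the exercise: whichever side of the API (daemon or kernel) does that multiplication decides whether a configured "32" means 32 or 256 packets, and a mismatch between the two sides silently changes how much reordering the receiver tolerates.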
