Hi Emeric,

Thanks for the patch. Seems like [1] would fix this for all kernel backends that don't know if an SA is inbound or not equally. A patch for 5.3.2 is attached.

Regards,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=13fc4569
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 94cf07c335c1..018b65875943 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -750,7 +750,8 @@ METHOD(child_sa_t, install, status_t, src, dst, spi, proto_ike2ip(this->protocol), this->reqid, inbound ? this->mark_in : this->mark_out, tfc, lifetime, enc_alg, encr, int_alg, integ, this->mode, - this->ipcomp, cpi, this->config->get_replay_window(this->config), + this->ipcomp, cpi, + inbound ? this->config->get_replay_window(this->config) : 0, initiator, this->encap, esn, inbound, update, src_ts, dst_ts); free(lifetime);
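Review bot: The new argument `inbound ? this->config->get_replay_window(this->config) : 0,` in the install method hard-codes a replay window of 0 for outbound SAs with no comment saying why. A one-line comment above the call would help, for example that the anti-replay window is only evaluated on the receiving side and so only the inbound SA gets the configured size. Otherwise a later reader may take the literal 0 for an oversight and restore the configured value. The same call still passes `esn` unchanged for both directions, so it is worth confirming that each kernel backend accepts an outbound SA with `esn` set and a zero replay window.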
_______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
