Sure, I have a crypto device that only supports SAs with ESN. For it to be used, I have to force iked to only negotiate SAs with ESP support. Another one is high-speed network cards: accepting a policy with ESN disabled can throttle my throughput because it exhausts the sequence number space, forcing me to rekey more often than I would like.

On Mon, Nov 11, 2019 at 04:15:32PM +0100, Mike Belopuhov wrote:
> On Mon, 11 Nov 2019 at 16:08, Tobias Heider <tobias_hei...@genua.de> wrote:
>
> > Hi Mike,
> >
> > the default behaviour is the same as before. I ran into cases where it is
> > necessary for me to enforce ESN to be enabled/disabled, which is not
> > possible currently.
> >
>
> Can you please describe those cases where you had to enforce it?