Hi Tobias,

I see, however, I don't think iked would negotiate an SA
without ESN support if the other side supports ESN, so I'm
not sure how "enforcing" changes that.

In any case, I'm not opposed to adding a toggle if you guys
need it, but could you please adjust the grammar so that "esn"
and "no esn" are used instead of "on" and "off" since that's
what we're normally doing.  "on" and "off" are crutches for
simple file formats, parse.y allows you to make it a bit nicer.

Regards,
Mike

On Mon, 11 Nov 2019 at 16:38, Tobias Heider <tobias.hei...@stusta.de> wrote:

> Sure, I have a crypto device that only supports SAs with ESN.
> For it to be used I have to force iked to only negotiate SAs with ESP
> support.
> Another one is high-speed network cards:
> Accepting a policy with ESN disabled can throttle my throughput because it
> exhausts the sequence number space forcing me to rekey more often than I
> would like.
>
> On Mon, Nov 11, 2019 at 04:15:32PM +0100, Mike Belopuhov wrote:
> > On Mon, 11 Nov 2019 at 16:08, Tobias Heider <tobias_hei...@genua.de> wrote:
> >
> > > Hi Mike,
> > >
> > > the default behaviour is the same as before. I ran into cases where it is
> > > necessary for me to enforce ESN to be enabled/disabled, which is not
> > > possible currently.
> > >
> >
> > Can you please describe those cases where you had to enforce it?
>
