Hi Guru,

> My primary goal is to disable the replay protection. In
> strongswan.conf, if I set the "replay_window = 0" (or any value <=
> 32), I see the replay window to be stuck at 32 (when seen with setkey
> -D).

You couldn't configure the replay window to be below the default of 32 via strongswan.conf until now (see the patch at [1] for a fix).

> But, if I set the replay_window with any value >= 32, I see the
> replay window size as 0.

That's a limitation of setkey and iproute2 (ip xfrm state); both these commands are not able to read the newer attributes used to configure replay windows larger than 32, which is the largest window supported by the legacy replay protection code in the kernel. They simply print the attribute used to configure that legacy replay window, which has to be zero if the new attributes are used.

Regards,
Tobias

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=a79af394
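
The behaviour described in the reply, as an added example that is not part of the original message or of strongSwan, setkey or iproute2: it reads the replay window that an SA reply carries in the XFRMA_REPLAY_ESN_VAL attribute and falls back to the legacy field otherwise. The helper names, the redefined structs and the sample attribute are constructed for illustration; the attribute number and field layout follow linux/xfrm.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values and layouts mirror linux/xfrm.h and linux/rtnetlink.h; redefined
 * here so the example builds without kernel headers. */
#define XFRMA_REPLAY_ESN_VAL 23
#define ATTR_ALIGN(n) (((size_t)(n) + 3u) & ~(size_t)3u)

/* struct rtattr and the fixed part of struct xfrm_replay_state_esn */
struct attr_hdr { uint16_t len, type; };
struct replay_esn { uint32_t bmp_len, oseq, seq, oseq_hi, seq_hi, replay_window; };

/* Effective replay window: from XFRMA_REPLAY_ESN_VAL when present and complete,
 * else the legacy 8-bit xfrm_usersa_info.replay_window that the tools print. */
uint32_t effective_replay_window(uint8_t legacy, const uint8_t *attrs, size_t len)
{
    size_t off = 0;
    while (off <= len && len - off >= sizeof(struct attr_hdr)) {
        struct attr_hdr h;
        memcpy(&h, attrs + off, sizeof h);
        if (h.len < sizeof h || h.len > len - off)
            break;                          /* truncated or corrupt attribute */
        if (h.type == XFRMA_REPLAY_ESN_VAL && h.len - sizeof h >= sizeof(struct replay_esn)) {
            struct replay_esn esn;
            memcpy(&esn, attrs + off + sizeof h, sizeof esn);
            return esn.replay_window;
        }
        off += ATTR_ALIGN(h.len);           /* attributes are 4-byte aligned */
    }
    return legacy;
}

/* Constructed sample input: one ESN attribute for the given window size. */
size_t build_esn_attr(uint8_t *buf, uint32_t window)
{
    struct replay_esn esn = { .bmp_len = (window + 31) / 32, .replay_window = window };
    struct attr_hdr h = { (uint16_t)(sizeof h + sizeof esn + 4 * esn.bmp_len), XFRMA_REPLAY_ESN_VAL };
    memset(buf, 0, h.len);                  /* zeroed bitmap follows the fixed part */
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &esn, sizeof esn);
    return h.len;
}

int main(void)
{
    uint8_t buf[64];
    printf("legacy 0, effective %u\n", (unsigned)effective_replay_window(0, buf, build_esn_attr(buf, 64)));
}
```

A tool that only reads the legacy field reports 0 for this SA even though a 64-packet window is in effect.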
