[strongSwan] Replay window weirdness with charon

Tobias Brunner tobias at strongswan.org
Thu Sep 27 13:04:15 CEST 2012


Hi Guru,

> My primary goal is to disable the replay protection. In
> strongswan.conf, if I set the "replay_window = 0" (or any value <=
> 32), I see the replay window to be stuck at 32 (when seen with setkey
> -D).

You couldn't configure the replay window to be below the default of 32
via strongswan.conf until now (see the patch at [1] for a fix).

> But, if I set the replay_window with any value >= 32, I see the
> replay window size as 0.

That's a limitation of setkey and iproute2 (ip xfrm state), both these
commands are not able to read the newer attributes used to configure
replay windows larger than 32, which is the largest window supported by
the legacy replay protection code in the kernel.  They simply print the
attribute used to configure that legacy replay window, which has to be
zero if the new attributes are used.

Regards,
Tobias

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=a79af394




More information about the Users mailing list