[strongSwan] anti replay notification related
Patil, Shashidhar 1. (NSN - IN/Bangalore)
shashidhar.1.patil at nsn.com
Tue Aug 6 08:53:07 CEST 2013
Hi Martin,
We tested and found that setting "charon.replay_window" to zero doesn't disable the anti-replay.
I think it defaults to "32" packet window size.
Is there a plan to provide a fix/patch for disabling anti-replay?
BR,
Shashidhar
-----Original Message-----
From: ext Martin Willi [mailto:martin at strongswan.org]
Sent: Friday, May 03, 2013 1:41 PM
To: Patil, Shashidhar 1. (NSN - IN/Bangalore)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] anti replay notification related
Hi,
> But I couldn't see any parameter to achieve this in the 4306/5996 as
> part of INIT, auth or create_child_SA messages. Could you please put
> more light on this topic ?
There is no mechanism in IKEv2 to negotiate anti-replay window options.
> How do we enable/disable anti replay on strongswan?
> How to set the "anti-replay" window ?
The kernel-netlink plugin can configure the size of the anti-replay
window using the strongswan.conf "charon.replay_window" option. A value
of zero should disable anti-replay detection completely, but I have
never tried it.
Regards
Martin
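The thread concerns whether the configured "charon.replay_window" value actually reaches the kernel. The following is an added example, not part of the original messages and not strongSwan code: a shell check that reads Linux `ip xfrm state` output and reports the replay window installed on each SA. The function names and the sample SAs (addresses, SPIs, keys) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the anti-replay window the kernel holds for each SA,
# parsed from `ip xfrm state` output read on stdin.

# Constructed sample of `ip xfrm state` output (addresses, SPIs and keys are
# made up); on a live gateway pipe the real command in instead.
sample_xfrm_state() {
cat <<'EOF'
src 192.0.2.1 dst 192.0.2.2
	proto esp spi 0xc0ffee01 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
	enc cbc(aes) 0x00000000000000000000000000000000
src 192.0.2.2 dst 192.0.2.1
	proto esp spi 0xc0ffee02 reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha1) 0x0000000000000000000000000000000000000000 96
	enc cbc(aes) 0x00000000000000000000000000000000
EOF
}

# Print "<src> <dst> <spi> <window>" for every SA in the input.
list_replay_windows() {
    awk '
        $1 == "src" && $3 == "dst" { src = $2; dst = $4 }
        $1 == "proto" { for (i = 1; i < NF; i++) if ($i == "spi") spi = $(i + 1) }
        $1 == "replay-window" { print src, dst, spi, $2 }
    '
}

# Exit 0 only if every SA carries the expected window; print those that differ.
check_replay_window() {
    expected=$1
    list_replay_windows | awk -v want="$expected" '
        $4 != want { print "MISMATCH", $0; bad = 1 }
        END { exit bad }
    '
}

# Live use (needs root): ip xfrm state | check_replay_window 32
```

Run it after changing the option and re-establishing the SAs, so the comparison is against the value the kernel holds rather than the value in strongswan.conf.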