[strongSwan] anti replay notification related
Martin Willi
martin at strongswan.org
Tue Aug 6 11:27:43 CEST 2013
> We tested and found that setting "charon.replay_window" to zero doesn't
> disable the anti-replay. I think it defaults to "32" packet window
> size.
I think that should work, but only when using the kernel-netlink kernel
backend. charon just forwards this value to the kernel, it is not
enforced by strongSwan itself.
Can you double-check that "ip xfrm state" shows a replay window of 0? If
yes, you might check how your kernel handles a replay window of zero.
Regards
Martin
More information about the Users
mailing list