From 8b9b11919d92e9738bb52901c9dbcc72e35b9fed Mon Sep 17 00:00:00 2001
From: Martin Willi
Date: Wed, 18 Jun 2014 14:57:21 +0200
Subject: kernel-netlink: Never use XFRMA_REPLAY_ESN_VAL to configure zero replay windows

Trying to disable replay windows using the ESN attribute fails with EINVAL. Use non-ESN legacy format to disable replay windows, even if ESN has been negotiated over IKE.
---
 src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c')

diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index c015c0f32..1e250d004 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1460,7 +1460,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 if (protocol != IPPROTO_COMP)
 {
- if (esn || replay_window > 32)
+ if (replay_window != 0 && (esn || replay_window > 32))
 {
 /* for ESN or larger replay windows we need the new
 * XFRMA_REPLAY_ESN_VAL attribute to configure a bitmap */
--
cgit v1.2.3
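Review bot: The new condition silently diverts an SA with esn set and replay_window == 0 onto the legacy (non-ESN) path, and nothing in the hunk records that the negotiated ESN setting is being dropped; if the XFRM_STATE_ESN flag is only set inside this branch (its body continues outside the hunk, as does add_sa itself), the resulting SA will not use ESN although ESN was agreed over IKE, which the peer's integrity check will not tolerate, and if the flag is set elsewhere the kernel may still reject an ESN SA that lacks the XFRMA_REPLAY_ESN_VAL attribute. At minimum the reason should be stated where the condition is, e.g. `/* a zero replay window can't be expressed via XFRMA_REPLAY_ESN_VAL (the kernel returns EINVAL), so fall back to the legacy attribute even for ESN SAs */`. The else branch should also log the downgrade at DBG_KNL level when esn is set and replay_window is 0, so an operator can see why an SA negotiated with ESN came up without it. Whether the legacy path leaves sa->flags without XFRM_STATE_ESN cannot be confirmed from this hunk and is worth checking before merging.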