[PATCH] make ESP rekey handle incoming packets even if ESP replay protection isn't in use

Daniel Lenski dlenski at gmail.com
Sun Jan 7 17:54:37 PST 2018


While trying to debug the rekey logic for the (as-yet-unmerged)
GlobalProtect, I noticed a problem with the "incoming SPI handoff" logic:
openconnect is supposed to allow up to 32 packets from the OLD incoming SPI
after the rekey.

However, it turns out that this would never work except when replay
protection is enabled: the packets from the OLD incoming SPI would be dropped
immediately.

It might be a really bad idea not to enable ESP replay protection, but I've
seen several Juniper VPNs which don't, and there's no reason to prevent the
ESP rekey from working smoothly even if replay protection isn't enabled, right?

Daniel Lenski (1):
  Save latest ESP sequence number even if replay protection isn't in use

 esp.c         | 2 +-
 gnutls-esp.c  | 2 ++
 openssl-esp.c | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)

-- 
2.7.4
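The rekey handoff described in the cover letter, as an added model that is not openconnect's code and not part of the patch: a small ESP receive path with an optional replay window, a 32-packet grace allowance on the old incoming SPI, and a `save_seq_always` switch that models the pre-patch behaviour of only recording the latest sequence number inside the replay-protection path. The way the grace allowance is enforced here (accept old-SPI packets while their sequence number is at most 32 above the highest one seen at rekey time) and the 64-bit replay window are assumptions of this model; the SPI and sequence values are constructed.

```c
/* Model (added illustration, not openconnect's code) of ESP incoming-SPI
 * handoff across a rekey, with replay protection optional. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define OLD_SPI_GRACE 32   /* packets still accepted from the old SPI (from the cover letter) */
#define REPLAY_WINDOW 64   /* assumed sliding-window size, not openconnect's */

enum verdict { ACCEPT = 0, DROP_UNKNOWN_SPI, DROP_REPLAY, DROP_OLD_SPI_EXPIRED };

struct esp_in {
    uint32_t spi;
    uint32_t seq;     /* highest sequence number seen on this SPI */
    uint64_t window;  /* bit i set: seq (seq - i) already received; used only with replay_prot */
};

struct esp_ctx {
    bool replay_prot;        /* whether ESP replay protection is enabled */
    bool save_seq_always;    /* false models the pre-patch behaviour */
    struct esp_in cur, old;
    uint32_t old_seq_limit;  /* highest seq still accepted on the old SPI (assumed mechanism) */
};

static void esp_init(struct esp_ctx *c, uint32_t spi, bool replay_prot, bool save_seq_always)
{
    *c = (struct esp_ctx){0};
    c->replay_prot = replay_prot;
    c->save_seq_always = save_seq_always;
    c->cur.spi = spi;
}

/* Sequence-number bookkeeping for one SPI. */
static enum verdict esp_check_seq(struct esp_ctx *c, struct esp_in *in, uint32_t seq)
{
    if (!c->replay_prot) {
        /* Pre-patch: seq was only recorded inside the replay-check path, so with
         * replay protection off the SPI's recorded seq never moved past 0. */
        if (c->save_seq_always && seq > in->seq)
            in->seq = seq;
        return ACCEPT;
    }
    if (seq > in->seq) {               /* newest packet so far: slide the window */
        uint32_t shift = seq - in->seq;
        in->window = (shift >= 64) ? 0 : in->window << shift;
        in->window |= 1;
        in->seq = seq;
        return ACCEPT;
    }
    uint32_t back = in->seq - seq;     /* how far behind the newest packet */
    if (back >= REPLAY_WINDOW || (in->window & (1ULL << back)))
        return DROP_REPLAY;
    in->window |= 1ULL << back;
    return ACCEPT;
}

/* Switch to a new incoming SPI; the old one stays valid for OLD_SPI_GRACE more packets. */
static void esp_rekey(struct esp_ctx *c, uint32_t new_spi)
{
    c->old = c->cur;
    c->old_seq_limit = c->old.seq + OLD_SPI_GRACE;
    c->cur = (struct esp_in){ .spi = new_spi };
}

static enum verdict esp_receive(struct esp_ctx *c, uint32_t spi, uint32_t seq)
{
    if (spi == c->cur.spi)
        return esp_check_seq(c, &c->cur, seq);
    if (c->old.spi != 0 && spi == c->old.spi) {
        if (seq > c->old_seq_limit)
            return DROP_OLD_SPI_EXPIRED;
        return esp_check_seq(c, &c->old, seq);
    }
    return DROP_UNKNOWN_SPI;
}

/* Constructed scenario: 1000 packets on SPI 0x1111, rekey to 0x2222, then one
 * straggler with sequence number `straggler_seq` still arriving on the old SPI. */
static enum verdict simulate(bool replay_prot, bool save_seq_always, uint32_t straggler_seq)
{
    struct esp_ctx c;
    esp_init(&c, 0x1111, replay_prot, save_seq_always);
    for (uint32_t s = 1; s <= 1000; s++)
        esp_receive(&c, 0x1111, s);
    esp_rekey(&c, 0x2222);
    return esp_receive(&c, 0x1111, straggler_seq);
}

int main(void)
{
    printf("replay on,  pre-patch, seq 1001: %d\n", simulate(true, false, 1001));
    printf("replay off, pre-patch, seq 1001: %d\n", simulate(false, false, 1001));
    printf("replay off, patched,   seq 1001: %d\n", simulate(false, true, 1001));
    printf("replay off, patched,   seq 1033: %d\n", simulate(false, true, 1033));
    return 0;
}
```

With replay protection off and the pre-patch bookkeeping, the old SPI's recorded sequence number is still 0 at rekey time, so the grace limit is computed as 32 and the straggler at 1001 is rejected at once; saving the latest sequence number unconditionally moves the limit to 1032, and the allowance behaves the same whether or not the replay window is in use.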