While trying to debug the rekey logic for the (as-yet-unmerged) GlobalProtect, I noticed a problem with the "incoming SPI handoff" logic: openconnect is supposed to allow up to 32 packets from the OLD incoming SPI after the rekey. However, it turns out that this would never work except when replay protection is enabled: the packets from the OLD incoming SPI would be dropped immediately.

It might be a really bad idea not to enable ESP replay protection, but I've seen several Juniper VPNs which don't, and there's no reason to prevent the ESP rekey from working smoothly even if replay protection isn't enabled, right?

Daniel Lenski (1):
  Save latest ESP sequence number even if replay protection isn't in use

 esp.c         | 2 +-
 gnutls-esp.c  | 2 ++
 openssl-esp.c | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)

-- 
2.7.4
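The handoff failure described in the cover letter, reproduced in a small self-contained model (added example; this is not openconnect's code, and the names `esp_ctx`, `esp_verify_seqno`, `esp_rekey_in`, `esp_receive`, the 64-entry replay window and the `save_seq_always` switch are all assumptions of the model). The old inbound SPI is accepted for 32 packets past the highest sequence number recorded for it at rekey time; if that number is only recorded inside the replay-protection path, it stays at zero whenever replay protection is off and every old-SPI packet falls outside the window:

```c
/* Model of an ESP inbound-SPI rekey handoff (hypothetical, not openconnect's code). */
#include <stdbool.h>
#include <stdint.h>

#define OLD_SPI_GRACE 32   /* packets still accepted from the old inbound SPI after a rekey */

enum esp_rx { ESP_RX_DROP = 0, ESP_RX_CURRENT = 1, ESP_RX_OLD_SPI = 2 };

struct esp_in_state {
	uint32_t spi;
	uint32_t seq;      /* highest sequence number seen on this SPI */
	uint64_t backlog;  /* replay window: bit d set => (seq - d) already seen */
};

struct esp_ctx {
	struct esp_in_state in[2];
	int current;               /* index of the live inbound SPI */
	uint32_t old_spi_limit;    /* last old-SPI seq accepted after the rekey */
	bool replay_protect;       /* ESP anti-replay window enabled? */
	bool save_seq_always;      /* the fix: record seq even without replay protection */
};

static void esp_ctx_init(struct esp_ctx *ctx, uint32_t spi, bool replay_protect, bool save_seq_always)
{
	*ctx = (struct esp_ctx){0};
	ctx->in[0].spi = spi;
	ctx->replay_protect = replay_protect;
	ctx->save_seq_always = save_seq_always;
}

/* 0 if the packet passes the sequence-number check, -1 if it must be dropped. */
static int esp_verify_seqno(struct esp_ctx *ctx, struct esp_in_state *st, uint32_t seq)
{
	if (!ctx->replay_protect) {
		/* No anti-replay window: accept everything. Without the fix the
		 * highest seq is never recorded, so st->seq stays at 0 forever. */
		if (ctx->save_seq_always && seq > st->seq)
			st->seq = seq;
		return 0;
	}
	if (seq > st->seq) {
		uint32_t delta = seq - st->seq;
		/* Slide the window forward; bit 0 marks the new highest seq. */
		st->backlog = (delta >= 64) ? 1 : ((st->backlog << delta) | 1);
		st->seq = seq;
		return 0;
	}
	uint32_t delta = st->seq - seq;
	if (delta >= 64 || (st->backlog & ((uint64_t)1 << delta)))
		return -1;                       /* older than the window, or replayed */
	st->backlog |= (uint64_t)1 << delta;
	return 0;
}

/* Install a new inbound SPI; the previous one stays usable for OLD_SPI_GRACE
 * packets beyond the highest sequence number recorded for it at rekey time. */
static void esp_rekey_in(struct esp_ctx *ctx, uint32_t new_spi)
{
	struct esp_in_state *old = &ctx->in[ctx->current];
	struct esp_in_state *next = &ctx->in[ctx->current ^ 1];

	ctx->old_spi_limit = old->seq + OLD_SPI_GRACE;
	next->spi = new_spi;
	next->seq = 0;
	next->backlog = 0;
	ctx->current ^= 1;
}

static enum esp_rx esp_receive(struct esp_ctx *ctx, uint32_t spi, uint32_t seq)
{
	struct esp_in_state *cur = &ctx->in[ctx->current];
	struct esp_in_state *old = &ctx->in[ctx->current ^ 1];

	if (spi == cur->spi)
		return esp_verify_seqno(ctx, cur, seq) == 0 ? ESP_RX_CURRENT : ESP_RX_DROP;
	if (spi == old->spi && seq <= ctx->old_spi_limit)
		return esp_verify_seqno(ctx, old, seq) == 0 ? ESP_RX_OLD_SPI : ESP_RX_DROP;
	return ESP_RX_DROP;   /* unknown SPI, or old SPI past its grace period */
}

/* Constructed scenario: 1000 packets on SPI 0x1111, rekey to 0x2222, then 40 more
 * packets still arriving on the old SPI. Returns how many of those 40 were accepted. */
int simulate_rekey_handoff(bool replay_protect, bool save_seq_always)
{
	struct esp_ctx ctx;
	int accepted = 0;

	esp_ctx_init(&ctx, 0x1111, replay_protect, save_seq_always);
	for (uint32_t s = 1; s <= 1000; s++)
		esp_receive(&ctx, 0x1111, s);
	esp_rekey_in(&ctx, 0x2222);
	for (uint32_t s = 1001; s <= 1040; s++)
		if (esp_receive(&ctx, 0x1111, s) == ESP_RX_OLD_SPI)
			accepted++;
	return accepted;
}
```

With replay protection on, or with `save_seq_always` set, 32 of the 40 post-rekey packets on the old SPI are accepted and the remaining 8 are dropped as expected; with replay protection off and no fix, `old_spi_limit` is computed from a sequence number that was never updated, so all 40 are dropped immediately.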