On Sun, 2018-01-07 at 17:54 -0800, Daniel Lenski wrote:
> 
> This patch tracks the latest sequence number even if ESP replay protection
> isn't in use -- however inadvisable that may be -- allowing the handover to
> work correctly.

This implies that the seq# *is* being set in these packets. So we come
back to my question in the source code from three years ago:

        /* Why in $DEITY's name would you ever *not* set this? Perhaps we
         * should do th check anyway, but only warn instead of discarding
         * the packet? */
        if (vpninfo->esp_replay_protect &&

(Shudder. I hate seeing old typos of my own)
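The idea raised in the source comment above (always run the sequence check and track the latest number, but only warn instead of discarding when replay protection is off), as an added example that is not OpenConnect's code. The struct, enum and function names are hypothetical, a 64-packet window is assumed, and sequence-number wraparound is not handled.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; these are not OpenConnect's structures. */
enum esp_verdict { ESP_ACCEPT, ESP_WARN, ESP_DROP };

struct esp_rx {
    int replay_protect;   /* 0 = a failed check only warns, never discards */
    uint32_t highest;     /* highest sequence number seen so far */
    uint64_t window;      /* bit i set => (highest - i) was already seen */
};

/* Always updates the tracked state; the flag only selects the verdict. */
enum esp_verdict esp_check_seq(struct esp_rx *rx, uint32_t seq)
{
    enum esp_verdict bad = rx->replay_protect ? ESP_DROP : ESP_WARN;

    if (seq > rx->highest) {
        uint32_t shift = seq - rx->highest;
        rx->window = (shift >= 64) ? 0 : rx->window << shift;
        rx->window |= 1;
        rx->highest = seq;
        return ESP_ACCEPT;
    }
    uint32_t back = rx->highest - seq;
    if (back >= 64)
        return bad;                    /* older than the window covers */
    if (rx->window & (1ULL << back))
        return bad;                    /* duplicate of a packet already seen */
    rx->window |= 1ULL << back;
    return ESP_ACCEPT;
}

int main(void)
{
    static const char *name[] = { "accept", "warn", "drop" };
    uint32_t seqs[] = { 1, 3, 2, 3, 100, 30 };   /* constructed sample input */
    struct esp_rx rx = { 0, 0, 0 };              /* replay protection off */
    for (size_t i = 0; i < sizeof(seqs) / sizeof(seqs[0]); i++)
        printf("seq %u: %s\n", (unsigned)seqs[i], name[esp_check_seq(&rx, seqs[i])]);
    return 0;
}
```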