On Sun, 2018-01-07 at 17:54 -0800, Daniel Lenski wrote:
> 
> This patch tracks the latest sequence number even if ESP replay protection
> isn't in use -- however inadvisable that may be -- allowing the handover to
> work correctly.

This implies that the seq# *is* being set in these packets. So we come
back to my question in the source code from three years ago:

	/* Why in $DEITY's name would you ever *not* set this? Perhaps we
	 * should do th check anyway, but only warn instead of discarding
	 * the packet? */
	if (vpninfo->esp_replay_protect &&

(Shudder. I hate seeing old typos of my own)

_______________________________________________
openconnect-devel mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/openconnect-devel
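
Added example, not part of the original message and not OpenConnect's own code: a 64-packet ESP anti-replay window in C that always tracks the latest sequence number and uses a flag only to choose between warning and discarding, which is the behaviour the quoted comment proposes. All names (replay_state, esp_check_seq, enforce) are hypothetical, the packet sequence in main() is constructed, and 32-bit sequence-number wraparound is assumed not to occur.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not OpenConnect's source. */
enum verdict { ESP_ACCEPT, ESP_WARN, ESP_DROP };

struct replay_state {
	uint32_t latest;   /* highest sequence number seen so far */
	uint64_t window;   /* bit i set => (latest - i) was already seen */
	int enforce;       /* nonzero: drop offenders; zero: warn only */
};

/* Always tracks the sequence number; 'enforce' only picks warn vs. drop. */
enum verdict esp_check_seq(struct replay_state *st, uint32_t seq)
{
	if (seq > st->latest) {                /* new high-water mark */
		uint32_t shift = seq - st->latest;
		st->window = (shift < 64) ? (st->window << shift) | 1 : 1;
		st->latest = seq;
		return ESP_ACCEPT;
	}
	uint32_t age = st->latest - seq;
	if (age < 64 && !(st->window & (1ULL << age))) {
		st->window |= 1ULL << age;     /* late, but not seen before */
		return ESP_ACCEPT;
	}
	/* Replayed, or older than the window can vouch for. */
	return st->enforce ? ESP_DROP : ESP_WARN;
}

int main(void)
{
	static const char *names[] = { "accept", "warn", "drop" };
	uint32_t seqs[] = { 1, 2, 5, 3, 5, 2 };   /* constructed sample */
	struct replay_state st = { 0, 0, 0 };     /* replay protection off */

	for (unsigned i = 0; i < sizeof(seqs) / sizeof(seqs[0]); i++)
		printf("seq %u: %s (latest now %u)\n", (unsigned)seqs[i],
		       names[esp_check_seq(&st, seqs[i])], (unsigned)st.latest);
	return 0;
}
```

With enforce set to zero the state still advances on every packet, so a later switch to enforcing mode starts from an accurate window.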
