From 4edc0611ec0ab39147c136d769a9e8a0f50847e6 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 2 Feb 2024 20:44:29 +0100
Subject: ipsec: T5998: add replay-windows setting

The replay_window for child SA will always be 32 (hence enabled). Add a CLI node
to explicitly change this.

* set vpn ipsec site-to-site peer <name> replay-window <0-2040>

(cherry picked from commit 4d943d8fbf1253154897179b0e3ea2d93b898197)
---
 .../include/ipsec/replay-window.xml.i                 | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 interface-definitions/include/ipsec/replay-window.xml.i

(limited to 'interface-definitions/include/ipsec')

diff --git a/interface-definitions/include/ipsec/replay-window.xml.i b/interface-definitions/include/ipsec/replay-window.xml.i
new file mode 100644
index 000000000..f35ed550a
--- /dev/null
+++ b/interface-definitions/include/ipsec/replay-window.xml.i
@@ -0,0 +1,19 @@
+<!-- include start from ipsec/replay-window.xml.i -->
+<leafNode name="replay-window">
+    <properties>
+      <help>IPsec replay window to configure for this CHILD_SA</help>
+      <valueHelp>
+        <format>u32:0</format>
+        <description>Disable IPsec replay protection</description>
+      </valueHelp>
+      <valueHelp>
+        <format>u32:1-2040</format>
+        <description>Replay window size in packets</description>
+      </valueHelp>
+      <constraint>
+        <validator name="numeric" argument="--range 0-2040"/>
+      </constraint>
+    </properties>
+    <defaultValue>32</defaultValue>
+  </leafNode>
+  <!-- include end -->
-- 
cgit v1.2.3