From 4edc0611ec0ab39147c136d769a9e8a0f50847e6 Mon Sep 17 00:00:00 2001
From: Christian Breunig <christian@breunig.cc>
Date: Fri, 2 Feb 2024 20:44:29 +0100
Subject: ipsec: T5998: add replay-windows setting

The replay_window for child SA will always be 32 (hence enabled). Add a CLI node
to explicitly change this.

* set vpn ipsec site-to-site peer <name> replay-window <0-2040>

(cherry picked from commit 4d943d8fbf1253154897179b0e3ea2d93b898197)
---
 interface-definitions/vpn_ipsec.xml.in | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'interface-definitions/vpn_ipsec.xml.in')

diff --git a/interface-definitions/vpn_ipsec.xml.in b/interface-definitions/vpn_ipsec.xml.in
index 9d1d5d824..44ca1c7a0 100644
--- a/interface-definitions/vpn_ipsec.xml.in
+++ b/interface-definitions/vpn_ipsec.xml.in
@@ -826,6 +826,7 @@
                   #include <include/ipsec/ike-group.xml.i>
                   #include <include/ipsec/local-address.xml.i>
                   #include <include/ipsec/local-traffic-selector.xml.i>
+                  #include <include/ipsec/replay-window.xml.i>
                   <leafNode name="timeout">
                     <properties>
                       <help>Timeout to close connection if no data is transmitted</help>
@@ -1100,6 +1101,7 @@
                   </leafNode>
                   #include <include/ipsec/local-address.xml.i>
                   #include <include/ipsec/remote-address.xml.i>
+                  #include <include/ipsec/replay-window.xml.i>
                   <tagNode name="tunnel">
                     <properties>
                       <help>Peer tunnel</help>
-- 
cgit v1.2.3