@@ -490,6 +490,13 @@ def setup_tunnel_routes(r1con, r2con, tun_ipv6, network3):
490490 return r1ipnh , r1ip6nh , r2ipnh , r2ip6nh
491491
492492
493+ def esp_args_filter_dir (direction , esp_args ):
494+ """Filter out esp args inappropriate for the direction."""
495+ if direction != "in" :
496+ esp_args = re .sub (r"replay-window \d+" , "" , esp_args )
497+ return esp_args
498+
499+
493500def esp_flags_filter_dir (direction , esp_flags ):
494501 """Filter out esp flags inappropriate for the direction."""
495502 if direction == "in" :
@@ -523,6 +530,7 @@ async def setup_policy_tun(
523530 trex = False ,
524531 r1only = False ,
525532 ipsec_intf = "eth2" ,
533+ esp_args = "" ,
526534 esp_flags = "" ,
527535 iptfs_opts = "" ,
528536 ipv4 = True ,
@@ -594,25 +602,25 @@ async def setup_policy_tun(
594602 #
595603 direction = "out" if r == r1 else "in"
596604 eflags = esp_flags_filter_dir (direction , esp_flags )
597- esp_args = "replay-window 128" if direction == "in" else ""
605+ eargs = esp_args_filter_dir ( direction , esp_args )
598606 repl .cmd_raises (
599607 (
600608 f"ip xfrm state add src { r1ip } { r2ip }
601609 f"spi { spi_1to2 } { mode } { sa_auth } { sa_enc }
602- f"{ esp_args } { eflags } { reqid_1to2 } { direction }
610+ f"{ eargs } { eflags } { reqid_1to2 } { direction }
603611 # f"reqid {reqid_1to2} "
604612 )
605613 + iptfs_opts_filter_dir (direction , iptfs_opts )
606614 )
607615
608616 direction = "in" if r == r1 else "out"
609617 eflags = esp_flags_filter_dir (direction , esp_flags )
610- esp_args = "replay-window 128" if direction == "in" else ""
618+ eargs = esp_args_filter_dir ( direction , esp_args )
611619 repl .cmd_raises (
612620 (
613621 f"ip xfrm state add src { r2ip } { r1ip }
614622 f"spi { spi_2to1 } { mode } { sa_auth } { sa_enc }
615- f"{ esp_args } { eflags } { reqid_2to1 } { direction }
623+ f"{ eargs } { eflags } { reqid_2to1 } { direction }
616624 # f"reqid {reqid_2to1} "
617625 )
618626 + iptfs_opts_filter_dir (direction , iptfs_opts )
@@ -757,6 +765,7 @@ async def setup_routed_tun(
757765 r1only = False ,
758766 ipsec_intf = "eth2" ,
759767 iptfs_opts = "" ,
768+ esp_args = "" ,
760769 esp_flags = "" ,
761770 ipv4 = True ,
762771 ipv6 = False ,
@@ -835,23 +844,23 @@ async def setup_routed_tun(
835844
836845 direction = "out" if r == r1 else "in"
837846 eflags = esp_flags_filter_dir (direction , esp_flags )
838- esp_args = "replay-window 128" if direction == "in" else ""
847+ eargs = esp_args_filter_dir ( direction , esp_args )
839848 repl .cmd_raises (
840849 (
841850 f"ip xfrm state add src { r1ip } { r2ip }
842851 f"spi { spi_1to2 } { mode } { sa_auth } { sa_enc }
843- f"{ esp_args } { eflags } { reqid_1to2 } { direction }
852+ f"{ eargs } { eflags } { reqid_1to2 } { direction }
844853 )
845854 + iptfs_opts_filter_dir (direction , iptfs_opts )
846855 )
847856 direction = "in" if r == r1 else "out"
848857 eflags = esp_flags_filter_dir (direction , esp_flags )
849- esp_args = "replay-window 128" if direction == "in" else ""
858+ eargs = esp_args_filter_dir ( direction , esp_args )
850859 repl .cmd_raises (
851860 (
852861 f"ip xfrm state add src { r2ip } { r1ip }
853862 f"spi { spi_2to1 } { mode } { sa_auth } { sa_enc }
854- f"{ esp_args } { eflags } { reqid_2to1 } { direction }
863+ f"{ eargs } { eflags } { reqid_2to1 } { direction }
855864 )
856865 + iptfs_opts_filter_dir (direction , iptfs_opts )
857866 )
0 commit comments