[strongSwan] esp replay protection?

yordanos beyene yordanosb at gmail.com
Wed Dec 10 02:47:23 CET 2014


Hello SS team,

Does strongSwan 5.x provide ESP replay protection with IKEv1?

I can pass packets with sequence numbers 1, 2, 3, ..., 31, 1, 2, 3, ..., 31.
Basically, packets with duplicate sequence numbers are not dropped.

I tried a couple of things to resolve this issue, with no success.

1) I set the replay window to 128 in strongswan.conf:
   charon.replay_window = 128

This did not fix the issue.

2) Then I enabled extended sequence numbers in ipsec.conf:
   esp=aes128-sha1-modp1024-esn-noesn!

It did not make any difference. It still passes packets with duplicate
sequence numbers.

My kernel includes the ESN and replay window support for larger than 32
packets that was added to Kernel 2.6.39.

I appreciate any help.

Thanks!

Jordan.
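The behaviour the post expects from the replay window, as an added example that is not part of the original message and not strongSwan's own code: a user-space model of the ESP anti-replay sliding window from RFC 4303 Appendix A, fed the same stream of sequence numbers (1..31 sent twice). On Linux with the kernel-netlink backend the real check is done by the kernel's XFRM layer once charon has installed the SA, so this only models what that check should return; the window size parameter corresponds to charon.replay_window (in packets) and the sample streams are constructed here.

```python
# Added example: user-space model of the ESP anti-replay sliding window
# (RFC 4303 Appendix A). Not strongSwan code; on Linux the real check runs
# in the kernel XFRM layer after charon installs the SA.
from __future__ import annotations


class ReplayWindow:
    """Sliding anti-replay window over 32-bit ESP sequence numbers.

    `size` is the window width in packets (the value charon.replay_window
    configures; 32 is the Linux default). `top` is the highest sequence
    number accepted so far; bit i of `bitmap` records whether top - i has
    already been received.
    """

    def __init__(self, size: int = 32) -> None:
        if size < 1:
            raise ValueError("window size must be at least 1")
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.mask = (1 << size) - 1

    def check_and_update(self, seq: int) -> bool:
        """Return True and record `seq` if it is fresh, False if it must be dropped."""
        if seq == 0:
            # RFC 4303: the first packet on an SA carries seq 1; 0 is never valid.
            return False
        if seq > self.top:
            # Right of the window: slide the window up and mark the new top.
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            else:
                self.bitmap = 1  # jumped past the whole window; only top is set
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # left of the window: too old, dropped unconditionally
        if self.bitmap & (1 << diff):
            return False  # already seen inside the window: replay
        self.bitmap |= 1 << diff  # late but never seen: accepted exactly once
        return True


def run_stream(window_size: int, seqs: list[int]) -> tuple[int, int]:
    """Feed a stream of sequence numbers through one SA; return (accepted, dropped)."""
    win = ReplayWindow(window_size)
    accepted = sum(1 for s in seqs if win.check_and_update(s))
    return accepted, len(seqs) - accepted


# Constructed input reproducing the test described in the post: 1..31 sent twice.
POSTED_STREAM = list(range(1, 32)) * 2

if __name__ == "__main__":
    for size in (32, 128):
        # Every packet of the second pass lies inside the window and is marked
        # as seen, so all 31 replays are dropped regardless of window size.
        print(f"window={size:3d}: (accepted, dropped) =", run_stream(size, POSTED_STREAM))
    # Reordered but fresh packets inside the window are still accepted once.
    print("reorder 1,3,2,2:", run_stream(32, [1, 3, 2, 2]))
    # A packet that has fallen off the left edge is dropped even if never seen.
    print("stale 100 then 68:", run_stream(32, [100, 68]))
```

If a replayed packet is still forwarded in a real setup, the first thing to confirm is the per-SA replay window the kernel actually installed, which `ip xfrm state` lists for each SA; a duplicate that passes with a 32-packet window points at the SA having been installed with replay checking disabled or at the traffic not traversing the SA in question, not at the window size.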