[strongSwan] esp replay protection?
Martin Willi
martin at strongswan.org
Wed Dec 10 11:12:32 CET 2014
Hi Jordan,
> Does strongswan 5.x provide esp replay protection with IKEv1?
Yes.
> I can pass packets with seq number 1, 2, 3 , ..., 31, 1, 2,3, ..., 31.
> Basically packets with duplicate sequence number are not dropped.
In my tests this works as expected, both for IKEv1 and IKEv2, and with a
replay window of 32 and 128. I used the following test procedure:
* Establish a CHILD_SA or Quick Mode (tunnel mode, net-to-net)
* Send two ping messages
* Delete the outbound SA using "ip xfrm state delete"
* Add the same outbound SA using "ip xfrm state add", effectively
resetting the outbound ESP sequence number
* Send an additional four ping messages
>From the last ping sequence, the first two messages fail, because the
remote end already processed these sequence numbers. Ping 3 and 4
succeed, because the replay counter allows these sequence numbers. I
also could confirm that the remote end rejected these packets with two
XfrmInStateSeqError in /proc/net/xfrm_stat.
Regards
Martin
More information about the Users
mailing list