[strongSwan] esp replay protection?

Yordanosb Between yordanosb at gmail.com
Wed Dec 10 17:27:22 CET 2014

Thank you Martin for the details. Glad to hear both IKE versions support anti replay. 

I will check with the steps you shared. 

 I am wondering if my configuration is wrong.  

I am running strongswan version 5.0.1 and I am using the strongswan global replay window to configure a value.

Do I need to apply "esn" to the esp configuration for IKV1. I am okay with using just 32 bit sequence numbers unless it is required for anti replay.
If it is okay with you, please share with me your ipsec and strongswan configuration. 


Sent from my iPhone

> On Dec 10, 2014, at 2:12 AM, Martin Willi <martin at strongswan.org> wrote:
> Hi Jordan,
>> Does strongswan 5.x provide esp replay protection with IKEv1?
> Yes.
>> I can pass packets with seq number 1, 2, 3 , ..., 31, 1, 2,3, ..., 31.
>> Basically packets with duplicate sequence number are not dropped.
> In my tests this works as expected, both for IKEv1 and IKEv2, and with a
> replay window of 32 and 128. I used the following test procedure:
>      * Establish a CHILD_SA or Quick Mode (tunnel mode, net-to-net)
>      * Send two ping messages
>      * Delete the outbound SA using "ip xfrm state delete"
>      * Add the same outbound SA using "ip xfrm state add", effectively
>        resetting the outbound ESP sequence number
>      * Send an additional four ping messages
> From the last ping sequence, the first two messages fail, because the
> remote end already processed these sequence numbers. Ping 3 and 4
> succeed, because the replay counter allows these sequence numbers. I
> also could confirm that the remote end rejected these packets with two
> XfrmInStateSeqError in /proc/net/xfrm_stat.
> Regards
> Martin

More information about the Users mailing list