The VPN gateway must enable anti-replay for all IPSec security associations.

From IPSec VPN Gateway Security Technical Implementation Guide

Part of Anti-replay is not enabled for all IPSec security.

Associated with IA controls: ECSC-1

SV-40998r1_rule The VPN gateway must enable anti-replay for all IPSec security associations.

Vulnerability discussion

Replay attack is a type of injection attack when an IPSec packet is captured by an attacker and re-inserts it into the legitimate flow to disrupt service or create undesired behavior. IPSec anti-replay service can mitigate a replay attack by running sequence numbers for each end of the tunnel and incrementing it for each packet sent. If a packet that is received does not have the expected sequence number, it is dropped.

Check content

Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and determine if anti-replay is enabled. If anti-replay is not configured, determine if the feature is enabled by default.

Fix text

Enable anti-replay on all IPSec security associations either within IPSec profiles or as a global command.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer