What is the window size for the "Enable Replay Protection” option for IPSec tunnel?

50836
Created On 10/23/19 23:07 PM - Last Modified 08/20/22 07:22 AM


Question


  • What is the window size for the "Enable Replay Protection" option for an IPSec tunnel?
  • The "Enable Replay Protection" option for an IPSec tunnel is found under Network > IPSec Tunnels > IPSec Tunnel, after enabling "Show Advanced Options" on the General tab of the IPSec tunnel settings.
  • This option enables the IPsec anti-replay check, which rejects ESP packets whose sequence numbers have already been accepted or are too old, protecting the tunnel against replayed traffic.


Environment


  • Palo Alto Networks Strata Firewalls
  • PAN-OS 10.0 or below.
Note: The anti-replay window size is configurable starting from PAN-OS 10.1. Refer to the Auto Key settings under General Settings for the IPSec tunnel.


Answer


  1. On PAN-OS 10.0 and below, the replay window size is fixed at 64 packets and is not configurable on the Palo Alto Networks NGFW.
  2. The "show vpn flow" command can be used to confirm this.
  3. On PAN-OS 10.0 and below the output only shows whether the anti-replay check is enabled; no anti-replay window size is displayed:
    > show vpn flow

    # Look for the VPN tunnel in question and note its tunnel ID.

    > show vpn flow tunnel-id 1 | match replay

            anti replay check:      yes

    # Use the tunnel ID to inspect the anti-replay settings for that specific tunnel.

  4. On PAN-OS 10.1 and above, the same command also shows the configured window size and the count of packets dropped by the replay check:
    > show vpn flow tunnel-id 1 | match replay
            anti replay check:      yes
            anti replay window:     1024
            replay packets:         0


Additional Information


  • Anti-replay is a service of the IPsec ESP and AH protocols standardized by the IETF. Its goal is to stop an attacker who has captured valid packets from re-injecting them later (for example to repeat a transaction or trigger a state change), not to detect modification, which is the job of the integrity check value (ICV). Anti-replay state is kept per unidirectional security association (SA). When an SA is established, the sender's sequence number counter is initialized to 0; the first packet sent carries sequence number 1 and each subsequent packet increments it by 1. The receiver maintains a 'sliding window' of the most recent sequence numbers it has accepted (64 on PAN-OS 10.0 and below; RFC 4303 requires a minimum of 32 and recommends 64 as the default). It rejects any packet whose sequence number is below the left edge of the window (too old) or is already marked in the window (a duplicate/replay). A packet to the right of the window is a candidate for acceptance and, once its ICV verifies, advances the window, dropping the lowest sequence numbers out of it. Because the window is updated only after the integrity check succeeds, a forged packet with a high sequence number cannot push the window forward; for the same reason replay protection is only meaningful when ESP or AH integrity is enabled. A larger window (such as the 1024 shown above) tolerates more packet reordering, for example across ECMP or QoS-shaped paths, at the cost of slightly more receiver state.
  • RFC 4303 - IP Encapsulating Security Payload (ESP)
  • RFC 6479 - IPsec Anti-Replay Algorithm without Bit Shifting
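The sliding-window check described above, as an added example that is not part of the original article or of PAN-OS: a receiver-side anti-replay window in the style of RFC 4303, with a configurable size so the fixed 64 of PAN-OS 10.0 and the larger values configurable on 10.1 can both be tried. The class name, the `receive` helper and the constructed packet sequence in the usage section are assumptions made for illustration; the separate `check` and `update` steps model the RFC's rule that the window is advanced only after the packet's ICV verifies.

```python
"""Illustrative ESP anti-replay sliding window (example code, not PAN-OS code).

The receiver remembers the highest sequence number accepted so far (the right
edge of the window) and a bitmap of which of the `size` most recent sequence
numbers have already been accepted. A packet is rejected if its sequence number
is left of the window (too old) or already marked in the bitmap (replay).
"""


class AntiReplayWindow:
    def __init__(self, size: int = 64) -> None:
        # 64 matches the fixed window on PAN-OS 10.0 and below; RFC 4303
        # requires at least 32. Sizes are assumed to be multiples of 8 here.
        if size < 32:
            raise ValueError("window size must be at least 32")
        self.size = size
        self.right = 0          # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence number (right - i) was accepted
        self.replays = 0        # counter comparable to "replay packets" in show vpn flow

    def check(self, seq: int) -> bool:
        """Pre-ICV check: may this sequence number be accepted?"""
        if seq == 0:
            return False                    # a conforming sender never transmits 0
        if seq > self.right:
            return True                     # new packet to the right of the window
        offset = self.right - seq
        if offset >= self.size:
            return False                    # too old: left of the window
        return not (self.bitmap & (1 << offset))   # False if already seen

    def update(self, seq: int) -> None:
        """Post-ICV update: record seq as accepted, sliding the window if needed."""
        if seq > self.right:
            shift = seq - self.right
            if shift >= self.size:
                self.bitmap = 1             # everything previously tracked falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)

    def receive(self, seq: int, icv_ok: bool = True) -> bool:
        """Full receive path: replay check, then (simulated) ICV check, then update."""
        if not self.check(seq):
            self.replays += 1
            return False
        if not icv_ok:
            return False                    # integrity failure: window left untouched
        self.update(seq)
        return True


def simulate(sequence, size: int = 64):
    """Feed a list of sequence numbers through one window; return (accepted, rejected)."""
    win = AntiReplayWindow(size)
    accepted, rejected = [], []
    for seq in sequence:
        (accepted if win.receive(seq) else rejected).append(seq)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed traffic: in-order packets, one reordered packet (4 after 5),
    # a replay of 5, a jump to 70 that slides the window so 6 becomes too old,
    # and a jump to 100 after which 36 is too old but 37 still fits.
    acc, rej = simulate([1, 2, 3, 5, 4, 5, 70, 6, 7, 100, 36, 37])
    print("accepted:", acc)
    print("rejected:", rej)
```

With the default window of 64, the packet numbered 6 is dropped after 70 arrives because 70 - 6 = 64 puts it just left of the window; running the same sequence with `size=1024` accepts it, which is the practical effect of the larger window configurable on PAN-OS 10.1 and above.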

