[Swan] SA-replayed-pkt
Paul Wouters
paul at nohats.ca
Fri Jan 4 04:04:32 UTC 2019
On Mon, 26 Nov 2018, Ted Toth wrote:
> On a RHEL7 system running selinux-policy-mls and labeled ipsec I'm
> seeing a lot of MAC_IPSEC_EVENT messages in the audit log with
> op=SA-replayed-pkt. These look worrying to me but I have been able to
> find out much about what they are actually telling me can anyone help
> me out? Should I be worried?
(sorry for the late reply)
That looks like you are seeing retransmitted packets. Each IPsec packet
has a sequence number. The IPsec SA has a "replay window" within which
it will store/keep packets that arrived out of order. Outside that window,
it will drop the packet.
One possibility is that the error for a replayed packet that is dropped
(actually receiving the same packet twice within the replay window)
is the same audit event as a packet arriving outside the replay window
for which we can no longer determine if it was a duplicate.
If this is happening on high speed links (gbps) then perhaps increase
the replay-window from the standard 32 to something higher (64? 2048?)
or if this is a high speed link within the same administrative boundary
where you are confident no one can send you spoofed/replayed packets,
you can set replay-window=0 to disable all replay detection.
Or, you need to investigate if there really is something malicious
happening :)
Paul
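
The replay-window behaviour described in the reply above, as an added example that is not part of the original post and is not libreswan or kernel code. It is a simplified sliding-window check in the style of RFC 4303; all names are hypothetical and the packet sequences are constructed. It shows a true duplicate and a late packet outside the window both being dropped, and a larger window accepting the same late packet.

```c
/* Added illustration: simplified ESP anti-replay window. Hypothetical names. */
#include <stdint.h>
#include <stdio.h>

enum verdict { ACCEPT, DROP_DUPLICATE, DROP_TOO_OLD };

struct replay_state {
    uint32_t top;     /* highest sequence number accepted so far */
    uint64_t bitmap;  /* bit i set => sequence (top - i) already seen */
    unsigned window;  /* window size in packets, 1..64; 0 = checks off */
};

enum verdict replay_check(struct replay_state *st, uint32_t seq)
{
    if (st->window == 0)
        return ACCEPT;                  /* replay-window=0: no detection */
    if (seq > st->top) {                /* new highest: slide window forward */
        uint32_t shift = seq - st->top;
        st->bitmap = (shift >= 64) ? 0 : st->bitmap << shift;
        st->bitmap |= 1;
        st->top = seq;
        return ACCEPT;
    }
    uint32_t age = st->top - seq;
    if (age >= st->window || age >= 64)
        return DROP_TOO_OLD;            /* outside window: cannot tell if dup */
    if (st->bitmap & (1ULL << age))
        return DROP_DUPLICATE;          /* same sequence number seen twice */
    st->bitmap |= 1ULL << age;          /* late but new: accept and record */
    return ACCEPT;
}

/* Constructed stream: sequences 1..n arrive in order, except `late`,
 * which arrives after all the others. Returns the verdict for `late`. */
enum verdict deliver_late(unsigned window, uint32_t n, uint32_t late)
{
    struct replay_state st = { 0, 0, window };
    for (uint32_t s = 1; s <= n; s++)
        if (s != late)
            replay_check(&st, s);
    return replay_check(&st, late);
}

int main(void)
{
    /* Packet 5 arrives 45 packets late: dropped at 32, accepted at 64. */
    printf("window=32: %d\n", deliver_late(32, 50, 5));
    printf("window=64: %d\n", deliver_late(64, 50, 5));
    return 0;
}
```

Both drop verdicts here are distinct values; the reply's point is that an audit log may report them as one event, so a burst of drops on a fast, reordering link does not by itself distinguish the two cases.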