[Swan] SA-replayed-pkt

Paul Wouters paul at nohats.ca
Fri Jan 4 04:04:32 UTC 2019

On Mon, 26 Nov 2018, Ted Toth wrote:

> On a RHEL7 system running selinux-policy-mls and labeled ipsec I'm
> seeing a lot of MAC_IPSEC_EVENT messages in the audit log with
> op=SA-replayed-pkt. These look worrying to me but I have been able to
> find out much about what they are actually telling me can anyone help
> me out? Should I be worried?

(sorry for the late reply)

That looks like you are seeing retransmitted packets. Each IPsec packet
has a sequence number. The IPsec SA has a "replay window" within in
which store/keep packets that arrived out of order. Outside that window,
it will drop the packet.

One possibility is that the error for a replayed packet that is dropped
(actually receiving the same packet twice within the replay window)
is the same audit event as a packet arriving outside the replay window
for which we can no longer determine if it was a duplicate.

If this is happening on high speed links (gbps) then perhaps increase
the replay-window from the standard 32 to something higher (64? 2048?)
or if this is a high speed link within the same administrative boundary
where you are confident no one can send you spoofed/replayed packets,
you can set replay-window=0 to disable all replay detection.

Or, you need to investigate if there really is something malicious
happening :)


More information about the Swan mailing list