To set the vpn tunnel with ESP replay checks, you need to configure the following command under your phase2 definitions.
set replay enable
What this does; " is to set the ESP anti-replay window to a default size of 1024 bytes ". The default is for the esp-replay to be disabled.
By using the diag vpn tunnel list commands, you can validate if the window is set.
( enabled )
TIP: To get an ideal of what happens when replay has taken place, use a program like tcpreplay to re-inject capture ESP from a packet dump and check your vpn-ipsec logs.
Most modern firewall have a means to enable and set the size of the window, but the fortigate does not give you this option that I'm aware of.
By monitoring the sequence numbers ( seqno= ) and using a capture techniques, you can determine if a ESP replay attack is underway.
(A example of monitoring w/ESP-seq#s & tshark )
tshark -n -tad -i eth0 -T Fields -e esp.sequence -e frame.time
You can take this information and place this received/sent sequence# into a graph to discover anomalies. For all packets sent or received, the sequence number should increment by one if traffic was encrypted or decrypted.
Freelance Network/Security Engineer
kfelix -----a----t---- socpuppets ---dot---com
=( # # )=