Monday, February 2, 2015

ESP replay window enabling & disable Fortigate

To  set the vpn tunnel with ESP replay checks, you need to configure the following command under your phase2 definitions.

set replay enable

What this does; "  is to set the ESP anti-replay window to a default size of 1024 bytes ". The default is for the  esp-replay to be disabled.

By using the diag vpn tunnel list commands, you can validate if the window is set.

( enabled )

( disabled )

TIP: To get an ideal of what happens when replay has taken place, use a program like tcpreplay to re-inject  capture ESP  from a packet dump  and check your vpn-ipsec logs.

Most modern firewall have a means to enable and set the size of the window, but the fortigate does not give you this option that I'm aware of.

By monitoring the  sequence numbers ( seqno= ) and using a capture techniques, you can determine if a ESP replay attack is underway.

(A example of monitoring w/ESP-seq#s &  tshark )

tshark -n -tad -i eth0 -T Fields -e esp.sequence -e frame.time 

You can take this information and place this received/sent  sequence# into a graph to discover anomalies. For all packets sent or received, the sequence number should increment by one if traffic was encrypted or decrypted.

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( #  # )=
      /   \

No comments:

Post a Comment