On Mon, 26 Nov 2018, Ted Toth wrote:
On a RHEL7 system running selinux-policy-mls and labeled ipsec I'm seeing a lot of MAC_IPSEC_EVENT messages in the audit log with op=SA-replayed-pkt. These look worrying to me, but I haven't been able to find out much about what they are actually telling me. Can anyone help me out? Should I be worried?
(sorry for the late reply)

That looks like you are seeing retransmitted packets. Each IPsec packet has a sequence number. The IPsec SA has a "replay window" within which it stores/keeps packets that arrived out of order. Outside that window, it will drop the packet.

One possibility is that the error for a replayed packet that is dropped (actually receiving the same packet twice within the replay window) is the same audit event as a packet arriving outside the replay window, for which we can no longer determine if it was a duplicate.

If this is happening on high speed links (gbps) then perhaps increase the replay-window from the standard 32 to something higher (64? 2048?), or if this is a high speed link within the same administrative boundary where you are confident no one can send you spoofed/replayed packets, you can set replay-window=0 to disable all replay detection.

Or, you need to investigate if there really is something malicious happening :)

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
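A toy model of the replay window Paul describes, added here as an illustration (not Libreswan or Linux kernel code): it follows the sliding-bitmap scheme of RFC 4303 Appendix A and classifies a constructed arrival order of sequence numbers into "accepted", "duplicate inside the window" and "too old to tell", so you can see why a larger window turns some of the latter into the former and why replay-window=0 silences everything. The three outcome labels are my own; the audit event on the page does not distinguish the two drop reasons.

```python
from collections import Counter

ACCEPT, DUP_IN_WINDOW, OUTSIDE_WINDOW = "accept", "replayed-in-window", "outside-window"


class ReplayWindow:
    """Anti-replay sliding window (RFC 4303 Appendix A style).

    window_size is the number of sequence numbers tracked below the highest
    one seen; 0 disables replay detection, mirroring replay-window=0.
    """

    def __init__(self, window_size=32):
        self.size = window_size
        self.top = 0       # highest sequence number accepted so far
        self.bitmap = 0    # bit i set <=> sequence number (top - i) was accepted

    def check(self, seq):
        if self.size == 0:
            return ACCEPT                      # detection disabled
        if seq == 0:
            return OUTSIDE_WINDOW              # 0 is never a valid ESP sequence number
        mask = (1 << self.size) - 1
        if seq > self.top:                     # new high water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return ACCEPT
        diff = self.top - seq
        if diff >= self.size:
            return OUTSIDE_WINDOW              # too old: cannot tell duplicate from late
        if self.bitmap & (1 << diff):
            return DUP_IN_WINDOW               # seen before: a genuine replay
        self.bitmap |= 1 << diff               # late but first time seen
        return ACCEPT


def classify_stream(seqs, window_size=32):
    """Run every sequence number through one SA and return the per-packet outcome."""
    win = ReplayWindow(window_size)
    return [win.check(s) for s in seqs]


def audit_counts(seqs, window_size=32):
    """Tally outcomes the way one would summarise SA-replayed-pkt events per SA."""
    return Counter(classify_stream(seqs, window_size))


# Constructed arrival order: in-order packets, one retransmit, reordering,
# two retransmits of old packets, a jump far ahead, then a very late packet.
SAMPLE_ARRIVALS = [1, 2, 3, 3, 5, 4, 2, 1, 40, 2, 39]

if __name__ == "__main__":
    for size in (32, 64, 0):
        print(f"replay-window={size}: {dict(audit_counts(SAMPLE_ARRIVALS, size))}")
```

With the default window of 32 the late packet with sequence number 2 arriving after 40 is "outside-window"; with a window of 64 it is correctly recognised as a replay of a packet already accepted.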
