UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The VPN gateway must enable anti-replay for all IPSec security associations.


Overview

Finding ID Version Rule ID IA Controls Severity
V-30956 NET-VPN-180 SV-40998r1_rule ECSC-1 Medium
Description
Replay attack is a type of injection attack when an IPSec packet is captured by an attacker and re-inserts it into the legitimate flow to disrupt service or create undesired behavior. IPSec anti-replay service can mitigate a replay attack by running sequence numbers for each end of the tunnel and incrementing it for each packet sent. If a packet that is received does not have the expected sequence number, it is dropped.
STIG Date
IPSec VPN Gateway Security Technical Implementation Guide 2016-09-28

Details

Check Text ( C-39616r1_chk )
Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and determine if anti-replay is enabled. If anti-replay is not configured, determine if the feature is enabled by default.
Fix Text (F-34766r2_fix)
Enable anti-replay on all IPSec security associations either within IPSec profiles or as a global command.