
The VPN gateway must enable anti-replay for all IPSec security associations.


Overview

Finding ID: V-30956
Version: NET-VPN-180
Rule ID: SV-40998r1_rule
IA Controls: ECSC-1
Severity: Medium
Description
A replay attack is an injection attack in which an attacker captures a legitimate IPSec packet and later re-inserts it into the flow to disrupt service or trigger unintended behavior. The IPSec anti-replay service mitigates this: the sender keeps a monotonically increasing sequence number for each security association (SAs are unidirectional, so each direction of a tunnel has its own counter), increments it for every packet sent, and carries it in the ESP or AH header under integrity protection. The receiver keeps a sliding window of sequence numbers it has already accepted and drops any packet whose sequence number has already been seen or falls below the window (RFC 4303, section 3.4.3). Because the check trusts the sequence number only after the packet's integrity check passes, anti-replay is effective only on SAs that use integrity protection (AH, or ESP with an integrity algorithm); ESP with encryption alone cannot detect replay.
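The receiver-side sliding window the description refers to, as an added example that is not part of the STIG: a Python implementation of the RFC 4303 anti-replay check run over a constructed trace of sequence numbers that includes replayed and too-old packets. The class and function names, the 64-packet window and the sample trace are assumptions for illustration.

```python
# Added example (not from the STIG): RFC 4303 anti-replay sliding window for one inbound SA.


class AntiReplayWindow:
    """Receiver-side anti-replay state for a single IPsec SA (ESP or AH).

    Sequence numbers start at 1 on a new SA.  `top` is the highest sequence
    number accepted so far; bit i of `bitmap` is set when sequence number
    (top - i) has already been accepted.  The window covers `size` numbers.
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True to accept `seq`, False to drop it (replayed or too old).

        Call this only after the packet's ICV has been verified: an
        unauthenticated sequence number could be forged to slide the window
        forward and make genuine in-flight packets look stale.
        """
        if seq == 0:
            return False                      # 0 is never a valid ESP/AH sequence number
        if seq > self.top:
            # New high-water mark: slide the window forward.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1               # everything previously seen falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # below the window: too old to judge, drop
        if self.bitmap & (1 << offset):
            return False                      # already accepted once: replay, drop
        self.bitmap |= 1 << offset            # late but fresh: accept and remember it
        return True


def filter_trace(seqs, size: int = 64):
    """Run a trace of received sequence numbers through one window.

    Returns a list of (seq, accepted) pairs in arrival order.
    """
    window = AntiReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: normal delivery, one reordered packet, several replays,
    # a large jump, a packet that has aged out of the window, and a late replay.
    trace = [1, 2, 3, 5, 4, 3, 2, 1, 100, 50, 36, 37, 101, 100]
    for seq, ok in filter_trace(trace):
        print(f"seq {seq:4d}: {'accept' if ok else 'DROP'}")
```

Reordering within the window (sequence 4 arriving after 5) is tolerated, which is why vendors expose a window-size setting: a window that is too small for the path's reordering causes false drops, while disabling the check entirely removes the protection. Note also that the counter must never wrap within an SA; a new SA has to be negotiated before 2^32 packets (2^64 with extended sequence numbers).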
STIG: IPSec VPN Gateway Security Technical Implementation Guide
Date: 2018-11-27

Details

Check Text (C-39616r1_chk)
Review all IPSec Security Associations configured globally or within IPSec profiles on the VPN gateway and determine if anti-replay is enabled. If anti-replay is not configured, determine if the feature is enabled by default.
Fix Text (F-34766r2_fix)
Enable anti-replay on all IPSec security associations either within IPSec profiles or as a global command.
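The review described in the Check Text and the two places the Fix Text names (global command or per-profile setting), as an added example that is not part of the STIG or of any vendor's tooling: a Python script that parses a constructed configuration and resolves the effective anti-replay state for every IPSec profile and crypto map entry. The configuration uses Cisco IOS-style syntax, which the STIG itself does not name; the precedence rule (per-profile setting overrides the global command, which overrides the platform default) and the default of anti-replay being enabled are assumptions that must be confirmed against the actual platform, which is why the default is a parameter.

```python
# Added example (not from the STIG): resolve effective IPsec anti-replay state per SA container.
import re

# Constructed sample configuration in Cisco-IOS-style syntax (assumed; the STIG names no vendor).
SAMPLE_CONFIG = """\
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VPN-HQ
 set transform-set TS
!
crypto ipsec profile VPN-LEGACY
 set transform-set TS
 set security-association replay disable
!
crypto map SITE-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 set security-association replay window-size 128
!
"""

# Global command (applies to every SA unless overridden locally).
GLOBAL_RE = re.compile(r"^crypto ipsec security-association replay (disable|window-size (\d+))$")
# Containers that produce IPsec SAs: IPsec profiles and crypto map entries.
CONTAINER_RE = re.compile(r"^crypto (ipsec profile \S+|map \S+ \d+ ipsec-isakmp)$")
# Per-container override, indented under the container.
LOCAL_RE = re.compile(r"^\s+set security-association replay (disable|window-size (\d+))$")


def _setting(kind, size):
    return ("disabled", None) if kind == "disable" else ("enabled", int(size))


def parse_replay_settings(config):
    """Return (global_setting, {container_name: local_setting}).

    A setting is None when nothing is configured (platform default applies),
    ('disabled', None), or ('enabled', window_size).
    """
    glob = None
    containers = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith((" ", "\t")):
            current = None                    # any top-level line ends the previous block
            m = GLOBAL_RE.match(line)
            if m:
                glob = _setting(m.group(1), m.group(2))
                continue
            m = CONTAINER_RE.match(line)
            if m:
                current = m.group(1)
                containers.setdefault(current, None)
            continue
        m = LOCAL_RE.match(line)
        if m and current is not None:
            containers[current] = _setting(m.group(1), m.group(2))
    return glob, containers


def effective_anti_replay(config, default_enabled=True):
    """Resolve the effective anti-replay state of every profile / crypto map entry.

    Precedence (assumed): local setting > global command > platform default.
    `default_enabled` must reflect the platform under review, as the Check Text
    asks the reviewer to establish when nothing is configured explicitly.
    """
    glob, containers = parse_replay_settings(config)
    result = {}
    for name, local in containers.items():
        if local is not None:
            state, source = local, "local"
        elif glob is not None:
            state, source = glob, "global"
        else:
            state = ("enabled", None) if default_enabled else ("disabled", None)
            source = "default"
        result[name] = {"enabled": state[0] == "enabled", "window": state[1], "source": source}
    return result


def noncompliant(config, default_enabled=True):
    """Names of SA containers on which anti-replay is effectively off."""
    return sorted(n for n, r in effective_anti_replay(config, default_enabled).items()
                  if not r["enabled"])


if __name__ == "__main__":
    for name, r in effective_anti_replay(SAMPLE_CONFIG).items():
        print(f"{name:35s} enabled={r['enabled']!s:5s} window={r['window']} ({r['source']})")
    print("non-compliant:", noncompliant(SAMPLE_CONFIG))
```

In the sample, VPN-HQ inherits the global window of 1024, SITE-MAP entry 10 overrides it with 128, and VPN-LEGACY disables anti-replay locally despite the global command, so only VPN-LEGACY is reported. Running the same script with `default_enabled=False` shows why the Check Text insists on establishing the default: a profile with no replay setting at all is then reported as non-compliant.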