Screen OS

  • 1.  Reasons to use "no-reply"?

    Posted 05-12-2009 02:17

    When reading ScreenOS VPN-related documentation "no-reply" seems to use quite a lot. However this is never explained in further detail.

    Why would one want to use no-reply except when one has to (e.g. manual keying and non-IKE keying)?


    Thanks in advance!

    Best regards,

    Tanel



  • 2.  RE: Reasons to use "no-reply"?

    Posted 05-13-2009 10:50

    Hi,

    I'm afraid your question isn't quite clear since nobody answered yet. Which no-reply are you referring to?



  • 3.  RE: Reasons to use "no-reply"?

    Posted 05-22-2009 07:20

    My bad, I was referring to the no-replay option.


  • 4.  RE: Reasons to use "no-reply"?
    Best Answer

    Posted 05-22-2009 07:35

    Hi,

    ESP/AH replay protection is used to prevent an attacker from replaying old packets into the IPsec tunnel.

    It is implemented by not dropping ESP/AH packets that have sequence numbers older than the last packet's sequence number - 32.

    When no-replay is set, the tunnel will not be protected from replaying ESP/AH packets.

    You may want to set the no-replay option when you have packet reordering in your network.

    For example due to QoS.

    Hope this helps.

    Kind Regards,

    Nemanja


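A worked model of the sliding window Nemanja describes, added here as an illustration and not code from the thread or from ScreenOS; it assumes a 32-entry window (bit i of a bitmap tracks whether sequence number top - i was seen) and shows why a packet delayed past the window by reordering gets dropped:

```python
WINDOW = 32  # window width in sequence numbers, taken from the post above


class ReplayWindow:
    """Sliding anti-replay window for ESP/AH-style sequence numbers.

    top    : highest sequence number accepted so far
    bitmap : bit i is set when sequence number (top - i) has been seen
    """

    def __init__(self, window: int = WINDOW) -> None:
        self.window = window
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if acceptable; False if it is rejected."""
        if seq == 0:
            return False  # sequence number 0 is never valid for ESP/AH
        if seq > self.top:
            # New high-water mark: slide the window forward and mark seq.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.window:
            return False  # older than top - window: dropped as a possible replay
        if self.bitmap & (1 << offset):
            return False  # already seen inside the window: a duplicate/replay
        self.bitmap |= 1 << offset  # late but still inside the window: accept
        return True


def rejected(seqs, window: int = WINDOW):
    """Run a stream of sequence numbers through one window; return the drops."""
    w = ReplayWindow(window)
    return [s for s in seqs if not w.check_and_update(s)]


if __name__ == "__main__":
    # Constructed streams: a straight replay, mild reordering (accepted),
    # and a packet delayed past the window, e.g. by a slow QoS queue (dropped).
    print(rejected([1, 2, 3, 2]))                    # [2]
    print(rejected([1, 3, 2, 4]))                    # []
    print(rejected([1] + list(range(3, 36)) + [2]))  # [2]
```

With no-replay set, the equivalent check is simply skipped, so the third stream's late packet would be accepted along with any genuine replay.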

  • 5.  RE: Reasons to use "no-reply"?

    Posted 06-12-2009 00:45

    Great explanation, thanks! 🙂