[strongSwan-dev] How to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA

Andreas Steffen andreas.steffen at strongswan.org
Wed Mar 31 07:44:22 CEST 2010


Did you define any loggers in strongswan.conf which would replace
the defaults defined by ipsec.conf:

http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

Regards

Andreas

Aaron Zhang wrote:
> Hi, Steffen,
> 
> Yes, I put the charondebug directive in the "config setup" section of ipsec.conf.
> And I input the command 
> 
> ipsec restart
> 
> I believe this command will restart the Charon daemon. But there is not any result.
> I doubt I should load some plugins?
> 
> 
> --Aaron
> 
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
> Sent: March 31, 2010 13:18
> To: Aaron Zhang
> Cc: dev at lists.strongswan.org
> Subject: Re: [strongSwan-dev] How to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
> 
> Hi Aaron,
> 
> did you put the charondebug directive into the
> "config setup" section of ipsec.conf as in the following example
> 
> http://www.strongswan.org/uml/testresults43/ikev2/alg-blowfish/moon.ipsec.conf
> 
> and did you restart the charon daemon?
> 
> Andreas
> 
> Aaron Zhang wrote:
>> Thanks. I got it now.
>> But I have another question. With the ipsec.conf setting 
>>  
>> 	charondebug="ike 4"
>> There is still not any debug information in /var/log/secure.
>>
>> Only use the command
>> ipsec stroke loglevel ike 4
>>
>> There is debug information in /var/log/secure.
>>
>> Anything I missed?
>>
>> --Aaron
>>
>> -----Original Message-----
>> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
>> Sent: March 31, 2010 13:05
>> To: Aaron Zhang
>> Cc: dev at lists.strongswan.org
>> Subject: Re: [strongSwan-dev] How to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
>>
>> Hi Aaron,
>>
>> with the ipsec.conf setting
>>
>>   charondebug="ike 4"
>>
>> SK_ei, SK_er, SK_ai, SK_ar are written to the log.
>> As an alternative the command
>>
>>   ipsec stroke loglevel ike 4
>>
>> achieves the same when the charon daemon is already running.
>>
>> Best regards
>>
>> Andreas
>>
>> Aaron Zhang wrote:
>>> Hi all.
>>>
>>>  
>>>
>>> Are there any ways to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
>>> which are useful to decrypt the IKE_AUTH packet with wireshark.
>>>
>>> I set the debug as 4 for all debug type. But there is no such information.
>>>
>>>  
>>>
>>> thanks
>>>
>>>   -Aaron

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
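
Once "ike 4" output does reach the log, the SK_* values discussed in this thread can be pulled out of it with a small parser. The following is an added example, not part of the original thread and not strongSwan code. It assumes charon writes each key as a "<label> secret => N bytes @ <address>" header followed by hex-dump rows; the hostname, addresses and key bytes in the sample are constructed.

```python
import re

# Constructed sample log (assumed layout, made-up key bytes, not real key material).
SAMPLE_LOG = """\
Mar 31 07:40:01 moon charon: 05[IKE] Sk_ei secret => 16 bytes @ 0x80f1a20
Mar 31 07:40:01 moon charon: 05[IKE]    0: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  ................
Mar 31 07:40:01 moon charon: 05[IKE] Sk_ai secret => 20 bytes @ 0x80f1a60
Mar 31 07:40:01 moon charon: 05[IKE]    0: A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF  ................
Mar 31 07:40:01 moon charon: 05[IKE]   16: B0 B1 B2 B3                                      ....
Mar 31 07:40:01 moon charon: 05[IKE] Sk_er secret => 16 bytes @ 0x80f1a40
"""

# Header announcing a key and its length, e.g. "Sk_ei secret => 16 bytes".
HEADER = re.compile(r"\[IKE\]\s+(Sk_\w+) secret => (\d+) bytes")
# Hex-dump row: an offset, then bytes separated by single spaces. The ASCII
# column is set off by two spaces, so it can never match " XX".
ROW = re.compile(r"\[IKE\]\s+\d+:((?: [0-9A-Fa-f]{2})+)")


def extract_ike_secrets(log_text):
    """Return {label: lowercase hex} for every completely logged SK_* value."""
    secrets = {}
    label, want, buf = None, 0, []
    for line in log_text.splitlines():
        header = HEADER.search(line)
        if header:
            # A new header starts a new key; an unfinished previous one is dropped.
            label, want, buf = header.group(1), int(header.group(2)), []
            continue
        row = ROW.search(line)
        if label and row:
            buf.extend(row.group(1).split())
            if len(buf) >= want:
                # Trust the declared length, not the number of bytes seen.
                secrets[label] = "".join(buf[:want]).lower()
                label = None
    return secrets


if __name__ == "__main__":
    for name, value in extract_ike_secrets(SAMPLE_LOG).items():
        print(name, value)
```

The same scan doubles as a check for key material left behind in /var/log/secure after a level 4 debugging session.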
