[strongSwan] FW: Is that a security Issue?

Tobias Brunner tobias at strongswan.org
Tue Sep 21 09:25:48 CEST 2010

Hi Michalle,

> I have other question about this. Why it only happens when the ESP
> protects a Tunnel mode IP traffic.
> I have never seen that plain text under the transport model.

Yes, this only happens with tunnel mode.  I don't know the exact reason for it,
it's probably just a side effect of how tunnel mode is implemented in the kernel.

> And also does that means the the Linux Kernal knows the SA Key which
> established between Strongswan and my implementation, otherwise
> how it could decrypt the ESP packet.

That's exactly how it works.  All the IPsec traffic (ESP/AH) is directly handled
by the Linux kernel.  strongSwan just acts as a keying daemon that operates in
userland and writes the keys it establishes via IKE to the Linux kernel using
Netlink/XFRM or PF_KEY.  To see the SAs and keys that are currently configured
in the kernel you can also use the 'ip xfrm state' command.


More information about the Users mailing list