[strongSwan] API to access keys used by IPsec
T C
tccheung1 at gmail.com
Wed Jun 22 20:17:28 CEST 2011
Hi Martin,
Sorry. To clarify some more, what I'd like to do is to use charon, the IKEv2
daemon, as is. I just want to have access to the keys that were already
negotiated by charon. I don't want to use IPsec from strongSwan but want to
have access to the keys used by the IPsec ESP protocol. Sounds like
ike_keys()/child_keys() you mentioned are the way to go. I'll check them out.
Thanks,
Terry
On Wed, Jun 22, 2011 at 12:11 AM, Martin Willi <martin at strongswan.org> wrote:
> Hi Terry,
>
> > I have an encryption protocol that currently uses pre-shared keys. I
> > would like to use charon from strongSwan to do the key exchange.
> > What's the API to access those keys used by IPsec? Also are those
> > keys in memory or in files? If in files, where are they?
>
> It's not really clear to me what you want to do. The IKEv2 protocol can
> use pre-shared keys to authenticate the peers. These keys are usually
> stored in the ipsec.secrets file, but other credential backends
> implementing the credential_set_t [1] interface can be used to query
> secrets.
>
> The actually used encryption keys are derived from a Diffie-Hellman
> exchange and other parameters. To intercept these keys programmatically,
> you could implement the ike_keys()/child_keys() hooks [2] in your own
> listener.
>
> Regards
> Martin
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libstrongswan/credentials/credential_set.h;hb=HEAD#l83
> [2] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libcharon/bus/listeners/listener.h;hb=HEAD#l105
>
>
>
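The derivation summarised in the quoted reply ("derived from a Diffie-Hellman exchange and other parameters"), written out per RFC 7296 sections 2.13, 2.14 and 2.17 as an added example; it is not part of the original thread and not strongSwan code. It assumes PRF_HMAC_SHA2_256 and an ESP proposal of AES-128-CBC with HMAC-SHA2-256-128; the function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256 (assumed negotiated PRF for this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 7296 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    out, block = b"", b""
    for counter in range(1, 256):  # the counter is a single octet
        if len(out) >= length:
            break
        block = prf(key, block + seed + bytes([counter]))
        out += block
    if len(out) < length:
        raise ValueError("prf+ cannot produce that much key material")
    return out[:length]

def derive_sk_d(dh_secret, ni, nr, spi_i, spi_r):
    """SKEYSEED = prf(Ni | Nr, g^ir); SK_d is the first PRF-sized output
    of prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)."""
    skeyseed = prf(ni + nr, dh_secret)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, 32)

def derive_child_keys(sk_d, ni, nr, enc_len=16, integ_len=32, pfs_secret=b""):
    """KEYMAT = prf+(SK_d, [g^ir (new) |] Ni | Nr), split per RFC 7296 2.17:
    initiator-to-responder keys first, encryption key before integrity key."""
    keymat = prf_plus(sk_d, pfs_secret + ni + nr, 2 * (enc_len + integ_len))
    names = ("encr_i", "integ_i", "encr_r", "integ_r")
    sizes = (enc_len, integ_len, enc_len, integ_len)
    keys, offset = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = keymat[offset:offset + size]
        offset += size
    return keys

# Constructed sample values, not taken from a real exchange.
NI, NR = bytes(range(32)), bytes(range(32, 64))
SPI_I, SPI_R = b"\x11" * 8, b"\x22" * 8
DH_SECRET = b"\xab" * 256

if __name__ == "__main__":
    sk_d = derive_sk_d(DH_SECRET, NI, NR, SPI_I, SPI_R)
    for name, key in derive_child_keys(sk_d, NI, NR).items():
        print(name, len(key), "bytes")  # lengths only; key bytes stay out of logs
```

SK_d and the nonces are exactly the inputs that never leave the IKE daemon, which is why the keys have to be obtained from inside charon rather than recomputed by an external program.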