[strongSwan] newbie question: Win7-StrongSwan: ESP confidentiality is None while on Linux box it looks fine

Alexander Lyakas alex.bolshoy at gmail.com
Thu Feb 16 11:58:10 CET 2012 

Greetings everybody,
I am trying to setup a basic client-to-server secured connection with
ESP in transport mode. The server is ubuntu-natty 2.6.38-8 with stock
strongswan package 4.5.0.
The server is in roadwarrior mode using pre-shared keys. (The idea is
configure the server only once, so that all clients can establish
IPSec to it). On the server I am using IKEv1 only at this point.
The client is a Win7 box. It is configured using Windows Firewall
Advanced Snap-In to always require encryption.

Everything seems to work more or less as expected. However, when the
IPSec SA is established, in Win7 IP Security Monitor, I see that "ESP
confidentiality" is "None". When running "setkey -D" on the Linux box
I can see the encryption is enabled on the SAs:
root at vc-0-0-10-03--109-dev:~# setkey -D
172.16.0.158 172.16.4.10
        esp mode=transport spi=1217668046(0x489423ce) reqid=16392(0x00004008)
        E: aes-cbc  58ebcc39 10ecd799 6c784631 261cbeda
        A: hmac-sha1  a0819356 2c08386c c7cb56cc caba9da2 0e7f04e5
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Feb 16 12:41:36 2012   current: Feb 16 12:41:41 2012
        diff: 5(s)      hard: 0(s)      soft: 0(s)
        last: Feb 16 12:41:39 2012      hard: 0(s)      soft: 0(s)
        current: 52(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 2    hard: 0 soft: 0
        sadb_seq=1 pid=1790 refcnt=0
172.16.4.10 172.16.0.158
        esp mode=transport spi=3274301888(0xc329e1c0) reqid=16392(0x00004008)
        E: aes-cbc  c915c917 26a25072 02d0d950 05f2d31d
        A: hmac-sha1  1bb2124c 52265cc0 263098f2 c2cd2880 e3fefbfd
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Feb 16 12:41:36 2012   current: Feb 16 12:41:41 2012
        diff: 5(s)      hard: 0(s)      soft: 0(s)
        last: Feb 16 12:41:36 2012      hard: 0(s)      soft: 0(s)
        current: 244(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 4    hard: 0 soft: 0
        sadb_seq=0 pid=1790 refcnt=0

How can I verify that encryption is really effective? I was trying to
use Wireshark to capture the traffic, and indeed I see ESP packets
there, but still not sure at this point.
I am also posting my server ipsec.conf, please let me know if it makes sense.
Thanks!

config setup
        charonstart=no
        plutostart=yes
        strictcrlpolicy=no
        uniqueids=yes
        crlcheckinterval=0s
        nocrsend=no
        plutodebug="control lifecycle dns oppo controlmore natt"
        postpluto=
        prepluto=

conn client
        auth=esp
        authby=psk # for IKEv2 use leftauth
        auto=add
        dpdaction=clear
        dpddelay=30s
        dpdtimeout=150s # IKEv1 only
        esp=aes128-sha1 # Add more as needed
        ike=aes128-sha1-modp1024 # Add more as needed
        ikelifetime=3h
        installpolicy=yes
        keyexchange=ikev1 # (for outgoing connection only)
        keyingtries=1 # We should not retry, the client should
        lifetime=1h
        margintime=9m
        pfs=no
        pfsgroup= # For IKEv1 only
        reauth=yes
        rekey=yes
        type=transport
        # LEFT - server
        left=172.16.0.158
        leftallowany=no
        leftauth= # For IKEv2 only
        leftprotoport=tcp
        # RIGHT - client
        right=%any
        rightallowany=yes
        rightauth= # For IKEv2 only
        rightprotoport=tcp

More information about the Users mailing list