[strongSwan] newbie question: Win7-StrongSwan: ESP confidentiality is None while on Linux box it looks fine
Alexander Lyakas
alex.bolshoy at gmail.com
Thu Feb 16 11:58:10 CET 2012
Greetings everybody,
I am trying to set up a basic client-to-server secured connection with
ESP in transport mode. The server is ubuntu-natty 2.6.38-8 with the stock
strongswan package 4.5.0.
The server is in roadwarrior mode using pre-shared keys. (The idea is to
configure the server only once, so that all clients can establish
IPSec to it.) On the server I am using IKEv1 only at this point.
The client is a Win7 box. It is configured using Windows Firewall
Advanced Snap-In to always require encryption.
Everything seems to work more or less as expected. However, when the
IPSec SA is established, in Win7 IP Security Monitor, I see that "ESP
confidentiality" is "None". When running "setkey -D" on the Linux box
I can see the encryption is enabled on the SAs:
root@vc-0-0-10-03--109-dev:~# setkey -D
172.16.0.158 172.16.4.10
    esp mode=transport spi=1217668046(0x489423ce) reqid=16392(0x00004008)
    E: aes-cbc 58ebcc39 10ecd799 6c784631 261cbeda
    A: hmac-sha1 a0819356 2c08386c c7cb56cc caba9da2 0e7f04e5
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Feb 16 12:41:36 2012 current: Feb 16 12:41:41 2012
    diff: 5(s) hard: 0(s) soft: 0(s)
    last: Feb 16 12:41:39 2012 hard: 0(s) soft: 0(s)
    current: 52(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 2 hard: 0 soft: 0
    sadb_seq=1 pid=1790 refcnt=0
172.16.4.10 172.16.0.158
    esp mode=transport spi=3274301888(0xc329e1c0) reqid=16392(0x00004008)
    E: aes-cbc c915c917 26a25072 02d0d950 05f2d31d
    A: hmac-sha1 1bb2124c 52265cc0 263098f2 c2cd2880 e3fefbfd
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
    created: Feb 16 12:41:36 2012 current: Feb 16 12:41:41 2012
    diff: 5(s) hard: 0(s) soft: 0(s)
    last: Feb 16 12:41:36 2012 hard: 0(s) soft: 0(s)
    current: 244(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 4 hard: 0 soft: 0
    sadb_seq=0 pid=1790 refcnt=0
How can I verify that encryption is really effective? I was trying to
use Wireshark to capture the traffic, and indeed I see ESP packets
there, but I am still not sure at this point.
I am also posting my server ipsec.conf; please let me know if it makes sense.
Thanks!
config setup
    charonstart=no
    plutostart=yes
    strictcrlpolicy=no
    uniqueids=yes
    crlcheckinterval=0s
    nocrsend=no
    plutodebug="control lifecycle dns oppo controlmore natt"
    postpluto=
    prepluto=

conn client
    auth=esp
    authby=psk # for IKEv2 use leftauth
    auto=add
    dpdaction=clear
    dpddelay=30s
    dpdtimeout=150s # IKEv1 only
    esp=aes128-sha1 # Add more as needed
    ike=aes128-sha1-modp1024 # Add more as needed
    ikelifetime=3h
    installpolicy=yes
    keyexchange=ikev1 # (for outgoing connection only)
    keyingtries=1 # We should not retry, the client should
    lifetime=1h
    margintime=9m
    pfs=no
    pfsgroup= # For IKEv1 only
    reauth=yes
    rekey=yes
    type=transport
    # LEFT - server
    left=172.16.0.158
    leftallowany=no
    leftauth= # For IKEv2 only
    leftprotoport=tcp
    # RIGHT - client
    right=%any
    rightallowany=yes
    rightauth= # For IKEv2 only
    rightprotoport=tcp
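Added example (not part of the original message): a small parser for the `setkey -D` format shown above that lists each ESP SA with its cipher and flags any SA whose cipher is missing or null, which is the kernel-side counterpart of "ESP confidentiality: None". The sample dump is constructed; its key material is fake, the second SA is deliberately a null-cipher SA, and the spelling `null` for that cipher is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout printed by "setkey -D" (fake keys).
SAMPLE = """\
172.16.0.158 172.16.4.10
    esp mode=transport spi=1217668046(0x489423ce) reqid=16392(0x00004008)
    E: aes-cbc 58ebcc39 10ecd799 6c784631 261cbeda
    A: hmac-sha1 a0819356 2c08386c c7cb56cc caba9da2 0e7f04e5
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
172.16.4.10 172.16.0.158
    esp mode=transport spi=3274301888(0xc329e1c0) reqid=16392(0x00004008)
    E: null
    A: hmac-sha1 1bb2124c 52265cc0 263098f2 c2cd2880 e3fefbfd
    seq=0x00000000 replay=32 flags=0x00000000 state=mature
"""

@dataclass
class EspSa:
    src: str
    dst: str
    spi: int
    mode: str
    enc: Optional[str] = None   # cipher from the "E:" line
    auth: Optional[str] = None  # integrity algorithm from the "A:" line

    def is_confidential(self) -> bool:
        # No "E:" line or a null cipher means ESP only authenticates the payload.
        return self.enc is not None and self.enc.lower() != "null"

# Regexes tolerate missing indentation (as when the dump is pasted into mail).
_SA = re.compile(r"^\s*(esp|ah)\s+mode=(\S+)\s+spi=\d+\((0x[0-9a-fA-F]+)\)")
_ALG = re.compile(r"^\s*([EA]):\s+(\S+)")
_HDR = re.compile(r"^(\S+)\s+(\S+)\s*$")

def parse_setkey_dump(text: str) -> List[EspSa]:
    sas: List[EspSa] = []
    src = dst = ""
    cur: Optional[EspSa] = None
    for line in text.splitlines():
        if m := _SA.match(line):          # start of an SA entry (esp or ah)
            proto, mode, spi = m.groups()
            cur = EspSa(src, dst, int(spi, 16), mode) if proto == "esp" else None
            if cur is not None:
                sas.append(cur)
        elif (m := _ALG.match(line)) and cur is not None:
            setattr(cur, "enc" if m.group(1) == "E" else "auth", m.group(2))
        elif m := _HDR.match(line):       # "src dst" line that opens an entry
            src, dst = m.groups()
    return sas

def unencrypted_sas(text: str) -> List[EspSa]:
    """Return the ESP SAs that provide no confidentiality."""
    return [sa for sa in parse_setkey_dump(text) if not sa.is_confidential()]
```

Run it against a real `setkey -D` capture; an empty result from `unencrypted_sas` confirms every ESP SA the kernel installed carries a cipher, and a non-empty one names the SAs to look at by SPI.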