[strongSwan] newbie question: Win7-StrongSwan: ESP confidentiality is None while on Linux box it looks fine
Alexander Lyakas
alex.bolshoy at gmail.com
Thu Mar 1 10:06:02 CET 2012
Sorry about forgetting to put the subject, resending with subject...
On Thu, Mar 1, 2012 at 11:02 AM, Alexander Lyakas
<alex.bolshoy at gmail.com> wrote:
> Greetings everybody,
> I am trying to setup a basic client-to-server secured connection with
> ESP in transport mode. The server is ubuntu-natty 2.6.38-8 with stock
> strongswan package 4.5.0. The server is using pre-shared keys. On the
> server I am using IKEv1 only at this point. The client is a Win7 box.
> It is configured using Windows Firewall Advanced Snap-In to always
> require encryption.
>
> Everything seems to work more or less as expected. However, when the
> IPSec SA is established, in Win7 IP Security Monitor, I see that "ESP
> confidentiality" is "None". When running "setkey -D" on the Linux box
> I can see the encryption is enabled on the SAs:
>
> root at vc-0-0-10-03--109-dev:~# setkey -D
> 172.16.0.158 172.16.4.10
> esp mode=transport spi=1217668046(0x489423ce) reqid=16392(0x00004008)
> E: aes-cbc 58ebcc39 10ecd799 6c784631 261cbeda
> A: hmac-sha1 a0819356 2c08386c c7cb56cc caba9da2 0e7f04e5
> seq=0x00000000 replay=32 flags=0x00000000 state=mature
> created: Feb 16 12:41:36 2012 current: Feb 16 12:41:41 2012
> diff: 5(s) hard: 0(s) soft: 0(s)
> last: Feb 16 12:41:39 2012 hard: 0(s) soft: 0(s)
> current: 52(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 2 hard: 0 soft: 0
> sadb_seq=1 pid=1790 refcnt=0
> 172.16.4.10 172.16.0.158
> esp mode=transport spi=3274301888(0xc329e1c0) reqid=16392(0x00004008)
> E: aes-cbc c915c917 26a25072 02d0d950 05f2d31d
> A: hmac-sha1 1bb2124c 52265cc0 263098f2 c2cd2880 e3fefbfd
> seq=0x00000000 replay=32 flags=0x00000000 state=mature
> created: Feb 16 12:41:36 2012 current: Feb 16 12:41:41 2012
> diff: 5(s) hard: 0(s) soft: 0(s)
> last: Feb 16 12:41:36 2012 hard: 0(s) soft: 0(s)
> current: 244(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 4 hard: 0 soft: 0
> sadb_seq=0 pid=1790 refcnt=0
>
> How can I verify that encryption is really effective? I was trying to
> use Wireshark to capture the traffic, and indeed I see ESP packets
> there, but still not sure at this point.
> I am also posting my server ipsec.conf, please let me know if it makes sense.
> Thanks!
>
> config setup
> charonstart=no
> plutostart=yes
> strictcrlpolicy=no
> uniqueids=yes
> crlcheckinterval=0s
> nocrsend=no
> plutodebug="control lifecycle dns oppo controlmore natt"
> postpluto=
> prepluto=
>
> conn client
> auth=esp
> authby=psk # rsasig, for IKEv2 use leftauth
> auto=start # We need to start all connections, for those peers that
> don't support DPD
> dpdaction=clear # For those peers that support DPD, we expect them to
> reconnect, so we drop their connections
> dpddelay=30s
> dpdtimeout=30s # IKEv1 only
> esp=aes128-sha1 # Add more as needed
> ike=aes128-sha1-modp1024 # Add more as needed
> ikelifetime=3h
> installpolicy=yes
> keyexchange=ikev1 # (for outgoing connection only)
> keyingtries=1 # We should not retry, the client should
> lifetime=1h
> margintime=9m
> pfs=no
> pfsgroup= # For IKEv1 only
> reauth=yes # Relevant only for IKEv2
> rekey=no # Do not initiate rekeying
> type=transport
> # LEFT server
> left=172.16.0.158
> leftallowany=no
> leftauth= # For IKEv2 only
> leftprotoport=tcp
> # RIGHT - client
> right=172.16.4.10
> rightallowany=no
> rightauth= # For IKEv2 only
> rightprotoport=tcp
More information about the Users
mailing list