[strongSwan] newbie question: Win7-StrongSwan: ESP confidentiality is None while on Linux box it looks fine

Alexander Lyakas alex.bolshoy at gmail.com
Thu Mar 1 18:41:55 CET 2012


Hi,
I believe I was looking at a wrong Snap-In.
I was looking at "IP Security Monitor", which I think exists only for
backward compatibility with W2K3 etc.
When checking the "monitoring" part of the "Windows Firewall with
Advanced Security" Snap-In, everything shows correctly.
Does this make sense?

Alex.


On Thu, Mar 1, 2012 at 11:06 AM, Alexander Lyakas
<alex.bolshoy at gmail.com> wrote:
> Sorry about forgetting to put the subject, resending with subject...
>
> On Thu, Mar 1, 2012 at 11:02 AM, Alexander Lyakas
> <alex.bolshoy at gmail.com> wrote:
>> Greetings everybody,
>> I am trying to setup a basic client-to-server secured connection with
>> ESP in transport mode. The server is ubuntu-natty 2.6.38-8 with stock
>> strongswan package 4.5.0. The server is using pre-shared keys. On the
>> server I am using IKEv1 only at this point. The client is a Win7 box.
>> It is configured using Windows Firewall Advanced Snap-In to always
>> require encryption.
>>
>> Everything seems to work more or less as expected. However, when the
>> IPSec SA is established, in Win7 IP Security Monitor, I see that "ESP
>> confidentiality" is "None". When running "setkey -D" on the Linux box
>> I can see the encryption is enabled on the SAs:
>>
>> root at vc-0-0-10-03--109-dev:~# setkey -D
>> 172.16.0.158 172.16.4.10
>>       esp mode=transport spi=1217668046(0x489423ce) reqid=16392(0x00004008)
>>       E: aes-cbc  58ebcc39 10ecd799 6c784631 261cbeda
>>       A: hmac-sha1  a0819356 2c08386c c7cb56cc caba9da2 0e7f04e5
>>       seq=0x00000000 replay=32 flags=0x00000000 state=mature
>>       created: Feb 16 12:41:36 2012   current: Feb 16 12:41:41 2012
>>       diff: 5(s)      hard: 0(s)      soft: 0(s)
>>       last: Feb 16 12:41:39 2012      hard: 0(s)      soft: 0(s)
>>       current: 52(bytes)      hard: 0(bytes)  soft: 0(bytes)
>>       allocated: 2    hard: 0 soft: 0
>>       sadb_seq=1 pid=1790 refcnt=0
>> 172.16.4.10 172.16.0.158
>>       esp mode=transport spi=3274301888(0xc329e1c0) reqid=16392(0x00004008)
>>       E: aes-cbc  c915c917 26a25072 02d0d950 05f2d31d
>>       A: hmac-sha1  1bb2124c 52265cc0 263098f2 c2cd2880 e3fefbfd
>>       seq=0x00000000 replay=32 flags=0x00000000 state=mature
>>       created: Feb 16 12:41:36 2012   current: Feb 16 12:41:41 2012
>>       diff: 5(s)      hard: 0(s)      soft: 0(s)
>>       last: Feb 16 12:41:36 2012      hard: 0(s)      soft: 0(s)
>>       current: 244(bytes)     hard: 0(bytes)  soft: 0(bytes)
>>       allocated: 4    hard: 0 soft: 0
>>       sadb_seq=0 pid=1790 refcnt=0
>>
>> How can I verify that encryption is really effective? I was trying to
>> use Wireshark to capture the traffic, and indeed I see ESP packets
>> there, but still not sure at this point.
>> I am also posting my server ipsec.conf, please let me know if it makes sense.
>> Thanks!
>>
>> config setup
>>        charonstart=no
>>        plutostart=yes
>>        strictcrlpolicy=no
>>        uniqueids=yes
>>        crlcheckinterval=0s
>>        nocrsend=no
>>        plutodebug="control lifecycle dns oppo controlmore natt"
>>        postpluto=
>>        prepluto=
>>
>> conn client
>>        auth=esp
>>        authby=psk # rsasig, for IKEv2 use leftauth
>>        auto=start # We need to start all connections, for those peers that
>> don't support DPD
>>        dpdaction=clear # For those peers that support DPD, we expect them to
>> reconnect, so we drop their connections
>>        dpddelay=30s
>>        dpdtimeout=30s # IKEv1 only
>>        esp=aes128-sha1 # Add more as needed
>>        ike=aes128-sha1-modp1024 # Add more as needed
>>        ikelifetime=3h
>>        installpolicy=yes
>>        keyexchange=ikev1 # (for outgoing connection only)
>>        keyingtries=1 # We should not retry, the client should
>>        lifetime=1h
>>        margintime=9m
>>        pfs=no
>>        pfsgroup= # For IKEv1 only
>>        reauth=yes # Relevant only for IKEv2
>>        rekey=no # Do not initiate rekeying
>>        type=transport
>>        # LEFT server
>>        left=172.16.0.158
>>        leftallowany=no
>>        leftauth= # For IKEv2 only
>>        leftprotoport=tcp
>>        # RIGHT - client
>>        right=172.16.4.10
>>        rightallowany=no
>>        rightauth= # For IKEv2 only
>>        rightprotoport=tcp




More information about the Users mailing list