[strongSwan] newbie question: Win7-StrongSwan: ESP confidentiality is None while on Linux box it looks fine
Alexander Lyakas
alex.bolshoy at gmail.com
Thu Mar 1 18:41:55 CET 2012
Hi,
I believe I was looking at a wrong Snap-In.
I was looking at "IP Security Monitor", which I think exists only for
backward compatibility with W2K3 etc.
When checking the "monitoring" part of the "Windows Firewall with
Advanced Security" Snap-In, everything shows correctly.
Does this make sense?
Alex.
On Thu, Mar 1, 2012 at 11:06 AM, Alexander Lyakas
<alex.bolshoy at gmail.com> wrote:
> Sorry about forgetting to put the subject, resending with subject...
>
> On Thu, Mar 1, 2012 at 11:02 AM, Alexander Lyakas
> <alex.bolshoy at gmail.com> wrote:
>> Greetings everybody,
>> I am trying to set up a basic client-to-server secured connection with
>> ESP in transport mode. The server is ubuntu-natty 2.6.38-8 with stock
>> strongswan package 4.5.0. The server is using pre-shared keys. On the
>> server I am using IKEv1 only at this point. The client is a Win7 box.
>> It is configured using Windows Firewall Advanced Snap-In to always
>> require encryption.
>>
>> Everything seems to work more or less as expected. However, when the
>> IPSec SA is established, in Win7 IP Security Monitor, I see that "ESP
>> confidentiality" is "None". When running "setkey -D" on the Linux box
>> I can see the encryption is enabled on the SAs:
>>
>> root at vc-0-0-10-03--109-dev:~# setkey -D
>> 172.16.0.158 172.16.4.10
>> esp mode=transport spi=1217668046(0x489423ce) reqid=16392(0x00004008)
>> E: aes-cbc 58ebcc39 10ecd799 6c784631 261cbeda
>> A: hmac-sha1 a0819356 2c08386c c7cb56cc caba9da2 0e7f04e5
>> seq=0x00000000 replay=32 flags=0x00000000 state=mature
>> created: Feb 16 12:41:36 2012 current: Feb 16 12:41:41 2012
>> diff: 5(s) hard: 0(s) soft: 0(s)
>> last: Feb 16 12:41:39 2012 hard: 0(s) soft: 0(s)
>> current: 52(bytes) hard: 0(bytes) soft: 0(bytes)
>> allocated: 2 hard: 0 soft: 0
>> sadb_seq=1 pid=1790 refcnt=0
>> 172.16.4.10 172.16.0.158
>> esp mode=transport spi=3274301888(0xc329e1c0) reqid=16392(0x00004008)
>> E: aes-cbc c915c917 26a25072 02d0d950 05f2d31d
>> A: hmac-sha1 1bb2124c 52265cc0 263098f2 c2cd2880 e3fefbfd
>> seq=0x00000000 replay=32 flags=0x00000000 state=mature
>> created: Feb 16 12:41:36 2012 current: Feb 16 12:41:41 2012
>> diff: 5(s) hard: 0(s) soft: 0(s)
>> last: Feb 16 12:41:36 2012 hard: 0(s) soft: 0(s)
>> current: 244(bytes) hard: 0(bytes) soft: 0(bytes)
>> allocated: 4 hard: 0 soft: 0
>> sadb_seq=0 pid=1790 refcnt=0
>>
>> How can I verify that encryption is really effective? I was trying to
>> use Wireshark to capture the traffic, and indeed I see ESP packets
>> there, but still not sure at this point.
>> I am also posting my server ipsec.conf, please let me know if it makes sense.
>> Thanks!
>>
>> config setup
>> charonstart=no
>> plutostart=yes
>> strictcrlpolicy=no
>> uniqueids=yes
>> crlcheckinterval=0s
>> nocrsend=no
>> plutodebug="control lifecycle dns oppo controlmore natt"
>> postpluto=
>> prepluto=
>>
>> conn client
>> auth=esp
>> authby=psk # rsasig, for IKEv2 use leftauth
>> auto=start # We need to start all connections, for those peers that don't support DPD
>> dpdaction=clear # For those peers that support DPD, we expect them to reconnect, so we drop their connections
>> dpddelay=30s
>> dpdtimeout=30s # IKEv1 only
>> esp=aes128-sha1 # Add more as needed
>> ike=aes128-sha1-modp1024 # Add more as needed
>> ikelifetime=3h
>> installpolicy=yes
>> keyexchange=ikev1 # (for outgoing connection only)
>> keyingtries=1 # We should not retry, the client should
>> lifetime=1h
>> margintime=9m
>> pfs=no
>> pfsgroup= # For IKEv1 only
>> reauth=yes # Relevant only for IKEv2
>> rekey=no # Do not initiate rekeying
>> type=transport
>> # LEFT server
>> left=172.16.0.158
>> leftallowany=no
>> leftauth= # For IKEv2 only
>> leftprotoport=tcp
>> # RIGHT - client
>> right=172.16.4.10
>> rightallowany=no
>> rightauth= # For IKEv2 only
>> rightprotoport=tcp
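As an added illustration (not part of the thread) of the question "how can I verify that encryption is really effective?": the Python below parses the ESP header (SPI and sequence number) from a raw packet and applies the check a capture reviewer does by eye, namely whether the ESP payload is opaque or still contains a readable TCP header and application data, as it would under NULL encryption. The packets, the SHA-256-derived stand-in for ciphertext and the thresholds are all constructed here; only the SPI is taken from the setkey output above.

```python
import math
import struct
import hashlib

def esp_packet(spi: int, seq: int, payload: bytes) -> bytes:
    """ESP header (RFC 4303: 4-byte SPI, 4-byte sequence number) + payload."""
    return struct.pack("!II", spi, seq) + payload

def pseudo_ciphertext(n: int) -> bytes:
    """Deterministic stand-in for AES-CBC output (constructed, not real ciphertext)."""
    out, block = b"", b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext approaches 8, plaintext is well below."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def longest_printable_run(data: bytes) -> int:
    """Length of the longest run of printable ASCII, a plaintext tell-tale."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if 32 <= b < 127 else 0
        best = max(best, cur)
    return best

def inspect_esp(pkt: bytes) -> dict:
    """Parse SPI/seq and judge whether the ESP payload looks encrypted."""
    spi, seq = struct.unpack("!II", pkt[:8])
    payload = pkt[8:]  # IV + ciphertext + trailer + ICV, or plaintext under NULL
    ent, run = shannon_entropy(payload), longest_printable_run(payload)
    # Thresholds are constructed heuristics: NULL encryption (RFC 2410) leaves the
    # inner TCP header and application data readable; AES-CBC output does not.
    return {"spi": spi, "seq": seq, "entropy": round(ent, 2),
            "printable_run": run, "looks_encrypted": ent > 7.0 and run < 16}

# Constructed packets, reusing the SPI printed by setkey -D in the thread.
ENCRYPTED = esp_packet(0x489423CE, 1, pseudo_ciphertext(1024))
TCP_HDR = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
NULL_ENC = esp_packet(0x489423CE, 2, TCP_HDR + b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in (("aes-cbc", ENCRYPTED), ("null", NULL_ENC)):
        print(name, inspect_esp(pkt))
```

On a live capture, feed `inspect_esp` the bytes following the IP header of each protocol-50 packet; the SPI it reports should match the `spi=` values shown by `setkey -D`, and the verdict should be "encrypted" for every SA whose `E:` line names a real cipher.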