[strongSwan] null ciphering in stronswan and non-root execution of ipsec status

Martin Willi martin at strongswan.org
Tue Nov 27 09:28:44 CET 2012

Hi Zhiheng,

> I have a sniffing and debugging need to examine the packets over the
> wire. Does strongswan 5.0.1 support null ciphering?  If yes, how can I
> configure it?

You can use a NULL cipher in ESP packets by using the "null" encryption
algorithm in the "esp" ipsec.conf keyword. NULL encryption in IKE
packets is not supported, as it is considered insecure.

> When checking the status, I need to be root in order to run the
> command ipsec status. Would it be possible to run this status command
> without being the root? I understand that the many options to the
> ipsec command require root privilege, but is there a way to do the
> status only as a normal user?

The charon daemon can drop most of its capabilities and switch to a
non-root user, see [1]. The Unix socket at /var/run/charon.ctl is set up
with permissions for the same user. Alternatively, you can run charon as
root, but change socket permissions just after startup to use it with a
different user.



More information about the Users mailing list