[strongSwan] null ciphering in strongswan and non-root execution of ipsec status

Martin Willi martin at strongswan.org
Tue Nov 27 09:28:44 CET 2012


Hi Zhiheng,

> I have a sniffing and debugging need to examine the packets over the
> wire. Does strongswan 5.0.1 support null ciphering?  If yes, how can I
> configure it?

You can use a NULL cipher in ESP packets by using the "null" encryption
algorithm in the "esp" ipsec.conf keyword. NULL encryption in IKE
packets is not supported, as it is considered insecure.

> When checking the status, I need to be root in order to run the
> command ipsec status. Would it be possible to run this status command
> without being the root? I understand that the many options to the
> ipsec command require root privilege, but is there a way to do the
> status only as a normal user?

The charon daemon can drop most of its capabilities and switch to a
non-root user, see [1]. The Unix socket at /var/run/charon.ctl is set up
with permissions for the same user. Alternatively, you can run charon as
root, but change socket permissions just after startup to use it with a
different user.

Regards
Martin

[1] http://wiki.strongswan.org/projects/strongswan/wiki/ReducedPrivileges
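Added example, not part of the list post and not strongSwan project code, covering both answers above: a check that the "null" ESP encryption algorithm is confined to the debugging conn, and the "run charon as root, then change socket permissions" approach for non-root "ipsec status". It assumes the documented "esp=" ipsec.conf keyword, the default socket path /var/run/charon.ctl, and a hypothetical group named "ipsec-status" whose members may query status; the ipsec.conf it scans is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the strongSwan project or the list post).
# Assumptions: ipsec.conf uses the "esp=" keyword, the charon control socket
# is /var/run/charon.ctl, and a group "ipsec-status" exists for users who
# may run "ipsec status".

# Print the name of every conn whose esp= proposal uses the "null" encryption
# algorithm. Lets an operator confirm NULL ESP is used only by the conn set
# up for packet inspection and has not leaked into production conns.
list_null_esp_conns() {
    conf="$1"
    awk '
        /^[ \t]*conn[ \t]+/ { name = $2 }
        /^[ \t]*esp[ \t]*=/ {
            sub(/^[ \t]*esp[ \t]*=[ \t]*/, "")
            # proposals are comma-separated, each one alg-alg-...;
            # a trailing "!" (strict proposal) is not part of an algorithm name
            n = split($0, props, ",")
            for (i = 1; i <= n; i++) {
                m = split(props[i], parts, "-")
                for (j = 1; j <= m; j++) {
                    p = parts[j]; sub(/!$/, "", p)
                    if (p == "null") { print name; next }
                }
            }
        }
    ' "$conf"
}

# Give members of GROUP access to the charon control socket so they can run
# "ipsec status" without being root. Run as root right after starting charon;
# waits up to TIMEOUT seconds (default 10) for the socket to appear.
grant_socket_to_group() {
    sock="$1"; group="$2"; timeout="${3:-10}"
    while [ ! -e "$sock" ] && [ "$timeout" -gt 0 ]; do
        sleep 1; timeout=$((timeout - 1))
    done
    [ -e "$sock" ] || { echo "socket $sock did not appear" >&2; return 1; }
    # owner (root) keeps rw, the group gets rw, everyone else nothing
    chgrp "$group" "$sock" && chmod 660 "$sock"
}

# Permission string as shown by ls, e.g. "srw-rw----" for a Unix socket.
socket_mode() { ls -ld "$1" | cut -c1-10; }

# Constructed sample ipsec.conf: one production conn, one debugging conn.
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup

conn %default
    keyexchange=ikev2

conn office
    left=192.0.2.1
    right=198.51.100.1
    esp=aes128gcm16-modp2048!
    auto=start

conn debug-capture
    left=192.0.2.1
    right=198.51.100.2
    esp=null-sha256!
    auto=add
EOF
}

# Demo of the config scan on the constructed sample (no root needed).
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
echo "conns with NULL ESP encryption:"
list_null_esp_conns "$demo_conf"
rm -f "$demo_conf"

# Typical use on a real host, as root, right after "ipsec start":
#   grant_socket_to_group /var/run/charon.ctl ipsec-status
```

The socket permission change must be repeated after every charon restart, since the daemon recreates /var/run/charon.ctl with its own default permissions; dropping privileges as described in [1] avoids that step.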