[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?

Noel Kuntze noel at familie-kuntze.de
Mon Apr 21 19:09:49 CEST 2014



Hello bob,

If you look at the packet flow graph[1] of the netfilter part of the Linux kernel, you can see 
that you can indeed do that with the nat table in the FORWARD queue.


You can listen for xfrm events on the security gateway, if it's running Linux, similar to what iproute does.
Look at the part of the source handling "ip xfrm monitor".

I think the easiest way to do what you want is to set up the trusted MITM just literally next to the box terminating the tunnel and send
the newly negotiated keys to your trusted MITM over USB/serial/ssh(?)/other protocols. The trusted MITM then just does something like Wireshark does with ESP traffic.

Regards,
Noel Kuntze

[1] http://inai.de/images/nf-packet-flow.png

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 21.04.2014 18:41, Bob W wrote:
> Hi all,
> 
>   please redirect me to a better list if this is not the right place to
> ask the question.
> 
> Does anyone know of a product which would allow me to sit on the IP
> links in bridge mode (using Linux) and become a "trusted" man in the
> middle?  Is it even possible to be a trusted man in the middle of an
> IPsec connection if you know the pass phrases, configurations, etc. that
> are configured in the gateway?
> 
>    By trusted, I mean that the linux box would be operated by the same
> folks managing the IPsec connections, so there would be access to the
> pass phrases, configurations, etc. of the security gateway.
> 
> I need access to the IP traffic which is using IPsec IKEv2 tunnel mode.
> I don't want to have to reconfigure the network.  I know that Wireshark
> can do some of this, for example in the ESP protocol settings.
> 
> What information would be needed from the security gateway specifically
> to be able to accomplish something like this? Can the IKEv2 messaging
> be watched constantly to see the negotiated pass phrases that are used to
> encrypt the tunnel packets?
> 
> 
> sorry, i'm a bit new to the IPsec stuff, so please excuse the newbie.
> 
> 
> thanks
> 
> Bob
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 
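Noel's suggestion above (pull the negotiated ESP keys out of the kernel's xfrm state on the gateway, hand them to the trusted box, and then do what Wireshark does with ESP), as an added worked example in Python. This is not code from the thread or from the strongSwan project. It parses a constructed `ip xfrm state` dump (made-up addresses, SPIs and keys), emits one row per SA in the layout of Wireshark's ESP SA table, and verifies the HMAC-SHA1-96 ICV on an ESP packet with the per-SA auth key from that dump. The Wireshark algorithm labels and the esp_sa row layout are assumptions to check against the Wireshark version in use; the decryption half (AES-CBC with the `enc` key) is left out because it needs a crypto library beyond the standard library.

```python
import hashlib
import hmac
import re
import struct

# Constructed sample of `ip xfrm state` output for one IKEv2 tunnel (two ESP SAs,
# one per direction). Addresses, SPIs and keys are made up, not from a real gateway.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0xc1a2b3d4 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x0123456789abcdef0123456789abcdef01234567 96
\tenc cbc(aes) 0x00112233445566778899aabbccddeeff
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 198.51.100.1 dst 192.0.2.1
\tproto esp spi 0xd4b3a2c1 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x76543210fedcba9876543210fedcba9876543210 96
\tenc cbc(aes) 0xffeeddccbbaa99887766554433221100
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""

# Kernel algorithm name -> label used in Wireshark's ESP SA table (esp_sa UAT).
# Assumption: these labels match the Wireshark build in use; verify before relying on them.
WIRESHARK_ALGS = {
    "cbc(aes)": "AES-CBC [RFC3602]",
    "hmac(sha1)": "HMAC-SHA-1-96 [RFC2404]",
}


def parse_xfrm_state(text):
    """Return a list of SA dicts: src, dst, proto, spi, mode, enc/auth algorithms and raw keys."""
    sas, cur = [], None
    for raw in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)", raw)  # unindented line starts a new SA
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        m = re.match(r"proto (\w+) spi (0x[0-9a-fA-F]+) .*?mode (\w+)", line)
        if m:
            cur["proto"], cur["spi"], cur["mode"] = m.group(1), int(m.group(2), 16), m.group(3)
        m = re.match(r"auth-trunc (\S+) 0x([0-9a-fA-F]+) (\d+)", line)
        if m:  # truncated-MAC auth: algorithm, key, ICV length in bits
            cur["auth_alg"] = m.group(1)
            cur["auth_key"] = bytes.fromhex(m.group(2))
            cur["icv_bits"] = int(m.group(3))
        m = re.match(r"enc (\S+) 0x([0-9a-fA-F]+)", line)
        if m:
            cur["enc_alg"], cur["enc_key"] = m.group(1), bytes.fromhex(m.group(2))
    return sas


def wireshark_esp_sa_line(sa):
    """One esp_sa row: protocol, src, dst, SPI, enc alg, enc key, auth alg, auth key (assumed layout)."""
    fields = [
        "IPv4", sa["src"], sa["dst"], "0x%08x" % sa["spi"],
        WIRESHARK_ALGS[sa["enc_alg"]], "0x" + sa["enc_key"].hex(),
        WIRESHARK_ALGS[sa["auth_alg"]], "0x" + sa["auth_key"].hex(),
    ]
    return ",".join('"%s"' % f for f in fields)


def find_sa(sas, spi):
    """Inbound SA lookup is by SPI, exactly as the receiving gateway does it."""
    for sa in sas:
        if sa.get("proto") == "esp" and sa["spi"] == spi:
            return sa
    return None


def build_esp_packet(sa, seq, ciphertext):
    """Constructed ESP packet with the IP header stripped: SPI, sequence number, payload, truncated ICV.
    `ciphertext` stands in for AES-CBC output; no encryption is performed here."""
    body = struct.pack("!II", sa["spi"], seq) + ciphertext
    icv = hmac.new(sa["auth_key"], body, hashlib.sha1).digest()[: sa["icv_bits"] // 8]
    return body + icv


def verify_esp_icv(packet, sas):
    """Check the HMAC-SHA1-96 ICV over SPI + seq + payload (RFC 4303 layout) using the SA's auth key."""
    if len(packet) < 8:
        return False
    spi, _seq = struct.unpack("!II", packet[:8])
    sa = find_sa(sas, spi)
    if sa is None or sa.get("auth_alg") != "hmac(sha1)":
        return False
    icv_len = sa["icv_bits"] // 8
    if len(packet) < 8 + icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha1).digest()[:icv_len]
    return hmac.compare_digest(expected, icv)


if __name__ == "__main__":
    sas = parse_xfrm_state(SAMPLE_XFRM_STATE)
    for sa in sas:
        print(wireshark_esp_sa_line(sa))
    pkt = build_esp_packet(sas[0], 1, bytes(32))
    print("ICV ok:", verify_esp_icv(pkt, sas))
```

On a real gateway the input would be the output of `ip xfrm state` (as root), and since the SAs are replaced on every rekey, the trusted box has to re-read it on the xfrm events Noel mentions rather than once. The answer to Bob's "what information is needed" question is visible in the parsed dict: per direction, the SPI, mode, both algorithms and both keys; the auth key is enough to tell genuine ESP from forged or modified packets, the enc key is what goes into Wireshark's ESP preferences to see the plaintext.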

