[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?

Noel Kuntze noel at familie-kuntze.de
Mon Apr 21 19:09:49 CEST 2014


Hello bob,

If you look at the packet flow graph[1] of the netfilter part of the Linux kernel, you can see 
that you can indeed do that with the nat table in the FORWARD queue.

You can listen for xfrm events on the security gateway, if it's running Linux, similar to what iproute does.
Look at the part of the source handling "ip xfrm monitor".

I think the easiest way to do what you want is to set up the trusted MITM just literally next to the box terminating the tunnel and send
the new negotiated keys to your trusted MITM over USB/serial/ssh(?)/other protocols. The trusted MITM then just does something like Wireshark does with ESP traffic.

Noel Kuntze

[1] http://inai.de/images/nf-packet-flow.png

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 21.04.2014 18:41, Bob W wrote:
> Hi all,
>   please redirect me to a better list if this is not the right place to
> ask the question.
> Does anyone know of a product which would allow me to sit on the ip
> links in bridge mode(using Linux) and become a "Trusted" man in the
> middle?  Is it even possible to be a Trusted man in the middle of an
> ipsec connection if you know the pass phrases, configurations, etc that
> are configured in the gateway.
>    By trusted, I mean that the linux box would be operated by the same
> folks managing the IPsec connections, so there would be access to the
> pass phrases, configurations, etc. of the security gateway.
> I need access to the ip traffic which is using ipsec ike v2 tunnel mode.
>  I don't want to have to reconfigure the network.  I know that Wireshark
> can do some of this, for example in the ESP protocol settings.
> What information would be needed from the Security gateway specifically
> to be able to accomplish something like this? Can the ike v2 messaging
> be watched constantly to see the negotiated pass phrases that are used to
> encrypt the tunnel packets?
> sorry, I'm a bit new to the IPsec stuff, so please excuse the newbie.
> thanks
> Bob
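As an added example that is not part of this thread and not strongSwan code: Noel's suggestion is to read the negotiated SAs off the gateway's kernel xfrm state and hand them to the monitoring box, which then matches the SPI of each captured ESP packet to the right SA the way Wireshark's ESP dissector does. The parser below reads the text format that `ip xfrm state` prints (the "src ... dst ..." header line followed by indented proto/enc/auth-trunc/aead lines, as I know it from iproute2; keys and addresses in the sample are constructed placeholders, not real SAs) into records, pulls the SPI and sequence number out of an ESP header, and looks up the matching SA. Decryption itself is left to the tool consuming the records.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `ip xfrm state` output for one tunnel (both directions).
# Keys are placeholder hex values, not real key material.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0x0a1b2c3d reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 128
\tenc cbc(aes) 0xffeeddccbbaa99887766554433221100
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 198.51.100.1 dst 192.0.2.1
\tproto esp spi 0x4e5f6071 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x0123456789abcdef0123456789abcdef01234567 128
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""


@dataclass
class XfrmSA:
    """One kernel security association as exported by the gateway."""
    src: str
    dst: str
    proto: str
    spi: int
    reqid: int
    mode: str
    enc_alg: Optional[str] = None        # e.g. cbc(aes)
    enc_key: Optional[bytes] = None
    auth_alg: Optional[str] = None       # e.g. hmac(sha256)
    auth_key: Optional[bytes] = None
    auth_trunc_bits: Optional[int] = None
    aead_alg: Optional[str] = None       # e.g. rfc4106(gcm(aes)), key includes the salt
    aead_key: Optional[bytes] = None
    icv_bits: Optional[int] = None


HEADER_RE = re.compile(r"^src (\S+) dst (\S+)$")
PROTO_RE = re.compile(r"^proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)$")
ENC_RE = re.compile(r"^enc (\S+) (0x[0-9a-fA-F]+)$")
AUTH_RE = re.compile(r"^auth-trunc (\S+) (0x[0-9a-fA-F]+) (\d+)$")
AEAD_RE = re.compile(r"^aead (\S+) (0x[0-9a-fA-F]+) (\d+)$")


def parse_xfrm_state(text: str) -> List[XfrmSA]:
    """Parse `ip xfrm state` text into XfrmSA records, one per src/dst/proto/spi block."""
    sas: List[XfrmSA] = []
    pending: Optional[Tuple[str, str]] = None   # src/dst seen, proto line not yet seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            pending = (m.group(1), m.group(2))
            continue
        if pending and (m := PROTO_RE.match(line)):
            sas.append(XfrmSA(pending[0], pending[1], m.group(1),
                              int(m.group(2), 16), int(m.group(3)), m.group(4)))
            pending = None
            continue
        if not sas:
            continue
        sa = sas[-1]   # remaining indented lines belong to the most recent SA
        if (m := ENC_RE.match(line)):
            sa.enc_alg, sa.enc_key = m.group(1), bytes.fromhex(m.group(2)[2:])
        elif (m := AUTH_RE.match(line)):
            sa.auth_alg = m.group(1)
            sa.auth_key = bytes.fromhex(m.group(2)[2:])
            sa.auth_trunc_bits = int(m.group(3))
        elif (m := AEAD_RE.match(line)):
            sa.aead_alg = m.group(1)
            sa.aead_key = bytes.fromhex(m.group(2)[2:])
            sa.icv_bits = int(m.group(3))
    return sas


def parse_esp_header(payload: bytes) -> Tuple[int, int]:
    """Return (SPI, sequence number) from the first 8 bytes of an ESP payload (RFC 4303)."""
    if len(payload) < 8:
        raise ValueError("ESP payload shorter than its 8-byte header")
    spi, seq = struct.unpack("!II", payload[:8])
    return spi, seq


def match_sa(sas: List[XfrmSA], spi: int, dst: str) -> Optional[XfrmSA]:
    """Find the inbound ESP SA for a captured packet; SPI is only unique per destination."""
    for sa in sas:
        if sa.proto == "esp" and sa.spi == spi and sa.dst == dst:
            return sa
    return None


if __name__ == "__main__":
    sas = parse_xfrm_state(SAMPLE_XFRM_STATE)
    # Constructed ESP packet: header for the second SA followed by dummy ciphertext.
    pkt = struct.pack("!II", 0x4E5F6071, 7) + b"\x00" * 16
    spi, seq = parse_esp_header(pkt)
    sa = match_sa(sas, spi, "192.0.2.1")
    print(f"spi=0x{spi:08x} seq={seq} -> {sa.aead_alg if sa else 'no SA'}")
```

Whatever channel carries the exported SAs to the monitoring box (Noel mentions USB, serial or ssh), it carries the tunnel's session keys, so it needs at least the confidentiality and authentication the tunnel itself provides, and the records should be dropped as soon as the kernel expires the SA.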

