[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?
Noel Kuntze
noel at familie-kuntze.de
Mon Apr 21 19:11:08 CEST 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
What I forgot to mention: You need to actively impersonate a peer, because the keys are negotiated over DH with an identity proof (See RFC4 306).
That means you need the secrets of your side.
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
Am 21.04.2014 18:41, schrieb Bob W:
> Hi all,
>
> please redirect me to a better list if this is not the right place to
> ask the question.
>
> Does anyone know of a product which would allow me to sit on the ip
> links in bridge mode(using Linux) and become a "Trusted" man in the
> middle? Is it even possibly to be a Trusted man in the middle of an
> ipsec connection if you know the pass phases, configurations, etc that
> are configured in the gateway.
>
> By trusted, I mean that the linux box would be operated by the same
> folks managing the IPsec connections, so there would be access to the
> pass phrases, configurations, etc. of the security gateway.
>
> I need access to the ip traffic which is using ipsec ike v2 tunnel mode.
> I dont want to have to reconfigure the network. I know that Wireshark
> can do some of this, for example in the ESP protocol settings.
>
> What information would be needed from the Security gateway specifically
> to be able to accomplish something like this? Can the ike v2 messaging
> be watched constantly to see the negotiated pass phases that are used to
> encrypt the tunnel packets?
>
>
> sorry, i'm a bit new to the IPsec stuff, so please excuse the newbie.
>
>
> thanks
>
> Bob
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQIcBAEBAgAGBQJTVVEsAAoJEDg5KY9j7GZY6BQP/jsMKBiDWQKWuE31VDmZ2AN6
A1EQHjRryQNDqFReeXCrcNbkjvNRWYgMrqLc89/NvggWZfGve06BzWkPcgQ0Ezfv
OdKwdTCPUDS2N53UtquMA67NphfB7jUG5YD1Jwk8Ur+YVZAr/hZYiHNM0YOhiSGy
plqqUOlMNjC7Ln0NnyyPodeKvXRm9/c0R1/pHS59gCjc5M6uXdnAiuhSx9Ze3vCk
o/G6vJTKuFGl6XvJ18SJwu9MVSAVPZws74rvyK/0Zyv2W5q/azH9TWemIdy3pklV
IrF00S9JhnDGIvYsEGUKrqvV6H8xRQdKZ0qaH1Ch+CLACuczpRfyvxCJAZEenQGz
rrYtsEyCG4r6k/5KgZTa3nkvQ14xM5E+9HY6jBkaR1QgDSyffj98tWNkZ4nWxOjM
8ah9IaOgsq7SldjS+Ktbc4daipcUVF/HmliU3qWhoCd7ORw9JijFzpemnDMCYgym
yIThYKCp8VBrBgHM2PEvWQz/AvBOnY47xuoblPnYm65UySDXuMH/wGzgIbQJHeZh
2dmmeUHed9JgN8VDjB/wVZHN2wQOF5K8lvZzl1YdXnfwqPLk1HlPfr0qWWosSt0I
cZVmxTFyDxygd34hYK1LjM2mC2zWtzseZHIi0py+eAUh/QnOH3eqBvA0a+zKYsWF
tNQZ2nWfriHs0wRLVTIv
=T4ma
-----END PGP SIGNATURE-----
More information about the Users
mailing list