[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?

Bob W bob.news at non-elite.com
Mon Apr 21 21:20:42 CEST 2014


Hi Noel,

  Thanks for the response.  I think getting the packets off the wire is
the easy part, as well as running the decryption on the ESP.  It is the
key negotiation, as you state, which is the big challenge.  I

access to the end nodes to get the negotiated key would be nice and easy
but not easily obtained.

I am trying to be a trusted middle man in a network, specifically on the
Sat links which are carrying ipsec ip traffic.  To get better
compression on the traffic, I would like to take the ip traffic out of
the ipsec tunnel on one side and put it back in the tunnel on the other side
of the link.

The boxes I have to do this would not be near the security gateway or
end node per se.

So really, it comes down to the key negotiation and, as you say, "actively
impersonate a peer".   So the question is: how can you do that?  Is it
possible if I have configuration data from the gateway alone?  Or do I
need the identity proof from the end node as well?

I am trying to work through the RFC... and ten million other things at
the same time.


Bob



On 4/21/2014 12:11 PM, Noel Kuntze wrote:
> What I forgot to mention: You need to actively impersonate a peer, because the keys are negotiated over DH with an identity proof (see RFC 4306).
> That means you need the secrets of your side.