[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?

Noel Kuntze noel at familie-kuntze.de
Mon Apr 21 22:46:49 CEST 2014


Hello Bob,

Then just add the IP of the security gateway to the box on the first side of the sat link and set up an ipsec daemon there. Then create a route for the traffic over the sat link to the other side of it and do the same thing there. You also need to somehow get the states between the two distinct tunnels synchronised, so the first side doesn't notice you mitm the connection. You just need the authentication data (rsa key pair, passphrase, user/password pair, ...) and a fitting configuration of the targeted gateway to impersonate it.

Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 21.04.2014 21:20, Bob W wrote:
> Hi Noel,
>   Thanks for the response.  I think getting the packets off the wire is
> the easy part as well as running the decryption on the ESP.  It is the
> key negotiation as you state which is the big challenge.  I
> access to the end nodes to get the negotiated key would be nice and easy
> but not easily obtained.
> I am trying to be a trusted middle man in a network, specifically on the
> Sat links which are carrying ipsec ip traffic.  To get better
> compression on the traffic, I would like to take the ip traffic out of
> the ipsec tunnel on one side and put it back in the tunnel on the other side
> of the link.
> The boxes I have to do this would not be near the security gateway or
> end node per se.
> So really, it comes down to the key negotiation and as you say "actively
> impersonate a peer".   So the question is how can you do that? Is it
> possible if I have configuration data from the gateway alone?  Or do I
> need the identity proof from the end node as well?
> I am trying to work through the RFC... and ten million other things at
> the same time.
> Bob
> On 4/21/2014 12:11 PM, Noel Kuntze wrote:
>> What I forgot to mention: You need to actively impersonate a peer, because the keys are negotiated over DH with an identity proof (See RFC 4306).
>> That means you need the secrets of your side.

