[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?

Noel Kuntze noel at familie-kuntze.de
Mon Apr 21 22:46:49 CEST 2014



Hello Bob,

Then just add the IP of the security gateway to the box on the first side of the sat link and set up an ipsec daemon there. Then create a route for the traffic over the sat link to the other side of it and do the same thing there. You also need to somehow get the states between the two distinct tunnels synchronised, so the first side doesn't notice you mitm the connection. You just need the authentication data (rsa key pair, passphrase, user/password pair, ...) and a fitting configuration of the targeted gateway to impersonate it.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 21.04.2014 21:20, Bob W wrote:
> 
> Hi Noel,
> 
>   Thanks for the response.  I think getting the packets off the wire is
> the easy part as well as running the decryption on the ESP.  It is the
> key negotiation as you state which is the big challenge.  I
> 
> access to the end nodes to get the negotiated key would be nice and easy
> but not easily obtained.
> 
> I am trying to be a trusted middle man in a network, specifically on the
> Sat links which are carrying ipsec ip traffic.  To get better
> compression on the traffic, I would like to take the ip traffic out of
> the ipsec tunnel on one side and put it back in the tunnel on the other side
> of the link.
> 
> The boxes I have to do this would not be near the security gateway or
> end node per se.
> 
> So really, it comes down to the key negotiation and as you say "actively
> impersonate a peer".   So the question is how can you do that? Is it
> possible if I have configuration data from the gateway alone?  Or do I
> need the identity proof from the end node as well?
> 
> I am trying to work through the RFC... and ten million other things at
> the same time.
> 
> 
> Bob
> 
> 
> 
> On 4/21/2014 12:11 PM, Noel Kuntze wrote:
>> What I forgot to mention: You need to actively impersonate a peer, because the keys are negotiated over DH with an identity proof (See RFC 4306).
>> That means you need the secrets of your side.
>>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
> 
