[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?

Bob W bob.news at non-elite.com
Wed Apr 23 23:17:30 CEST 2014


OK, trying to do more reading before asking the dumb questions, but will
go ahead anyway.

The interface over the Sat links is a telecom interface, specifically
the Iuh interface in a 3G network (nodeB to Gateway interface). The
spec (3GPP TS 33.210) says it uses IPsec IKEv2 tunnel mode.

So for the traffic I am trying to see, I need to concern myself with
just the ESP and Auth Headers, not so much the IPsec IKEv2 protocol
packets.

So the question is: if I have the Security Association (SA) info, like
source/dest IP, the Security Parameter Index (SPI), the encryption algorithms and
keys, I should be able to decode and then re-encode the packets, right?

The question is the keys for the ESP/AH: are they static? If so, where
are they in the security gateway? If they are dynamic (change from time
to time), where are they in the security gateway? And the dynamic ones,
how are they changing? Is that a function of the IPsec IKEv2 stuff?


Sorry for the newbie understanding...

Bob




On 4/21/2014 3:19 PM, Jakob Curdes wrote:
> 
> Am 21.04.2014 18:41, schrieb Bob W:
>> Hi all,
>>
>>    Please redirect me to a better list if this is not the right place to
>> ask the question.
>>
>> Does anyone know of a product which would allow me to sit on the IP
>> links in bridge mode (using Linux) and become a "trusted" man in the
>> middle?  Is it even possible to be a trusted man in the middle of an
>> IPsec connection if you know the passphrases, configurations, etc. that
>> are configured in the gateway?
> IPsec has been designed so that this is not possible. Even if you know
> the credentials etc., you cannot play man in the middle without breaking
> the connection.
> You will need to reconfigure the connections themselves to achieve what
> you want, even if you have all the information that the peers have.
> JC
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
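The question above about whether the ESP/AH keys are static and where they come from is answered by the IKEv2 key derivation in RFC 7296 (sections 2.13 and 2.17): the CHILD_SA keys are not configured anywhere, they are derived as KEYMAT = prf+(SK_d, Ni | Nr) from the IKE SA's SK_d and the nonces of the exchange that created the CHILD_SA (with g^ir prepended when PFS is used), and every rekey produces fresh keys. The following is an added worked example written for this thread; it is not code from the list or from the strongSwan project. It assumes HMAC-SHA256 as the negotiated PRF, 16-byte encryption keys and 20-byte integrity keys (as for AES-CBC-128 with HMAC-SHA1-96), and uses constructed sample values for SK_d and the nonces.

```python
"""IKEv2 CHILD_SA (ESP/AH) key derivation per RFC 7296 sections 2.13 and 2.17.

Added example; assumes HMAC with a negotiated hash as the prf and uses
constructed sample inputs, not values from any real IKE exchange.
"""
import hashlib
import hmac
from typing import Dict, Optional


def prf_plus(key: bytes, seed: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 7296 2.13 prf+: T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n).

    Output is the concatenation T1 | T2 | ... truncated to `length` bytes.
    """
    output = b""
    previous = b""
    counter = 1
    while len(output) < length:
        if counter > 255:
            raise ValueError("prf+ is limited to 255 iterations (RFC 7296 2.13)")
        previous = hmac.new(key, previous + seed + bytes([counter]), hash_name).digest()
        output += previous
        counter += 1
    return output[:length]


def derive_child_sa_keys(sk_d: bytes, ni: bytes, nr: bytes,
                         enc_key_len: int, integ_key_len: int,
                         g_ir: Optional[bytes] = None,
                         hash_name: str = "sha256") -> Dict[str, bytes]:
    """Split KEYMAT = prf+(SK_d, [g^ir |] Ni | Nr) into the four CHILD_SA keys.

    RFC 7296 2.17 order: initiator->responder encryption key, then its
    integrity key, then responder->initiator encryption key, then integrity.
    g_ir is only present when the CHILD_SA was created with PFS.
    """
    seed = (g_ir or b"") + ni + nr
    keymat = prf_plus(sk_d, seed, 2 * (enc_key_len + integ_key_len), hash_name)
    keys: Dict[str, bytes] = {}
    offset = 0
    for name, size in (("sk_ei", enc_key_len), ("sk_ai", integ_key_len),
                       ("sk_er", enc_key_len), ("sk_ar", integ_key_len)):
        keys[name] = keymat[offset:offset + size]
        offset += size
    return keys


# Constructed sample values (not from real traffic). In a live IKE SA, SK_d
# comes from the IKE SA key derivation and the nonces from the exchange
# that created the CHILD_SA (IKE_AUTH or CREATE_CHILD_SA).
SAMPLE_SK_D = hashlib.sha256(b"example SK_d for this thread").digest()
SAMPLE_NI = bytes.fromhex("00" * 8 + "11" * 8)  # 16-byte initiator nonce
SAMPLE_NR = bytes.fromhex("22" * 8 + "33" * 8)  # 16-byte responder nonce


def keys_change_on_rekey() -> bool:
    """A CREATE_CHILD_SA rekey with fresh nonces yields entirely new ESP keys
    even though SK_d is unchanged, which is why no static ESP key exists in
    the gateway configuration."""
    first = derive_child_sa_keys(SAMPLE_SK_D, SAMPLE_NI, SAMPLE_NR, 16, 20)
    second = derive_child_sa_keys(SAMPLE_SK_D, bytes.fromhex("44" * 16),
                                  bytes.fromhex("55" * 16), 16, 20)
    return all(first[name] != second[name] for name in first)


if __name__ == "__main__":
    for name, value in derive_child_sa_keys(SAMPLE_SK_D, SAMPLE_NI, SAMPLE_NR, 16, 20).items():
        print(f"{name}: {value.hex()}")
    print("rekey produced new keys:", keys_change_on_rekey())
```

The practical consequence for the original question: the ESP keys a gateway holds live only in its kernel SA database for the lifetime of that CHILD_SA (strongSwan installs them via XFRM on Linux), and they are replaced on every rekey, so any passive decoding of ESP needs the current per-SA keys rather than anything found in the static configuration.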
