[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?

Dahlberg, David david.dahlberg at fkie.fraunhofer.de
Thu Apr 24 10:33:45 CEST 2014

Am Mittwoch, den 23.04.2014, 16:17 -0500 schrieb Bob W:
> so question is if I have the Security Association (SA) info, like
> source/dest ip, and security param index (SPI) , the encrypt algro's
> and
> keys, I should be able to decode and then re-encode the packets,
> right?

Decode: yes.
Encode: Probably. I have not tried it though.

Be aware that depending on the cipher/mode you probably may or may not
mingle with single packets on their own. In any case you have to check 
/very/ carefully not to destroy any of their cryptographic properties.

So if you really want to modify the streams it would probably be easier
for you to just terminate the IPsec at the middle box.

> question is the keys for the ESP/AH ...  are they static?

The keys for one ESP/AH SA are static. But SAs may be exchanged during
one communication.

> if so, where
> are they in the Security gateway.. if they are dynamic(change from
> time
> to time), where are they in the security gateway?

If the security gateway is a Linux box, try "ip xfrm state show". If it
is a BSD, try "ipsecctl -p". If it is a Cisco, the only way I know of is
to dump the memory and extract it the hard way.

OpenBSD has even a "sasyncd" who's whole purpose it is to synchronize
this data (the SADs) to failover gateways.

>   and the dynamic ones,
> how are they changing?? is that a function of the IPsec IKEv2 stuff?

This is indeed one of the main reason reasons for "the IKE stuff". If
you want only fixed algorithms and never-changing pre-shared keys,
between known hosts, you may key the ESP manually.

Actually this "IKE stuff" is usually all that the "IPsec daemons"
like StronSWAN/charon, racoon, isakmpd, iked and whatnots do.
After the keys and parameters are negotiated, they are fed into the OS
kernel which will then do the transformation (en-/decapsulation,
en-/decryption, signing/verifying) of the actual user traffic.


David Dahlberg     

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany        | Fax: +49-228-856277

More information about the Users mailing list