[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?

Bob W bob.news at non-elite.com
Thu Apr 24 16:40:37 CEST 2014

Thanks everyone(David, Martin, Noel, JC) for the responses... looks like
I have some homework to do.


On 4/24/2014 3:33 AM, Dahlberg, David wrote:
> Am Mittwoch, den 23.04.2014, 16:17 -0500 schrieb Bob W:
>> so question is if I have the Security Association (SA) info, like
>> source/dest ip, and security param index (SPI) , the encrypt algro's
>> and
>> keys, I should be able to decode and then re-encode the packets,
>> right?
> Decode: yes.
> Encode: Probably. I have not tried it though.
> Be aware that depending on the cipher/mode you probably may or may not
> mingle with single packets on their own. In any case you have to check 
> /very/ carefully not to destroy any of their cryptographic properties.
> So if you really want to modify the streams it would probably be easier
> for you to just terminate the IPsec at the middle box.
>> question is the keys for the ESP/AH ...  are they static?
> The keys for one ESP/AH SA are static. But SAs may be exchanged during
> one communication.
>> if so, where
>> are they in the Security gateway.. if they are dynamic(change from
>> time
>> to time), where are they in the security gateway?
> If the security gateway is a Linux box, try "ip xfrm state show". If it
> is a BSD, try "ipsecctl -p". If it is a Cisco, the only way I know of is
> to dump the memory and extract it the hard way.
> OpenBSD has even a "sasyncd" who's whole purpose it is to synchronize
> this data (the SADs) to failover gateways.
>>   and the dynamic ones,
>> how are they changing?? is that a function of the IPsec IKEv2 stuff?
> This is indeed one of the main reason reasons for "the IKE stuff". If
> you want only fixed algorithms and never-changing pre-shared keys,
> between known hosts, you may key the ESP manually.
> Actually this "IKE stuff" is usually all that the "IPsec daemons"
> like StronSWAN/charon, racoon, isakmpd, iked and whatnots do.
> After the keys and parameters are negotiated, they are fed into the OS
> kernel which will then do the transformation (en-/decapsulation,
> en-/decryption, signing/verifying) of the actual user traffic.
> Cheers,
> 	David

More information about the Users mailing list