[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?
Bob W
bob.news at non-elite.com
Thu Apr 24 16:40:37 CEST 2014
Thanks everyone (David, Martin, Noel, JC) for the responses... looks like
I have some homework to do.
Bob
On 4/24/2014 3:33 AM, Dahlberg, David wrote:
> On Wednesday, 23.04.2014, 16:17 -0500, Bob W wrote:
>> so question is if I have the Security Association (SA) info, like
>> source/dest ip, and security param index (SPI), the encrypt algos
>> and
>> keys, I should be able to decode and then re-encode the packets,
>> right?
>
> Decode: yes.
> Encode: Probably. I have not tried it though.
>
> Be aware that depending on the cipher/mode you probably may or may not
> mingle with single packets on their own. In any case you have to check
> /very/ carefully not to destroy any of their cryptographic properties.
>
> So if you really want to modify the streams it would probably be easier
> for you to just terminate the IPsec at the middle box.
>
>> question is the keys for the ESP/AH ... are they static?
>
> The keys for one ESP/AH SA are static. But SAs may be exchanged during
> one communication.
>
>> if so, where
>> are they in the Security gateway.. if they are dynamic(change from
>> time
>> to time), where are they in the security gateway?
>
> If the security gateway is a Linux box, try "ip xfrm state show". If it
> is a BSD, try "ipsecctl -p". If it is a Cisco, the only way I know of is
> to dump the memory and extract it the hard way.
>
> OpenBSD even has a "sasyncd" whose whole purpose is to synchronize
> this data (the SADs) to failover gateways.
>
>> and the dynamic ones,
>> how are they changing?? is that a function of the IPsec IKEv2 stuff?
>
> This is indeed one of the main reasons for "the IKE stuff". If
> you want only fixed algorithms and never-changing pre-shared keys,
> between known hosts, you may key the ESP manually.
>
> Actually this "IKE stuff" is usually all that the "IPsec daemons"
> like strongSwan/charon, racoon, isakmpd, iked and whatnots do.
> After the keys and parameters are negotiated, they are fed into the OS
> kernel which will then do the transformation (en-/decapsulation,
> en-/decryption, signing/verifying) of the actual user traffic.
>
> Cheers,
> David
>
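The "ip xfrm state show" check David mentions, turned into a small defender-side script (an added example, not code from this thread or from strongSwan): it parses constructed sample output of the Linux SAD, deliberately drops the key material so the result can be logged, and diffs two snapshots to surface the SA replacement (rekey) he describes. The addresses, SPIs and keys in the sample are made up.

```python
import re

# Constructed sample of `ip xfrm state` output for one IKEv2 tunnel (both
# directions). Addresses, SPIs and keys are made up; keys are placeholders.
SNAPSHOT_BEFORE = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
src 198.51.100.1 dst 192.0.2.1
\tproto esp spi 0xd4e5f607 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0xffeeddccbbaa99887766554433221100ffeeddcc 128
"""
# Same tunnel after an IKEv2 CHILD_SA rekey: new SPIs in both directions (a
# real rekey installs fresh keys too; the placeholders are reused for brevity).
SNAPSHOT_AFTER = (SNAPSHOT_BEFORE.replace("0xc1a2b3c4", "0x0a1b2c3d")
                                 .replace("0xd4e5f607", "0x1e2f3a4b"))

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SA_PROTO = re.compile(r"proto (\S+) spi (0x[0-9a-f]+) reqid (\d+) mode (\S+)")
SA_ALG = re.compile(r"^\s*(aead|enc|auth-trunc|auth) (\S+) 0x[0-9a-f]+(?: (\d+))?")

def parse_xfrm_state(text):
    """Parse `ip xfrm state` output into a list of SA dicts. The hex key
    material is dropped on purpose: only algorithm names and the trailing
    key/ICV bit length are kept, so the result is safe to log or export."""
    sas = []
    for line in text.splitlines():
        if m := SA_HEADER.match(line):
            sas.append({"src": m[1], "dst": m[2], "algs": []})
        elif not sas:
            continue  # tolerate leading lines that belong to no SA
        elif m := SA_PROTO.search(line):
            sas[-1].update(proto=m[1], spi=int(m[2], 16), reqid=int(m[3]), mode=m[4])
        elif m := SA_ALG.match(line):
            sas[-1]["algs"].append((m[1], m[2], int(m[3]) if m[3] else None))
    return sas

def diff_sas(before, after):
    """Report SAs removed and installed between two snapshots, identified by
    (src, dst, proto, spi). A removal plus an install for the same src/dst
    pair is what an IKE rekey looks like in the SAD; an install with no
    matching removal for a known pair is worth a closer look."""
    key = lambda sa: (sa["src"], sa["dst"], sa["proto"], sa["spi"])
    old = {key(sa) for sa in parse_xfrm_state(before)}
    new = {key(sa) for sa in parse_xfrm_state(after)}
    return {"removed": sorted(old - new), "installed": sorted(new - old)}
```

On a real gateway, feed the script the output of `ip xfrm state` taken at two points in time; it needs root to read the SAD, which is exactly why the key material is stripped before anything is written out.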