[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?

Noel Kuntze noel at familie-kuntze.de
Thu Apr 24 17:33:48 CEST 2014


Hello Bob,
In one of the first messages, you wrote that you wanted to compress the traffic.
Why don't you just use the built-in compression of IPsec?
Just set compress=yes in the configuration and, if the other peer supports it, the traffic will be compressed.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 24.04.2014 16:40, Bob W wrote:
> 
> Thanks everyone(David, Martin, Noel, JC) for the responses... looks like
> I have some homework to do.
> 
> Bob
> 
> 
> 
> On 4/24/2014 3:33 AM, Dahlberg, David wrote:
>> On Wednesday, 23.04.2014, 16:17 -0500, Bob W wrote:
>>> so question is if I have the Security Association (SA) info, like
>>> source/dest ip, and security param index (SPI), the encrypt algos and
>>> keys, I should be able to decode and then re-encode the packets, right?
>>
>> Decode: yes.
>> Encode: Probably. I have not tried it though.
>>
>> Be aware that depending on the cipher/mode you probably may or may not
>> mingle with single packets on their own. In any case you have to check 
>> /very/ carefully not to destroy any of their cryptographic properties.
>>
>> So if you really want to modify the streams it would probably be easier
>> for you to just terminate the IPsec at the middle box.
>>
>>> question is the keys for the ESP/AH ...  are they static?
>>
>> The keys for one ESP/AH SA are static. But SAs may be exchanged during
>> one communication.
>>
>>> if so, where
>>> are they in the Security gateway.. if they are dynamic (change from time
>>> to time), where are they in the security gateway?
>>
>> If the security gateway is a Linux box, try "ip xfrm state show". If it
>> is a BSD, try "ipsecctl -p". If it is a Cisco, the only way I know of is
>> to dump the memory and extract it the hard way.
>>
>> OpenBSD even has a "sasyncd" whose whole purpose it is to synchronize
>> this data (the SADs) to failover gateways.
>>
>>>   and the dynamic ones,
>>> how are they changing?? is that a function of the IPsec IKEv2 stuff?
>>
>> This is indeed one of the main reasons for "the IKE stuff". If
>> you want only fixed algorithms and never-changing pre-shared keys,
>> between known hosts, you may key the ESP manually.
>>
>> Actually this "IKE stuff" is usually all that the "IPsec daemons"
>> like strongSwan/charon, racoon, isakmpd, iked and whatnots do.
>> After the keys and parameters are negotiated, they are fed into the OS
>> kernel which will then do the transformation (en-/decapsulation,
>> en-/decryption, signing/verifying) of the actual user traffic.
>>
>> Cheers,
>> 	David
>>
> 
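
Because "ip xfrm state show", mentioned in the quoted reply above, prints the live per-SA keys, its output should have the key bytes stripped before it goes into a ticket or a list post. The following is an added example, not part of the original thread: it redacts the key material and summarizes each SA. The sample output is constructed, and the function name `redact` is this example's own.

```python
import re

# Constructed sample in the layout printed by `ip xfrm state show` on Linux;
# addresses, SPIs and key bytes are made up for this example.
SAMPLE = """\
src 192.0.2.1 dst 198.51.100.7
	proto esp spi 0xc2a4f310 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 96
	enc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
src 198.51.100.7 dst 192.0.2.1
	proto esp spi 0xc81d07e5 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xffeeddccbbaa99887766554433221100ffeeddcc 96
	enc cbc(aes) 0x0f0e0d0c0b0a09080706050403020100
src 192.0.2.1 dst 203.0.113.9
	proto esp spi 0xc5b7e092 reqid 2 mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xa0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3 128
"""

KEY_LINE = re.compile(r"^(\s*)(auth-trunc|auth|enc|aead)\s+(\S+)\s+0x([0-9a-fA-F]+)(.*)$")
HEAD = re.compile(r"^src (\S+) dst (\S+)")
PROTO = re.compile(r"proto (\S+) spi (0x[0-9a-fA-F]+).* mode (\S+)")

def redact(text):
    """Return (redacted_text, sa_list); key bytes are replaced by their length."""
    out, sas = [], []
    for line in text.splitlines():
        if m := HEAD.match(line):            # first line of each SA entry
            sas.append({"src": m[1], "dst": m[2], "algs": {}})
        elif (m := PROTO.search(line)) and sas:
            sas[-1].update(proto=m[1], spi=m[2], mode=m[3])
        elif (m := KEY_LINE.match(line)) and sas:
            indent, kind, alg, key, rest = m.groups()
            bits = len(key) * 4              # for GCM this includes the 32-bit salt
            sas[-1]["algs"][kind] = (alg, bits)
            line = f"{indent}{kind} {alg} <redacted {bits}-bit key>{rest}"
        out.append(line)
    return "\n".join(out) + "\n", sas

if __name__ == "__main__":
    redacted, sas = redact(SAMPLE)
    print(redacted)
    for sa in sas:
        print(sa["spi"], sa["src"], "->", sa["dst"], sa["algs"])
```

Each direction of a tunnel appears as its own SA with its own SPI and keys, and after a rekey the same command shows new SPIs, which matches the description of per-SA static keys in the quoted reply.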

