[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?

Noel Kuntze noel at familie-kuntze.de
Thu Apr 24 17:33:48 CEST 2014

Hash: SHA1

Hello Bob,
In one of the first messages, you wrote, you wanted to compress the traffic.
Why don't you just use the built in compression of IPsec?
Just set compress=yes in the configuration and if the other peer supports it, the traffic will be compressed.

Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 24.04.2014 16:40, schrieb Bob W:
> Thanks everyone(David, Martin, Noel, JC) for the responses... looks like
> I have some homework to do.
> Bob
> On 4/24/2014 3:33 AM, Dahlberg, David wrote:
>> Am Mittwoch, den 23.04.2014, 16:17 -0500 schrieb Bob W:
>>> so question is if I have the Security Association (SA) info, like
>>> source/dest ip, and security param index (SPI) , the encrypt algro's
>>> and
>>> keys, I should be able to decode and then re-encode the packets,
>>> right?
>> Decode: yes.
>> Encode: Probably. I have not tried it though.
>> Be aware that depending on the cipher/mode you probably may or may not
>> mingle with single packets on their own. In any case you have to check 
>> /very/ carefully not to destroy any of their cryptographic properties.
>> So if you really want to modify the streams it would probably be easier
>> for you to just terminate the IPsec at the middle box.
>>> question is the keys for the ESP/AH ...  are they static?
>> The keys for one ESP/AH SA are static. But SAs may be exchanged during
>> one communication.
>>> if so, where
>>> are they in the Security gateway.. if they are dynamic(change from
>>> time
>>> to time), where are they in the security gateway?
>> If the security gateway is a Linux box, try "ip xfrm state show". If it
>> is a BSD, try "ipsecctl -p". If it is a Cisco, the only way I know of is
>> to dump the memory and extract it the hard way.
>> OpenBSD has even a "sasyncd" who's whole purpose it is to synchronize
>> this data (the SADs) to failover gateways.
>>>   and the dynamic ones,
>>> how are they changing?? is that a function of the IPsec IKEv2 stuff?
>> This is indeed one of the main reason reasons for "the IKE stuff". If
>> you want only fixed algorithms and never-changing pre-shared keys,
>> between known hosts, you may key the ESP manually.
>> Actually this "IKE stuff" is usually all that the "IPsec daemons"
>> like StronSWAN/charon, racoon, isakmpd, iked and whatnots do.
>> After the keys and parameters are negotiated, they are fed into the OS
>> kernel which will then do the transformation (en-/decapsulation,
>> en-/decryption, signing/verifying) of the actual user traffic.
>> Cheers,
>> 	David
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/


More information about the Users mailing list