[strongSwan] Is a trusted man in the middle possible with ipsec ike v2 tunnel mode?

Bob W bob.news at non-elite.com
Thu Apr 24 17:26:32 CEST 2014

Hi Noel,

  yes compress was the example...  but also want to read/modify the
traffic as well.


On 4/24/2014 10:33 AM, Noel Kuntze wrote:
> Hello Bob,
> In one of the first messages, you wrote, you wanted to compress the traffic.
> Why don't you just use the built in compression of IPsec?
> Just set compress=yes in the configuration and if the other peer supports it, the traffic will be compressed.
> Regards,
> Noel Kuntze
> GPG Key id: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> Am 24.04.2014 16:40, schrieb Bob W:
>> Thanks everyone(David, Martin, Noel, JC) for the responses... looks like
>> I have some homework to do.
>> Bob
>> On 4/24/2014 3:33 AM, Dahlberg, David wrote:
>>> Am Mittwoch, den 23.04.2014, 16:17 -0500 schrieb Bob W:
>>>> so question is if I have the Security Association (SA) info, like
>>>> source/dest ip, and security param index (SPI) , the encrypt algro's
>>>> and
>>>> keys, I should be able to decode and then re-encode the packets,
>>>> right?
>>> Decode: yes.
>>> Encode: Probably. I have not tried it though.
>>> Be aware that depending on the cipher/mode you probably may or may not
>>> mingle with single packets on their own. In any case you have to check 
>>> /very/ carefully not to destroy any of their cryptographic properties.
>>> So if you really want to modify the streams it would probably be easier
>>> for you to just terminate the IPsec at the middle box.
>>>> question is the keys for the ESP/AH ...  are they static?
>>> The keys for one ESP/AH SA are static. But SAs may be exchanged during
>>> one communication.
>>>> if so, where
>>>> are they in the Security gateway.. if they are dynamic(change from
>>>> time
>>>> to time), where are they in the security gateway?
>>> If the security gateway is a Linux box, try "ip xfrm state show". If it
>>> is a BSD, try "ipsecctl -p". If it is a Cisco, the only way I know of is
>>> to dump the memory and extract it the hard way.
>>> OpenBSD has even a "sasyncd" who's whole purpose it is to synchronize
>>> this data (the SADs) to failover gateways.
>>>>   and the dynamic ones,
>>>> how are they changing?? is that a function of the IPsec IKEv2 stuff?
>>> This is indeed one of the main reason reasons for "the IKE stuff". If
>>> you want only fixed algorithms and never-changing pre-shared keys,
>>> between known hosts, you may key the ESP manually.
>>> Actually this "IKE stuff" is usually all that the "IPsec daemons"
>>> like StronSWAN/charon, racoon, isakmpd, iked and whatnots do.
>>> After the keys and parameters are negotiated, they are fed into the OS
>>> kernel which will then do the transformation (en-/decapsulation,
>>> en-/decryption, signing/verifying) of the actual user traffic.
>>> Cheers,
>>> 	David
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list