[strongSwan] How to verify the actual IKE proposal

Noel Kuntze noel at familie-kuntze.de
Fri Mar 7 14:25:40 CET 2014


Hello Dion, Hello Pawl,

The XFRM part of the kernel only handles the actual traffic (esp/ah packets), not the IKE states.
So what you see with "ip x {p,s}" only concerns the tunnel itself, not the IKE security association.
IKE is handled by charon (ikev2) or pluto (ikev1).
I don't know the command for pluto, but "ipsec statusall" since version 5.x shows the cipher proposal of both the ike and esp state for charon.
You might want to look in the man page or the help for "ipsec whack", as "ipsec whack" pertains to interaction with pluto.

Regards
Noel Kuntze



On 07.03.2014 14:17, Dion Kant wrote:
> On 03/07/2014 12:11 PM, Pawel Grzesik wrote:
>> Hi Dion,
>>
>> Maybe
>>
>> # ip x s
>> # ip x p
>> will show you more info.
>>
>> Thanks,
>> Pawel
> Hi Pawel,
>
> # ip x p does not show any cipher info
>> src x.x.x.x/30 dst y.y.y.y/32
>>         dir out priority 2144 ptype main
>>         tmpl src z.z.z.z dst w.w.w.w
>>                 proto esp reqid 16537 mode tunnel
>
> and
>
> # ip x s shows
>
> src z.z.z.z dst w.w.w.w
>         proto esp spi 0x2971e197 reqid 16537 mode tunnel
>         replay-window 32 flag af-unspec
>         auth hmac(sha1) 0x4e53...
>         enc cbc(aes) 0xdda3c05...
>
> Can I now conclude that, since ip x s shows the ip addresses left and
> right, auth and enc is indeed about ike encryption?
>
> Thanks, Dion

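An added example, not part of the original mail or of strongSwan's own code: a small filter that separates the IKE proposal from the ESP proposal in "ipsec statusall" output, which is the distinction the reply draws against "ip x s". The sample text is constructed in the layout of strongSwan 5.x output, and the function names `sample_statusall` and `proposals` are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the layout of strongSwan 5.x "ipsec statusall";
# connection name, addresses, SPIs and proposals are made up.
sample_statusall() {
cat <<'EOF'
Security Associations (1 up, 0 connecting):
      site-a[1]: ESTABLISHED 12 minutes ago, 192.0.2.1[gw-a]...198.51.100.1[gw-b]
      site-a[1]: IKEv2 SPIs: 1111111111111111_i* 2222222222222222_r, rekeying in 2 hours
      site-a[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      site-a{1}:  INSTALLED, TUNNEL, ESP SPIs: c0000001_i c0000002_o
      site-a{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
      site-a{1}:   10.1.0.0/30 === 10.2.0.1/32
EOF
}

# Reads statusall text on stdin and prints one line per SA:
#   "<conn> IKE <proposal>"  from name[N] lines (IKE SA, held by charon)
#   "<conn> ESP <proposal>"  from name{N} lines (CHILD SA, what "ip x s" shows)
proposals() {
    awk '
    /\[[0-9]+\]: IKE proposal: / {
        conn = $1; sub(/\[[0-9]+\]:$/, "", conn)
        print conn, "IKE", $NF
    }
    # CHILD SA algorithm line: proposal, then the inbound byte counter.
    # Also matches AEAD proposals that contain no "/".
    /[{][0-9]+[}]: +[A-Z][A-Z0-9_\/]*, [0-9]+ bytes_i/ {
        conn = $1; sub(/[{][0-9]+[}]:$/, "", conn)
        prop = $2; sub(/,$/, "", prop)
        print conn, "ESP", prop
    }'
}

# Stand-alone run on the constructed sample.
# On a live gateway: ipsec statusall | proposals
sample_statusall | proposals
```

In the sample the ESP line reports AES-CBC with HMAC-SHA1, matching the kind of "enc cbc(aes)" / "auth hmac(sha1)" entries the kernel lists, while the IKE SA negotiated a different suite that XFRM never sees.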