[strongSwan] Using libipsec for encryption/decryption

Sriram sriram.ec at gmail.com
Thu Apr 23 09:22:30 CEST 2015


I'm using libipsec to do user-space encryption/decryption. The strongSwan
version is 5.1.1.

'ipsec up home' establishes the tunnel properly with the secgw. The secgw
assigns a virtual IP.
Later, when I start pinging a valid IP which is behind the secgw, like below:
ping <ip-behind-secgw> -I <virtual ip>

I see that the packets are going in plain text. I mean the packets are not
But the incoming packets are in ESP, which I guess are reaching the
application properly after decryption.

Configuration details at the strongSwan client asking for a virtual IP are given
Please let me know if I am missing something.

# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1, dmn 1"

conn home
    left=10.x.x.x
    leftid=abc@xyz.com
    leftauth=psk
    rightauth=psk
    leftsourceip=%config
    leftfirewall=yes
    ike=3des-sha1-prfsha1-modp1024!
    esp=aes128-sha1!
    right=10.x.x.x
    rightsubnet=<>
    rightid=%any
    auto=add
    mobike=no
    dpddelay=200s
    dpdaction=clear
    rekey=yes
    ikelifetime=86400s
    lifetime=36000s
    reauth=no
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {
        # number of worker threads in charon
        threads = 16
        close_ike_on_child_failure = yes
        keep_alive = 20s
        # send strongswan vendor ID?
        # send_vendor_id = yes
        plugins {
                sql {
                        # loglevel to log into sql database
                        loglevel = -1
                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
                resolve {
                        file = /etc/resolvtunnel.conf
                }
                kernel-netlink {
                        fwmark = !0x42
                }
                socket-default {
                        fwmark = 0x42
                }
                kernel-libipsec {
                        allow_peer_ts = yes
                }
        }
}
pluto

libstrongswan {
        #  set to no, the DH exponent size is optimized
        #  dh_exponent_ansi_x9_42 = no
}

I see that the kernel-libipsec is loaded.

# ipsec listall | more

List of registered IKE algorithms:

  encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des]
  integrity:  HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA1_160[hmac] AES_CMAC_96[cmac]
              HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac]
              HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac]
  hasher:     HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]
  prf:        PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac]
              PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]
  dh-group:   MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp] MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp]
              MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp] MODP_2048_256[gmp] MODP_CUSTOM[gmp]
  random-gen: RNG_STRONG[random] RNG_TRUE[random]
  nonce-gen:  [nonce]

List of loaded Plugins:

  CUSTOM:kernel-ipsec        CUSTOM:kernel-net

kernel-libipsec:    CUSTOM:kernel-ipsec CUSTOM:libcharon-receiver
kernel-netlink:     CUSTOM:kernel-ipsec

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.10.49-perf, armv7l):
  uptime: 16 hours, since Apr 22 10:36:49 2015
  malloc: sbrk 266240, mmap 0, used 121200, free 145040
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 23
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation
l-libipsec kernel-netlink resolve socket-default stroke updown eap-identity eap-
Listening IP addresses:
  x.x.x.x
        home:  10.x.x.x...10.x.x.x  IKEv2, dpddelay=200s
        home:   local:  [abc@xyz.com] uses pre-shared key authentication
        home:   remote: uses pre-shared key authentication
        home:   child:  dynamic === <> TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
        home[1]: ESTABLISHED 16 hours ago, 10.x.x.x[abc@xyz.com
        home[1]: IKEv2 SPIs: 3bd67a82f229a91e_i* aeabbe99f737e72e_r, rekeying in
        home[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        home{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c75311d3_i cb2a38b5_o
        home{1}:  AES_CBC_128/HMAC_SHA1_96, 134677 bytes_i (1720 pkts, 1s ago),
        home{1}:   x.x.x.1/32 === <>
# cat
Any help in this regard is appreciated.
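A check a practitioner would run on a report like this, added here as an example that is not part of the original post and not strongSwan code: with kernel-libipsec, ESP is produced in user space and leaves the box on charon's UDP socket (port 4500, the "ESP in UDP" shown in statusall), while plaintext for rightsubnet is supposed to enter the ipsec0 TUN device first. So the decisive evidence is a capture on the outer interface: anything addressed to the protected subnet that is not ESP, ESP-in-UDP, IKE or a NAT-T keepalive has bypassed the tunnel. The script below classifies packets by those rules and lists such leaks. It parses pcap files with LINKTYPE_RAW (bare IPv4, no Ethernet header) and builds a constructed sample capture inline; the addresses, the protected subnet 172.16.0.0/16 and the ICMP echo are assumptions for illustration. Only the outbound SPI cb2a38b5 is taken from the statusall output in the post.

```python
import struct
import ipaddress

# Constructed sample addresses (assumptions for illustration, not from the post).
PHYS_IP = "10.0.0.2"          # client's physical address on the outer interface
SECGW_IP = "10.0.0.1"         # security gateway
VIRTUAL_IP = "192.168.100.5"  # virtual IP handed out by the gateway
PROTECTED = ipaddress.ip_network("172.16.0.0/16")  # the rightsubnet behind the secgw

def ipv4_packet(src, dst, proto, payload):
    """Minimal IPv4 header (no options, checksum left at zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload

def udp_packet(sport, dport, payload):
    """UDP header (checksum left at zero) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def pcap_file(packets):
    """Serialise raw IPv4 packets as a little-endian pcap with LINKTYPE_RAW (101)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1429777350 + i, 0, len(pkt), len(pkt)) + pkt
    return out

def iter_pcap(data):
    """Yield the raw packets of a LINKTYPE_RAW pcap such as pcap_file() produces."""
    magic, = struct.unpack("<I", data[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled")
    linktype, = struct.unpack("<I", data[20:24])
    if linktype != 101:
        raise ValueError("expected LINKTYPE_RAW (101), got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl

def classify(pkt):
    """Return (kind, src, dst); kind is esp, esp-udp, ike, keepalive, plain or other."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("other", None, None)
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.ip_address(pkt[12:16]))
    dst = str(ipaddress.ip_address(pkt[16:20]))
    if proto == 50:                                  # native ESP
        return ("esp", src, dst)
    if proto == 17 and len(pkt) >= ihl + 8:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        body = pkt[ihl + 8:]
        if 4500 in (sport, dport):                   # RFC 3948 UDP encapsulation
            if body == b"\xff":
                return ("keepalive", src, dst)       # NAT-T keepalive
            if body[:4] == b"\x00\x00\x00\x00":
                return ("ike", src, dst)             # non-ESP marker: IKE on 4500
            return ("esp-udp", src, dst)             # first four bytes are the SPI
        if 500 in (sport, dport):
            return ("ike", src, dst)
    return ("plain", src, dst)

def find_leaks(pcap_bytes, protected=PROTECTED):
    """Packets on the outer interface that are in the clear although their
    destination lies in the protected subnet: these bypassed the ipsec0 TUN."""
    leaks = []
    for pkt in iter_pcap(pcap_bytes):
        kind, src, dst = classify(pkt)
        if kind == "plain" and ipaddress.ip_address(dst) in protected:
            leaks.append((src, dst, pkt[9]))
    return leaks

def sample_capture():
    """Constructed capture (assumption): one ESP-in-UDP packet carrying the
    outbound SPI from the post's statusall output, one NAT-T keepalive, and
    one ICMP echo request that left in clear with the virtual IP as source."""
    esp_udp = ipv4_packet(PHYS_IP, SECGW_IP, 17,
                          udp_packet(4500, 4500, bytes.fromhex("cb2a38b5") + b"\x00" * 44))
    keepalive = ipv4_packet(PHYS_IP, SECGW_IP, 17, udp_packet(4500, 4500, b"\xff"))
    echo = ipv4_packet(VIRTUAL_IP, "172.16.1.10", 1,
                       b"\x08\x00\x00\x00\x00\x01\x00\x01" + b"\x00" * 8)
    return pcap_file([esp_udp, keepalive, echo])

if __name__ == "__main__":
    for src, dst, proto in find_leaks(sample_capture()):
        print("plaintext leak: %s -> %s (IP proto %d)" % (src, dst, proto))
```

To use it on a real host, feed `find_leaks()` the bytes of a capture taken on the physical interface (not on ipsec0, where the plaintext is expected); a capture written by tcpdump on an Ethernet interface carries a 14-byte Ethernet header per packet, so either strip it before calling `classify()` or extend `iter_pcap()` to accept LINKTYPE_EN10MB (1). If the ICMP echo shows up as a leak while ESP-in-UDP is flowing, the kernel routed the ping around the TUN device, which is a routing or fwmark question rather than a crypto one; if nothing leaks, the plaintext was seen elsewhere (for example on ipsec0 itself) and was wrapped before leaving the box.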
