Re: [strongSwan] FW: Is that a security Issue?
Hi Michalle,

> I have another question about this. Why does it only happen when the ESP protects tunnel-mode IP traffic? I have never seen that plaintext in transport mode.

Yes, this only happens with tunnel mode. I don't know the exact reason for it, it's probably just a side effect of how tunnel mode is implemented in the kernel.

> And also, does that mean that the Linux kernel knows the SA key established between strongSwan and my implementation? Otherwise how could it decrypt the ESP packet?

That's exactly how it works. All the IPsec traffic (ESP/AH) is directly handled by the Linux kernel. strongSwan just acts as a keying daemon that operates in userland and writes the keys it establishes via IKE to the Linux kernel using Netlink/XFRM or PF_KEY. To see the SAs and keys that are currently configured in the kernel you can also use the 'ip xfrm state' command.

Regards,
Tobias

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
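To make the last point concrete: the following script is an added example, not code from this thread or from strongSwan. It parses the text that `ip xfrm state` prints on Linux into SA records and summarises them without echoing key material. In the real output the hex string after each algorithm name is the live session key, which is why anyone who can run that command (root, or a process with CAP_NET_ADMIN) has the same keys the kernel uses to decrypt ESP. The sample output embedded below is constructed (made-up addresses, SPIs and keys) and the file name xfrm_audit.py is an assumption; pipe real output in with `ip xfrm state | python3 xfrm_audit.py`.

```python
"""Summarise the kernel's IPsec SA table without echoing key material.

Added example, not from the mailing-list thread or from strongSwan.  It parses
what `ip xfrm state` prints, which is where the keys strongSwan negotiates via
IKE end up on Linux.  With nothing on stdin it uses the constructed sample.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of `ip xfrm state` output: one tunnel-mode ESP SA per
# direction, laid out the way the kernel prints them.  The hex strings after the
# algorithm names are made-up keys; in real output they are the live session
# keys, readable by anyone with CAP_NET_ADMIN.
SAMPLE_XFRM_STATE = """\
src 10.1.0.1 dst 10.2.0.1
    proto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 128
    enc cbc(aes) 0xffeeddccbbaa99887766554433221100
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.2.0.1 dst 10.1.0.1
    proto esp spi 0xd4e5f607 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 128
    enc cbc(aes) 0x0f1e2d3c4b5a69788796a5b4c3d2e1f0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""

@dataclass
class Sa:
    src: str
    dst: str
    proto: str = "?"
    spi: int = 0
    reqid: int = 0
    mode: str = "?"
    # role ("enc", "auth", "auth-trunc", "aead") -> (algorithm name, key bits)
    algs: Dict[str, Tuple[str, int]] = field(default_factory=dict)

HEADER_RE = re.compile(r"^src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)")
ALG_RE = re.compile(r"^(auth-trunc|auth|enc|aead) (\S+) 0x([0-9a-fA-F]*)")

def parse_xfrm_state(text: str) -> List[Sa]:
    """Split `ip xfrm state` output into SA records; keys are reduced to their bit length."""
    sas: List[Sa] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:                      # an unindented "src ... dst ..." line starts a new SA
            sas.append(Sa(src=m.group(1), dst=m.group(2)))
            continue
        if not sas:
            continue               # stray text before the first SA
        cur, body = sas[-1], line.strip()
        m = PROTO_RE.match(body)
        if m:
            cur.proto, cur.spi = m.group(1), int(m.group(2), 16)
            cur.reqid, cur.mode = int(m.group(3)), m.group(4)
            continue
        m = ALG_RE.match(body)
        if m:
            role, name, keyhex = m.groups()
            cur.algs[role] = (name, len(keyhex) * 4)   # keep the size, drop the key
    return sas

def summarise(sa: Sa) -> str:
    """One line per SA: endpoints, SPI, mode and algorithms, but no key bytes."""
    algs = ", ".join(f"{role} {name}/{bits}" for role, (name, bits) in sa.algs.items())
    return f"{sa.src} -> {sa.dst} {sa.proto} spi 0x{sa.spi:08x} mode {sa.mode} [{algs}]"

def findings(sa: Sa) -> List[str]:
    """Things worth flagging in an ESP SA that the raw listing makes easy to miss."""
    out: List[str] = []
    if sa.proto != "esp":
        return out
    if not any(r in sa.algs for r in ("auth", "auth-trunc", "aead")):
        out.append("no integrity protection (encryption-only ESP is malleable)")
    enc = sa.algs.get("enc")
    if enc and "cipher_null" in enc[0]:
        out.append("null cipher: payload is sent in the clear")
    return out

if __name__ == "__main__":
    text = SAMPLE_XFRM_STATE if sys.stdin.isatty() else sys.stdin.read()
    for sa in parse_xfrm_state(text):
        print(summarise(sa))
        for f in findings(sa):
            print("   !", f)
```

The summary deliberately prints only key lengths: the listing itself is the sensitive artifact, so anything that logs or ships it (a support bundle, a monitoring script) is leaking the current ESP keys, not just metadata. The `mode` field is also where you confirm whether a given SA is the tunnel-mode one whose decrypted payload shows up in a capture on the endpoint.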
Re: [strongSwan] FW: Is that a security Issue?
Tobias,

Thanks for your clarification. Yes, I use the Wireshark located on the same machine as strongSwan.

I have another question about this. Why does it only happen when the ESP protects tunnel-mode IP traffic? I have never seen that plaintext in transport mode.

And also, does that mean that the Linux kernel knows the SA key established between strongSwan and my implementation? Otherwise how could it decrypt the ESP packet?

Thanks
Michalle

> Date: Mon, 20 Sep 2010 10:33:50 +0200
> From: tob...@strongswan.org
> To: michalle...@hotmail.com
> CC: users@lists.strongswan.org
> Subject: Re: [strongSwan] FW: Is that a security Issue?
>
> Hi Michalle,
>
> > there will be a plaintext ICMP echo request (which decrypts the original ESP packet from my implementation) in the network.
>
> You didn't write on which host you captured the packets with Wireshark. If it was on the same host on which strongSwan was running then this behavior is normal. It is a quirk of the Linux kernel that for incoming traffic both the ESP packet and the decrypted payload are captured and that for outgoing traffic only encrypted ESP packets are visible.
>
> Regards,
> Tobias
Re: [strongSwan] FW: Is that a security Issue?
Hi Michalle,

> there will be a plaintext ICMP echo request (which decrypts the original ESP packet from my implementation) in the network.

You didn't write on which host you captured the packets with Wireshark. If it was on the same host on which strongSwan was running then this behavior is normal. It is a quirk of the Linux kernel that for incoming traffic both the ESP packet and the decrypted payload are captured and that for outgoing traffic only encrypted ESP packets are visible.

Regards,
Tobias