Ya Dhanavel,

IPSec setup for testing requires at least 2 hosts. This is because IPSec is to establish an encrypted channel between Host - Router (or) Router - Router (or) Host - Host.

For testing this established setup you should have a 3rd host running the tools which Amar specified and target the IPSec testbed. So, now for establishing a tunnel you need to have similar configuration & certificates/keys running.

Regards,
0xN41K

On Jun 9, 6:02 pm, Sandeep Thakur <[email protected]> wrote:
> The background of IPSec:
> Internet Protocol security (IPsec) is a framework of open standards for
> protecting communications over Internet Protocol (IP) networks through the
> use of cryptography. It supports network-level peer authentication, data
> origin authentication, data integrity, data confidentiality (encryption),
> and replay protection. The Microsoft implementation of IPsec is based on
> standards developed by the Internet Engineering Task Force (IETF) IPsec
> working group.
>
> More information on IPSec can be obtained from the below link:
> http://en.wikipedia.org/wiki/IPsec
>
> Coming to your question of testing IPSec by implementing Strongswan on one
> host and some other IPsec tools on another host, I understand it does not
> matter during testing. Because, the vendor / author or in other words
> provider of IPSec tool could be different but not its implementation. IPSec's
> implementation will be based on agreed and accepted standards worldwide and
> that's when you can communicate between two hosts without any issues. To know
> more about the implementation of Strongswan IPSec, visit the below link:
>
> http://wiki.strongswan.org/wiki/1/IpsecStandards
>
> Finally, the conclusion behind this is that IPsec support is usually
> implemented in the kernel with key management and ISAKMP/IKE negotiation
> carried out from user-space. Existing IPsec implementations often include
> both.
>
> If the key management protocol at both ends is the same (True, in this case) you
> shall carry out the test with effective results.
> Hope this clarifies?
>
> Thanks
> Sandeep Thakur
>
> On Wed, Jun 9, 2010 at 3:13 PM, Dhanavel <[email protected]> wrote:
> > Thanks Amardeep...
> >
> > and one more doubt... I have IPsec source code of Strongswan.... In their
> > configuration they said they need two hosts...
> > can we test IPsec by implementing Strongswan on one host and some other
> > IPsec tools on another host...
> >
> > or is it like both of the hosts want to have same configuration... is
> > it like that?
> >
> > regards
> > Dhanavel
> >
> > On Jun 9, 11:28 am, Amar Deep <[email protected]> wrote:
> > > Hi,
> > >
> > > Generally we use IKE for scanning IPsec - VPN scanning, fingerprints and
> > > testing tools
> > >
> > > IKE-scan is a command-line tool for discovering, fingerprinting and testing
> > > IPsec VPN systems. It constructs and sends IKE Phase-1 packets to the
> > > specified hosts, and displays any responses that are received.
> > >
> > > ike-scan allows you to:
> > >
> > > - Send IKE packets to any number of destination hosts, using a
> > >   configurable output bandwidth or packet rate. (*This is useful for VPN
> > >   detection, when you may need to scan large address spaces.*)
> > > - Construct the outgoing IKE packet in a flexible way. (*This includes
> > >   IKE packets which do not comply with the RFC requirements.*)
> > > - Decode and display any returned packets.
> > > - Crack aggressive mode pre-shared keys. (*You can use ike-scan to obtain
> > >   the PSK hash data, and then use psk-crack to obtain the key.*)
> > >
> > > For downloading IKE scan here is the link:
> > >
> > > http://www.darknet.org.uk/2008/11/ike-scan-ipsec-vpn-scanning-fingerp...
> > >
> > > And if you want to know more about penetration testing for IPsec here is the
> > > link:
> > >
> > > http://www.symantec.com/connect/articles/penetration-testing-ipsec-vpns
> > >
> > > Regards,
> > >
> > > T.Amardeep,
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "nforceit" group.
> > To post to this group, send an email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group at
> > http://groups.google.com/group/nforceit?hl=en-GB.
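
Added example, not part of the original thread and not code from ike-scan or strongSwan: a Python check that decodes the fixed ISAKMP header (RFC 2408) of UDP/500 payloads captured on the testbed and flags IKEv1 Phase-1 responses in Aggressive Mode, the mode the pre-shared key remark in the thread concerns. The function names and the sample datagrams are constructed for illustration, and NAT-T traffic on UDP/4500 is assumed to be out of scope.

```python
import struct

# Fixed ISAKMP header (RFC 2408, section 3.1): 28 bytes, network byte order.
HDR = struct.Struct("!8s8sBBBBII")
# IKEv1 exchange types (RFC 2408 and RFC 2409).
IKEV1_EXCHANGE = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}


def parse_header(payload: bytes) -> dict:
    """Decode the ISAKMP header of one UDP/500 payload (no NAT-T marker)."""
    if len(payload) < HDR.size:
        raise ValueError("truncated: the ISAKMP header is 28 bytes")
    _ic, rcookie, _np, version, exch, _flags, msg_id, length = HDR.unpack_from(payload)
    if length < HDR.size:
        raise ValueError("length field is smaller than the header")
    return {
        "version": (version >> 4, version & 0x0F),
        "exchange": IKEV1_EXCHANGE.get(exch, f"type-{exch}"),
        "is_response": rcookie != bytes(8),  # responder cookie filled in
        "phase1": msg_id == 0,               # Phase 1 uses message ID 0
    }


def flag_aggressive(payloads) -> list:
    """Indexes of IKEv1 Phase-1 Aggressive Mode responses in a capture."""
    hits = []
    for i, raw in enumerate(payloads):
        try:
            h = parse_header(raw)
        except ValueError:
            continue  # not ISAKMP, or cut short by the capture
        if (h["version"][0] == 1 and h["exchange"] == "aggressive"
                and h["phase1"] and h["is_response"]):
            hits.append(i)
    return hits


def sample(exch: int, rcookie: bytes, version: int = 0x10) -> bytes:
    """Constructed test datagram: header only, no payloads."""
    return HDR.pack(b"\x11" * 8, rcookie, 1, version, exch, 0, 0, HDR.size)


# Constructed capture: Main Mode reply, Aggressive Mode request, Aggressive
# Mode reply, IKEv2 reply (exchange type 34), and a truncated datagram.
CAPTURE = [sample(2, b"\x22" * 8), sample(4, bytes(8)), sample(4, b"\x22" * 8),
           sample(34, b"\x22" * 8, version=0x20), b"\x00" * 10]

print(flag_aggressive(CAPTURE))
```

A gateway that shows up in this list answered an Aggressive Mode request, so its configuration is the one to review on the testbed.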
