Sorry about forgetting to put the subject, resending with subject...

On Thu, Mar 1, 2012 at 11:02 AM, Alexander Lyakas <[email protected]> wrote:
> Greetings everybody,
> I am trying to set up a basic client-to-server secured connection with
> ESP in transport mode. The server is ubuntu-natty 2.6.38-8 with stock
> strongswan package 4.5.0. The server is using pre-shared keys. On the
> server I am using IKEv1 only at this point. The client is a Win7 box.
> It is configured using Windows Firewall Advanced Snap-In to always
> require encryption.
>
> Everything seems to work more or less as expected. However, when the
> IPSec SA is established, in Win7 IP Security Monitor, I see that "ESP
> confidentiality" is "None". When running "setkey -D" on the Linux box
> I can see the encryption is enabled on the SAs:
>
> root@vc-0-0-10-03--109-dev:~# setkey -D
> 172.16.0.158 172.16.4.10
>         esp mode=transport spi=1217668046(0x489423ce) reqid=16392(0x00004008)
>         E: aes-cbc 58ebcc39 10ecd799 6c784631 261cbeda
>         A: hmac-sha1 a0819356 2c08386c c7cb56cc caba9da2 0e7f04e5
>         seq=0x00000000 replay=32 flags=0x00000000 state=mature
>         created: Feb 16 12:41:36 2012 current: Feb 16 12:41:41 2012
>         diff: 5(s) hard: 0(s) soft: 0(s)
>         last: Feb 16 12:41:39 2012 hard: 0(s) soft: 0(s)
>         current: 52(bytes) hard: 0(bytes) soft: 0(bytes)
>         allocated: 2 hard: 0 soft: 0
>         sadb_seq=1 pid=1790 refcnt=0
> 172.16.4.10 172.16.0.158
>         esp mode=transport spi=3274301888(0xc329e1c0) reqid=16392(0x00004008)
>         E: aes-cbc c915c917 26a25072 02d0d950 05f2d31d
>         A: hmac-sha1 1bb2124c 52265cc0 263098f2 c2cd2880 e3fefbfd
>         seq=0x00000000 replay=32 flags=0x00000000 state=mature
>         created: Feb 16 12:41:36 2012 current: Feb 16 12:41:41 2012
>         diff: 5(s) hard: 0(s) soft: 0(s)
>         last: Feb 16 12:41:36 2012 hard: 0(s) soft: 0(s)
>         current: 244(bytes) hard: 0(bytes) soft: 0(bytes)
>         allocated: 4 hard: 0 soft: 0
>         sadb_seq=0 pid=1790 refcnt=0
>
> How can I verify that encryption is really effective? I was trying to
> use Wireshark to capture the traffic, and indeed I see ESP packets
> there, but still not sure at this point.
> I am also posting my server ipsec.conf, please let me know if it makes sense.
> Thanks!
>
> config setup
>         charonstart=no
>         plutostart=yes
>         strictcrlpolicy=no
>         uniqueids=yes
>         crlcheckinterval=0s
>         nocrsend=no
>         plutodebug="control lifecycle dns oppo controlmore natt"
>         postpluto=
>         prepluto=
>
> conn client
>         auth=esp
>         authby=psk # rsasig, for IKEv2 use leftauth
>         auto=start # We need to start all connections, for those peers that don't support DPD
>         dpdaction=clear # For those peers that support DPD, we expect them to reconnect, so we drop their connections
>         dpddelay=30s
>         dpdtimeout=30s # IKEv1 only
>         esp=aes128-sha1 # Add more as needed
>         ike=aes128-sha1-modp1024 # Add more as needed
>         ikelifetime=3h
>         installpolicy=yes
>         keyexchange=ikev1 # (for outgoing connection only)
>         keyingtries=1 # We should not retry, the client should
>         lifetime=1h
>         margintime=9m
>         pfs=no
>         pfsgroup= # For IKEv1 only
>         reauth=yes # Relevant only for IKEv2
>         rekey=no # Do not initiate rekeying
>         type=transport
>         # LEFT server
>         left=172.16.0.158
>         leftallowany=no
>         leftauth= # For IKEv2 only
>         leftprotoport=tcp
>         # RIGHT - client
>         right=172.16.4.10
>         rightallowany=no
>         rightauth= # For IKEv2 only
>         rightprotoport=tcp
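The question above is how to confirm from the Linux side that the installed SAs really encrypt. As an added example (not from the post, not part of strongSwan or ipsec-tools), the Python below parses `setkey -D` output in the layout quoted above and flags any SA that offers no confidentiality (an `E: null` line, a missing `E:` line, or an AH-only SA). The sample dump is constructed; its SPIs and key bytes are placeholders, and the second SA is deliberately NULL-encrypted so the check has something to report.

```python
import re

# Constructed sample in the layout of `setkey -D` (SPIs/keys are placeholders,
# not values from the post); the 2nd SA deliberately uses NULL encryption.
SAMPLE_SETKEY_D = """\
172.16.0.158 172.16.4.10
        esp mode=transport spi=1217668046(0x489423ce) reqid=16392(0x00004008)
        E: aes-cbc 00000000 11111111 22222222 33333333
        A: hmac-sha1 00000000 11111111 22222222 33333333 44444444
172.16.4.10 172.16.0.158
        esp mode=transport spi=3274301888(0xc329e1c0) reqid=16392(0x00004008)
        E: null
        A: hmac-sha1 00000000 11111111 22222222 33333333 44444444
"""

SA_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")      # unindented "src dst" line
PROTO_LINE = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\w+)\s+spi=\d+\((0x[0-9a-f]+)\)")
ALG_LINE = re.compile(r"^\s+([EA]):\s+(\S+)")      # E: cipher / A: integrity alg

def parse_setkey_dump(text):
    """Turn `setkey -D` output into one dict per SA (i.e. per direction)."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                  # a new SA starts unindented
            m = SA_HEADER.match(line)
            cur = None                             # prompt/echo lines are skipped
            if m:
                cur = dict(src=m.group(1), dst=m.group(2), proto=None,
                           mode=None, spi=None, enc=None, auth=None)
                sas.append(cur)
        elif cur is not None:
            if m := PROTO_LINE.match(line):
                cur["proto"], cur["mode"], cur["spi"] = m.groups()
            elif m := ALG_LINE.match(line):
                cur["enc" if m.group(1) == "E" else "auth"] = m.group(2)
    return sas

def confidentiality_findings(sas):
    """One finding per SA that carries traffic without real encryption."""
    findings = []
    for sa in sas:
        where = f"{sa['src']}->{sa['dst']} spi={sa['spi']}"
        if sa["proto"] != "esp":                   # AH/IPComp: integrity only
            findings.append(f"{where}: {sa['proto']} provides no encryption")
        elif sa["enc"] in (None, "null"):          # ESP-NULL or no E: line
            findings.append(f"{where}: ESP with NULL encryption")
    return findings
```

Run against the real dump (`setkey -D | python3 check.py` with `sys.stdin.read()` in place of the sample) an empty findings list means every installed SA is ESP with a real cipher, which is what the quoted output shows for both directions regardless of what the Windows monitor displays.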
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
