Hi, I'm using libipsec to do user-space encryption/decryption. The strongSwan version is 5.1.1.

'ipsec up home' establishes the tunnel properly with the secgw, and the secgw assigns a virtual IP. Later, when I start pinging a valid IP behind the secgw like below:

    ping <ip-behind-secgw> -I <virtual ip>

I see that the packets are going out in plain text; I mean the packets are not encrypted. But the incoming packets are in ESP, which I guess reach the application properly after decryption. The configuration details at the strongSwan client requesting the virtual IP are given below. Please let me know if I am missing something.

# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 4, chd 1, cfg 1, net 1, enc 1, lib 1, mgr 1, knl 1 dmn 1"

conn home
    left=10.x.x.x
    leftid=[email protected]
    leftauth=psk
    rightauth=psk
    leftsourceip=%config
    leftfirewall=yes
    ike=3des-sha1-prfsha1-modp1024!
    esp=aes128-sha1!
    right=10.x.x.x
    rightsubnet=0.0.0.0/0
    rightid=%any
    auto=add
    mobike=no
    dpddelay=200s
    dpdaction=clear
    rekey=yes
    ikelifetime=86400s
    lifetime=36000s
    reauth=no
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

# cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {
    # number of worker threads in charon
    threads = 16
    close_ike_on_child_failure = yes
    keep_alive = 20s
    # send strongswan vendor ID?
    # send_vendor_id = yes
    plugins {
        sql {
            # loglevel to log into sql database
            loglevel = -1
            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
        resolve {
            file = /etc/resolvtunnel.conf
        }
        kernel-netlink {
            fwmark = !0x42
        }
        socket-default {
            fwmark = 0x42
        }
        kernel-libipsec {
            allow_peer_ts = yes
        }
    }
}

pluto {
}

libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
}

I see that the kernel-libipsec plugin is loaded.
# ipsec listall | more
List of registered IKE algorithms:
  encryption: DES_CBC[des] 3DES_CBC[des] AES_CBC[aes] DES_ECB[des] TWOFISH_CBC[af-alg]
  integrity:  HMAC_MD5_96[hmac] HMAC_SHA1_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA1_160[hmac] AES_CMAC_96[cmac] HMAC_SHA2_256_128[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_512_256[hmac] HMAC_SHA1_128[hmac] HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_512[hmac]
  aead:
  hasher:     HASH_MD5[md5] HASH_SHA1[sha1] HASH_SHA224[sha2] HASH_SHA256[sha2] HASH_SHA384[sha2] HASH_SHA512[sha2]
  prf:        PRF_HMAC_MD5[hmac] PRF_HMAC_SHA1[hmac] PRF_HMAC_SHA2_256[hmac] PRF_HMAC_SHA2_384[hmac] PRF_HMAC_SHA2_512[hmac] PRF_AES128_CMAC[cmac] PRF_FIPS_SHA1_160[fips-prf] PRF_KEYED_SHA1[sha1]
  dh-group:   MODP_768[gmp] MODP_1024[gmp] MODP_1536[gmp] MODP_2048[gmp] MODP_3072[gmp] MODP_4096[gmp] MODP_6144[gmp] MODP_8192[gmp] MODP_1024_160[gmp] MODP_2048_224[gmp] MODP_2048_256[gmp] MODP_CUSTOM[gmp]
  random-gen: RNG_STRONG[random] RNG_TRUE[random]
  nonce-gen:  [nonce]
List of loaded Plugins:
  charon: CUSTOM:libcharon NONCE_GEN CUSTOM:libcharon-receiver CUSTOM:kernel-ipsec CUSTOM:kernel-net CUSTOM:libcharon-receiver HASHER:HASH_SHA1 RNG:RNG_STRONG CUSTOM:socket
  ........
  .........
  kernel-libipsec: CUSTOM:kernel-ipsec CUSTOM:kernel-libipsec-router CUSTOM:libcharon-receiver
  kernel-netlink: CUSTOM:kernel-ipsec CUSTOM:kernel-net

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.10.49-perf, armv7l):
  uptime: 16 hours, since Apr 22 10:36:49 2015
  malloc: sbrk 266240, mmap 0, used 121200, free 145040
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 23
  loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation cons l-libipsec kernel-netlink resolve socket-default stroke updown eap-identity eap-
Listening IP addresses:
  x.x.x.x
  192.168.16.1
  192.168.17.1
  192.168.18.1
  192.168.19.1
  192.168.20.1
  192.168.21.1
  192.168.22.1
Connections:
        home:  10.x.x.x...10.x.x.x  IKEv2, dpddelay=200s
        home:   local:  [[email protected]] uses pre-shared key authentic
        home:   remote: uses pre-shared key authentication
        home:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
        home[1]: ESTABLISHED 16 hours ago, 10.x.x.x[[email protected]]
        home[1]: IKEv2 SPIs: 3bd67a82f229a91e_i* aeabbe99f737e72e_r, rekeying in
        home[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        home{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c75311d3_i cb2a38b5_o
        home{1}:  AES_CBC_128/HMAC_SHA1_96, 134677 bytes_i (1720 pkts, 1s ago),
        home{1}:   x.x.x.1/32 === 0.0.0.0/0

# cat /proc/sys/net/ipv4/conf/all/rp_filter
2

Any help in this regard is appreciated.

Regards,
Sriram
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
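The report above rests on an observation ("the packets are going out in plain text") that is worth turning into a repeatable check before touching the configuration: capture on the physical interface, not on the libipsec TUN device, and count what actually leaves the host toward the protected network as ESP, as UDP-encapsulated ESP (the status output shows "ESP in UDP"), as IKE, or as cleartext. The script below is an added example and is not part of the original post, nor strongSwan's own tooling. It classifies "tcpdump -nn" text lines; the interface name in the usage comment, the prefix argument ("10." stands in for the protected network, which for rightsubnet=0.0.0.0/0 would be everything) and the sample capture lines are all constructed assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the original post or from strongSwan): classify
# a "tcpdump -nn" capture taken on the physical interface and flag packets
# toward the protected network that left the host in cleartext.
#
# Live usage (assumed interface name, adjust to yours):
#   tcpdump -nn -l -i eth0 | sh check_leak.sh 10.
# Exit status is 1 when any cleartext packet toward the prefix was seen.

# classify_capture PREFIX < capture-lines
# Prints "esp=N natt=N ike=N plain=N"; returns 1 if plain > 0.
# PREFIX is matched textually against the start of the destination
# address, e.g. "10." or "192.168.16.".
classify_capture() {
    awk -v pfx="$1" '
        BEGIN { esp = natt = ike = plain = 0 }
        # NAT-T: ESP inside UDP/4500. Checked first, because tcpdump prints
        # "UDP-encap: ESP(spi=...)" on these lines as well.
        /UDP-encap: ESP/ || /\.4500 > / { natt++; next }
        # ESP directly over IP.
        / ESP\(spi=/ { esp++; next }
        # IKE control traffic on UDP/500 is expected to be visible.
        / isakmp/ || /\.500 > / { ike++; next }
        {
            # "IP a.b.c.d > e.f.g.h: ..." -> destination is the field after ">"
            dst = ""
            for (i = 1; i <= NF; i++) if ($i == ">") { dst = $(i + 1); break }
            # anything else whose destination is inside the protected
            # prefix left the box without ESP protection
            if (dst != "" && index(dst, pfx) == 1) plain++
        }
        END {
            printf "esp=%d natt=%d ike=%d plain=%d\n", esp, natt, ike, plain
            exit (plain > 0)
        }
    '
}

# Constructed tcpdump -nn lines (not a real capture): one IKE packet, two
# ESP packets, one NAT-T encapsulated ESP packet, one DNS query outside the
# protected prefix, and two ICMP echo requests that went out in cleartext
# from the virtual IP toward a host in the protected 10/8 network.
sample_capture() {
    printf '%s\n' \
        '10:36:49.000001 IP 10.1.2.3.500 > 10.9.8.7.500: isakmp: child_sa  inf2' \
        '10:36:49.000002 IP 10.1.2.3 > 10.9.8.7: ESP(spi=0xcb2a38b5,seq=0x1), length 116' \
        '10:36:49.000003 IP 10.1.2.3.4500 > 10.9.8.7.4500: UDP-encap: ESP(spi=0xcb2a38b5,seq=0x2), length 120' \
        '10:36:49.000004 IP 10.1.2.3.53000 > 8.8.8.8.53: UDP, length 40' \
        '10:36:49.000005 IP 192.168.16.1 > 10.20.30.40: ICMP echo request, id 4242, seq 1, length 64' \
        '10:36:49.000006 IP 192.168.16.1 > 10.20.30.40: ICMP echo request, id 4242, seq 2, length 64' \
        '10:36:49.000007 IP 10.1.2.3 > 10.9.8.7: ESP(spi=0xcb2a38b5,seq=0x3), length 116'
}

# Stand-alone demo on the constructed capture; on a live system pipe the
# tcpdump output into classify_capture instead of sample_capture.
if sample_capture | classify_capture '10.'; then
    echo "no cleartext traffic toward the protected network seen"
else
    echo "WARNING: cleartext packets toward the protected network left the host"
fi
```

When the count of plain packets is non-zero while the IKE SA and CHILD_SA show as INSTALLED, the problem is routing rather than crypto: the packets are not being steered into the libipsec TUN device at all, which is exactly the situation the post describes and the first thing to confirm before changing ciphers, fwmarks or rp_filter.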
