Discussion:
[strongSwan-dev] How to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
(too old to reply)
Aaron Zhang
2010-03-31 04:50:56 UTC
Permalink
Hi all.

Are there any ways to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA which are useful to decrypt the IKE_AUTH packet with wireshark.
I set the debug as 4 for all debug type. But there are not such information.

thanks
-Aaron
Andreas Steffen
2010-03-31 05:05:23 UTC
Permalink
Hi Aaron,

with the ipsec.conf setting

charondebug="ike 4"

SK_ei, SK_er, SK_ai, SK_ar are written to the log.
As an alternative the command

ipsec stroke loglevel ike 4

achieves the same when the charon daemon is already running.

Best regards

Andreas
Post by Aaron Zhang
Hi all.
Are there any ways to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
which are useful to decrypt the IKE_AUTH packet with wireshark.
I set the debug as 4 for all debug type. But there are not such information.
thanks
-Aaron
======================================================================
Andreas Steffen ***@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
Aaron Zhang
2010-03-31 05:12:24 UTC
Permalink
Thanks. I got it now.
But I have another question. With the ipsec.conf setting

charondebug="ike 4"
.There still has not any debug information in /var/log/secure.

Only use the command
ipsec stroke loglevel ike 4

There has debug information in /var/log/secure.

Anything I missed?

--Aaron

-----Original Message-----
From: Andreas Steffen [mailto:***@strongswan.org]
Sent: 2010年3月31日 13:05
To: Aaron Zhang
Cc: ***@lists.strongswan.org
Subject: Re: [strongSwan-dev] How to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA

Hi Aaron,

with the ipsec.conf setting

charondebug="ike 4"

SK_ei, SK_er, SK_ai, SK_ar are written to the log.
As an alternative the command

ipsec stroke loglevel ike 4

achieves the same when the charon daemon is already running.

Best regards

Andreas
Post by Aaron Zhang
Hi all.
Are there any ways to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
which are useful to decrypt the IKE_AUTH packet with wireshark.
I set the debug as 4 for all debug type. But there are not such information.
thanks
-Aaron
======================================================================
Andreas Steffen ***@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
=====================================
Andreas Steffen
2010-03-31 05:17:57 UTC
Permalink
Hi Aaron,

did you put the charondebug directive into the
"config setup" section of ipsec.conf as in the following example

http://www.strongswan.org/uml/testresults43/ikev2/alg-blowfish/moon.ipsec.conf

and did you restart the charon daemon?

Andreas
Post by Aaron Zhang
Thanks. I got it now.
But I have another question. With the ipsec.conf setting
charondebug="ike 4"
.There still has not any debug information in /var/log/secure.
Only use the command
ipsec stroke loglevel ike 4
There has debug information in /var/log/secure.
Anything I missed?
--Aaron
-----Original Message-----
Sent: 2010Äê3ÔÂ31ÈÕ 13:05
To: Aaron Zhang
Subject: Re: [strongSwan-dev] How to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
Hi Aaron,
with the ipsec.conf setting
charondebug="ike 4"
SK_ei, SK_er, SK_ai, SK_ar are written to the log.
As an alternative the command
ipsec stroke loglevel ike 4
achieves the same when the charon daemon is already running.
Best regards
Andreas
Post by Aaron Zhang
Hi all.
Are there any ways to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
which are useful to decrypt the IKE_AUTH packet with wireshark.
I set the debug as 4 for all debug type. But there are not such information.
thanks
-Aaron
======================================================================
Andreas Steffen ***@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
Aaron Zhang
2010-03-31 05:38:23 UTC
Permalink
Hi,Steffen,

Yes, I put the charondebug directive in the "config setup" section of ipsec.conf.
And I input the command

ipsec restart

I believe this command will restart the Charon daemon. But there are not any result.
I doubt I should load some plugins?


--Aaron

-----Original Message-----
From: Andreas Steffen [mailto:***@strongswan.org]
Sent: 2010年3月31日 13:18
To: Aaron Zhang
Cc: ***@lists.strongswan.org
Subject: Re: [strongSwan-dev] How to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA

Hi Aaron,

did you put the charondebug directive into the
"config setup" section of ipsec.conf as in the following example

http://www.strongswan.org/uml/testresults43/ikev2/alg-blowfish/moon.ipsec.conf

and did you restart the charon daemon?

Andreas
Post by Aaron Zhang
Thanks. I got it now.
But I have another question. With the ipsec.conf setting
charondebug="ike 4"
.There still has not any debug information in /var/log/secure.
Only use the command
ipsec stroke loglevel ike 4
There has debug information in /var/log/secure.
Anything I missed?
--Aaron
-----Original Message-----
Sent: 2010年3月31日 13:05
To: Aaron Zhang
Subject: Re: [strongSwan-dev] How to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
Hi Aaron,
with the ipsec.conf setting
charondebug="ike 4"
SK_ei, SK_er, SK_ai, SK_ar are written to the log.
As an alternative the command
ipsec stroke loglevel ike 4
achieves the same when the charon daemon is already running.
Best regards
Andreas
Post by Aaron Zhang
Hi all.
Are there any ways to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
which are useful to decrypt the IKE_AUTH packet with wireshark.
I set the debug as 4 for all debug type. But there are not such information.
thanks
-Aaron
======================================================================
Andreas Steffen ***@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
========================================
Andreas Steffen
2010-03-31 05:44:22 UTC
Permalink
Did you define any loggers in strongswan.conf which would replace
the defaults defined by ipsec.conf:

http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

Regards

Andreas
Post by Aaron Zhang
Hi,Steffen,
Yes, I put the charondebug directive in the "config setup" section of ipsec.conf.
And I input the command
ipsec restart
I believe this command will restart the Charon daemon. But there are not any result.
I doubt I should load some plugins?
--Aaron
-----Original Message-----
Sent: 2010Äê3ÔÂ31ÈÕ 13:18
To: Aaron Zhang
Subject: Re: [strongSwan-dev] How to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
Hi Aaron,
did you put the charondebug directive into the
"config setup" section of ipsec.conf as in the following example
http://www.strongswan.org/uml/testresults43/ikev2/alg-blowfish/moon.ipsec.conf
and did you restart the charon daemon?
Andreas
Post by Aaron Zhang
Thanks. I got it now.
But I have another question. With the ipsec.conf setting
charondebug="ike 4"
.There still has not any debug information in /var/log/secure.
Only use the command
ipsec stroke loglevel ike 4
There has debug information in /var/log/secure.
Anything I missed?
--Aaron
-----Original Message-----
Sent: 2010Äê3ÔÂ31ÈÕ 13:05
To: Aaron Zhang
Subject: Re: [strongSwan-dev] How to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
Hi Aaron,
with the ipsec.conf setting
charondebug="ike 4"
SK_ei, SK_er, SK_ai, SK_ar are written to the log.
As an alternative the command
ipsec stroke loglevel ike 4
achieves the same when the charon daemon is already running.
Best regards
Andreas
Post by Aaron Zhang
Hi all.
Are there any ways to dump the SK_ei, SK_er, SK_ai, SK_ar of the IKE_SA
which are useful to decrypt the IKE_AUTH packet with wireshark.
I set the debug as 4 for all debug type. But there are not such information.
thanks
-Aaron
======================================================================
Andreas Steffen ***@strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
Loading...