ipsec – richliu's blog https://blog.richliu.com Linux, 工作, 生活, 家人 Wed, 23 Dec 2015 05:56:42 +0000 zh-TW hourly 1 https://wordpress.org/?v=6.6.2 Strongswan ipsec debug https://blog.richliu.com/2015/08/19/1839/strongswan-ipsec-debug/ https://blog.richliu.com/2015/08/19/1839/strongswan-ipsec-debug/#respond Wed, 19 Aug 2015 09:23:50 +0000 http://blog.richliu.com/?p=1839 可以在 runtime 下指令馬上更改 debug command, # ipsec stroke logle […]

The post Strongswan ipsec debug appeared first on richliu's blog.

]]> 可以在 runtime 下指令馬上更改 debug command,
# ipsec stroke loglevel ike 2
也可以寫在 ipsec.conf 內.

Logger configuration

其他可以debug 的參數還有
types are dmn, mgr, ike, chd, job, cfg, knl, net, asn, enc, lib, esp, tls, tnc, imc, imv, pts and the level
is one of [-1, 0, 1, 2, 3, 4] (for silent, audit, control, controlmore, raw, private). By default, the level
is set to 1 for all types.

ipsec.conf: config setup

如果是要 decode ESP 封包, 要下 command
# ip xfrm state
src —.—.—.— dst —.—.—.—
proto esp spi 0xc5833fd7 reqid 4 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xde33744975f816f9fdcb7969a3d5a337 96
enc cbc(aes) 0x9bf7b545ba3e35523c9a0c9f74b2c386ffb4634d
src —.—.—.— dst —.—.—.—
proto esp spi 0xc985f51a reqid 4 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xf1341b4ddeb700925a8294264b271130 96
enc cbc(aes) 0x2f7a7dc8e136ed645d13b89fcd7b408fce3636ad
取出 SPI , encryption key and authentication key 填到 Wireshark ESP protocol 的 ESP SAs 內就可以了. ESP-1ESP-2

The post Strongswan ipsec debug appeared first on richliu's blog.

]]> https://blog.richliu.com/2015/08/19/1839/strongswan-ipsec-debug/feed/ 0