
Issue #3258

How to enable save-keys?

Added by Glen Huang 12 months ago. Updated 8 months ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.8.1
Resolution:
No change required

Description

I specified --enable-save-keys while compiling, but setting esp, ike and wireshark_keys didn't seem to have any effect.

I tried both omitting load-modular and setting it to yes, and then set plugins.save-keys.load = true; the "loaded plugins" entry in the logs never listed save-keys.

How do I enable the plugin?

Also, I guess this plugin only writes the file when there is an IKE connection, but in order to analyze the whole traffic I need to open Wireshark before making the connection. So after ikev2_decryption_table is changed, how do I ask Wireshark to reload that file and start decrypting packets? It currently only works if I manually enter the values into the corresponding protocol panels in the preferences.

History

#1 Updated by Tobias Brunner 12 months ago

  • Status changed from New to Feedback

How do I enable the plugin?

FAQ.

So after ikev2_decryption_table is changed, how do I ask Wireshark to reload that file and start decrypt packets?

No idea if that's possible. But you obviously can store captures (tcpdump or wireshark) and analyze them later using the stored keys.

#2 Updated by Glen Huang 12 months ago

Tobias Brunner wrote:

How do I enable the plugin?

FAQ.

The FAQ doesn't seem to help. I checked the .so file, it was there.

These are my autoconf options:

./configure \
    --prefix=/usr \
    --sysconfdir=/etc \
    --libexecdir=/usr/lib \
    --with-ipsecdir=/usr/sbin \
    --with-ipseclibdir=/usr/lib/strongswan \
    --with-capabilities=native \
    --disable-defaults \
    --enable-nonce \
    --enable-openssl \
    --enable-pem \
    --enable-save-keys \
    --enable-x509 \
    --enable-pkcs1 \
    --enable-vici \
    --enable-charon \
    --enable-ikev2 \
    --enable-kernel-netlink \
    --enable-socket-default \
    --enable-swanctl

and strongswan.conf

charon {
    keep_alive = 0
    start-scripts {
        swanctl = swanctl --load-all --noprompt
    }
    plugins {
        save-keys {
            esp = yes
            ike = yes
            wireshark_keys = /tmp
        }
    }
}

the plugin's .so file exists:

$ ls /usr/lib/strongswan/plugins/libstrongswan-save-keys.*
/usr/lib/strongswan/plugins/libstrongswan-save-keys.la    /usr/lib/strongswan/plugins/libstrongswan-save-keys.so

charon's logs

00[DMN] Starting IKE charon daemon (strongSwan 5.8.1, Linux 4.19.0-6-amd64, x86_64)
00[LIB] loaded plugins: charon nonce x509 pkcs1 pem openssl kernel-netlink socket-default vici

After I established the connection, there was nothing in the tmp folder.

#3 Updated by Tobias Brunner 12 months ago

  • Category set to configuration

and strongswan.conf

Which is inadequate to use this particular plugin. It has to be loaded explicitly (I recommend the modular configuration).

#4 Updated by Glen Huang 12 months ago

Tobias Brunner wrote:

and strongswan.conf

Which is inadequate to use this particular plugin. It has to be loaded explicitly (I recommend the modular configuration).

I tried modular last time, not sure why it didn't work. It's working now, thanks a lot Tobias!

From the doc

The recommended way to enable or disable plugins is during compile time.

I was under the impression that if I enabled the plugins during compile time, and didn't specify charon.load or charon.load_modular, the enabled plugins are all loaded. Looks like that's not the case. Is this plugin pretty special in this case?

#5 Updated by Tobias Brunner 12 months ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

Looks like that's not the case.

Not with this particular plugin. It's never loaded automatically due to its impact on security.

#6 Updated by Glen Huang 12 months ago

Tobias Brunner wrote:

Looks like that's not the case.

Not with this particular plugin. It's never loaded automatically due to its impact on security.

Makes sense, thanks a lot.

#7 Updated by liam kelly 8 months ago

I have explicitly loaded the plugin; however, I still do not see any files in the `wireshark_keys` directory.

To confirm, the 'explicit loading' is done by setting `load = true`:

save-keys {
    load = yes
    esp = yes
    ike = yes
    wireshark_keys = /tmp/keys
}

Then you should see:

ipsec[20909]: 00[LIB] loaded plugins: charon save-keys aes rc2 sha2 sha1 ...

#8 Updated by Tobias Brunner 8 months ago

Read the log.

#9 Updated by liam kelly 8 months ago

Found the problem by looking at the logs generated by the plugin:

charon[22401]: 11[IKE] failed to open IKE key table '/tmp/keys/ikev1_decryption_table': Permission denied

Both tmp and keys are `777` and the plugin just uses `fopen` so I imagine this is coming from another security mechanism.

Update
AppArmor was blocking writing to the file; adding the following to '/etc/apparmor.d/usr.lib.ipsec.charon' fixed the problem:

 /tmp/keys/**              rw,
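As an added example (not part of this thread or of strongSwan itself), the two checks a defender would want after reading comments #7 to #9: a log triage that reports whether charon actually listed save-keys among its loaded plugins and extracts any "failed to open ... key table" errors, plus a check that the key directory is not group/world accessible, since save-keys writes live IKE and ESP session keys there. The sample log lines are constructed from the ones quoted above, and the regular expressions are my assumption about the log format rather than a documented strongSwan interface.

```python
import re
import stat

# Constructed sample modelled on the charon output quoted in this thread.
SAMPLE_LOG = """\
00[DMN] Starting IKE charon daemon (strongSwan 5.8.1, Linux 4.19.0-6-amd64, x86_64)
00[LIB] loaded plugins: charon nonce x509 pkcs1 pem openssl kernel-netlink socket-default vici
ipsec[20909]: 00[LIB] loaded plugins: charon save-keys aes rc2 sha2 sha1
charon[22401]: 11[IKE] failed to open IKE key table '/tmp/keys/ikev1_decryption_table': Permission denied
"""

# Assumed line shapes, taken from the quoted log lines (not a documented format).
LOADED_RE = re.compile(r"\[LIB\] loaded plugins: (.*)$")
OPEN_FAIL_RE = re.compile(r"failed to open (?P<what>.*?) '(?P<path>[^']+)': (?P<reason>.*)$")


def triage_charon_log(text):
    """Summarise a charon log: the plugin names it reported as loaded, whether
    save-keys is among them, and every key-table open failure (path, reason)."""
    plugins = set()
    failures = []
    for line in text.splitlines():
        m = LOADED_RE.search(line)
        if m:
            plugins.update(m.group(1).split())
            continue
        m = OPEN_FAIL_RE.search(line)
        if m:
            failures.append((m.group("path"), m.group("reason")))
    return {
        "plugins": plugins,
        "save_keys_loaded": "save-keys" in plugins,
        "key_table_failures": failures,
    }


def key_dir_is_private(mode):
    """True when a directory mode grants nothing to group or other.
    A 777 directory such as the one in comment #9 fails this check: anyone on
    the host could read the decryption tables written there."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    result = triage_charon_log(SAMPLE_LOG)
    print("save-keys loaded:", result["save_keys_loaded"])
    for path, reason in result["key_table_failures"]:
        print("key table not written:", path, "-", reason)
    print("0o777 private:", key_dir_is_private(0o777), "0o700 private:", key_dir_is_private(0o700))
```

To check a real directory, pass `stat.S_IMODE(os.stat(path).st_mode)` to `key_dir_is_private`.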
