Issue #3258
How to enable save-keys?
Description
I specified --enable-save-keys while compiling, but setting esp, ike and wireshark_keys didn't seem to have any effect.
I tried both omitting load-modular and setting it to yes and then set plugins.save-keys.load = true, the "loaded plugins" entry in logs never listed save-keys.
How do I enable the plugin?
Also I guess this plugin only writes files when there is an IKE connection, but in order to analyze the whole traffic, I need to open Wireshark before making the connection. So after ikev2_decryption_table is changed, how do I ask Wireshark to reload that file and start decrypting packets? It currently only works if I manually enter values into the corresponding protocol panels in the preferences.
History
#1 Updated by Tobias Brunner almost 6 years ago
- Status changed from New to Feedback
How do I enable the plugin?
FAQ.
So after ikev2_decryption_table is changed, how do I ask Wireshark to reload that file and start decrypting packets?
No idea if that's possible. But you obviously can store captures (tcpdump or wireshark) and analyze them later using the stored keys.
#2 Updated by Glen Huang almost 6 years ago
Tobias Brunner wrote:
How do I enable the plugin?
FAQ.
FAQ doesn't seem to help. I checked the so file, it was there.
These are my autoconf options:
./configure --prefix=/usr --sysconfdir=/etc --libexecdir=/usr/lib --with-ipsecdir=/usr/sbin --with-ipseclibdir=/usr/lib/strongswan --with-capabilities=native --disable-defaults --enable-nonce --enable-openssl --enable-pem --enable-save-keys --enable-x509 --enable-pkcs1 --enable-vici --enable-charon --enable-ikev2 --enable-kernel-netlink --enable-socket-default --enable-swanctl
and strongswan.conf
charon {
    keep_alive = 0
    start-scripts {
        swanctl = swanctl --load-all --noprompt
    }
    plugins {
        save-keys {
            esp = yes
            ike = yes
            wireshark_keys = /tmp
        }
    }
}
the plugin's so file exists
$ ls /usr/lib/strongswan/plugins/libstrongswan-save-keys.*
/usr/lib/strongswan/plugins/libstrongswan-save-keys.la
/usr/lib/strongswan/plugins/libstrongswan-save-keys.so
charon's logs
00[DMN] Starting IKE charon daemon (strongSwan 5.8.1, Linux 4.19.0-6-amd64, x86_64)
00[LIB] loaded plugins: charon nonce x509 pkcs1 pem openssl kernel-netlink socket-default vici
After I established the connection, there was nothing in the tmp folder.
#3 Updated by Tobias Brunner almost 6 years ago
- Category set to configuration
and strongswan.conf
Which is inadequate to use this particular plugin. It has to be loaded explicitly (I recommend the modular configuration).
#4 Updated by Glen Huang almost 6 years ago
Tobias Brunner wrote:
and strongswan.conf
Which is inadequate to use this particular plugin. It has to be loaded explicitly (I recommend the modular configuration).
I tried modular last time, not sure why it didn't work. It's working now, thanks a lot Tobias!
From the doc
The recommended way to enable or disable plugins is during compile time.
I was under the impression that if I enabled the plugins during compile time, and didn't specify charon.load or charon.load_modular, the enabled plugins are all loaded. Looks like that's not the case. Is this plugin pretty special in this case?
#5 Updated by Tobias Brunner almost 6 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required
Looks like that's not the case.
Not with this particular plugin. It's never loaded automatically due to its impact on security.
#6 Updated by Glen Huang almost 6 years ago
Tobias Brunner wrote:
Looks like that's not the case.
Not with this particular plugin. It's never loaded automatically due to its impact on security.
Makes sense, thanks a lot.
#7 Updated by liam kelly over 5 years ago
I have explicitly loaded the plugin; however, I still do not see any files in the `wireshark_keys` directory.
To confirm, the 'explicit loading' is done by setting `load = true`:
save-keys {
    load = yes
    esp = yes
    ike = yes
    wireshark_keys = /tmp/keys
}
Then you should see:
ipsec[20909]: 00[LIB] loaded plugins: charon save-keys aes rc2 sha2 sha1 ...
#8 Updated by Tobias Brunner over 5 years ago
Read the log.
#9 Updated by liam kelly over 5 years ago
Found the problem by looking at the logs generated by the plugin:
charon[22401]: 11[IKE] failed to open IKE key table '/tmp/keys/ikev1_decryption_table': Permission denied
Both tmp and keys are `777` and the plugin just uses `fopen` so I imagine this is coming from another security mechanism.
Update
AppArmor was blocking writing to the file, adding the following to '/etc/apparmor.d/usr.lib.ipsec.charon' fixed the problem:
/tmp/keys/** rw,
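The two checks this thread converges on (is save-keys actually named for loading in strongswan.conf, and does charon's "loaded plugins:" line confirm it) can be scripted. The following is an added example written for this page, not code from the thread or from strongSwan itself. It contains a small parser for the subset of strongswan.conf syntax used in the posts (one `key = value` or `section {` per line; no `include`), a `save_keys_requested` rule that encodes the thread's conclusion (the plugin must be listed via its own `load` setting or in `charon.load`; setting only esp/ike/wireshark_keys is not enough), and a `loaded_plugins` helper that reads the authoritative answer from the log line. The sample configs and log lines are constructed from the ones quoted in comments #2 and #7; the `load_modular = yes` line in the fixed config reflects the modular setup recommended in comment #3.

```python
import re
from typing import Any, Optional

TRUE_VALUES = {"yes", "true", "1"}

# Constructed from the strongswan.conf posted in comment #2, one statement per line.
CONF_AS_POSTED = """\
charon {
    keep_alive = 0
    start-scripts {
        swanctl = swanctl --load-all --noprompt
    }
    plugins {
        save-keys {
            esp = yes
            ike = yes
            wireshark_keys = /tmp
        }
    }
}
"""

# The same file with the plugin loaded explicitly (modular loading plus the
# plugin's own load setting), as the thread ends up recommending.
CONF_FIXED = CONF_AS_POSTED.replace(
    "    keep_alive = 0\n", "    keep_alive = 0\n    load_modular = yes\n"
).replace(
    "        save-keys {\n", "        save-keys {\n            load = yes\n"
)

# Log lines quoted in comments #2 and #7 (the second is truncated in the thread).
LOG_WITHOUT_PLUGIN = ("00[LIB] loaded plugins: charon nonce x509 pkcs1 pem openssl "
                      "kernel-netlink socket-default vici")
LOG_WITH_PLUGIN = "ipsec[20909]: 00[LIB] loaded plugins: charon save-keys aes rc2 sha2 sha1 ..."


def parse_strongswan_conf(text: str) -> dict:
    """Parse the strongswan.conf subset used here: `key = value` (value runs to end
    of line), `section {` and `}` on their own lines, `#` comments. No include support."""
    root: dict = {}
    stack: list = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
            continue
        m = re.fullmatch(r"([\w.-]+)\s*\{", line)
        if m:
            section = stack[-1].setdefault(m.group(1), {})
            if not isinstance(section, dict):
                raise ValueError(f"line {lineno}: {m.group(1)} is both a key and a section")
            stack.append(section)
            continue
        m = re.fullmatch(r"([\w.-]+)\s*=\s*(.*)", line)
        if m:
            stack[-1][m.group(1)] = m.group(2).strip()
            continue
        raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


def lookup(conf: dict, dotted: str) -> Optional[Any]:
    """Fetch a value by dotted path, e.g. 'charon.plugins.save-keys.wireshark_keys'."""
    node: Any = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def save_keys_requested(conf: dict) -> bool:
    """True if the config names save-keys for loading: either the plugin's own
    load setting or an entry in charon.load. Configuring esp/ike/wireshark_keys
    alone does not count, which is the misunderstanding in the thread."""
    own = str(lookup(conf, "charon.plugins.save-keys.load") or "").lower()
    if own in TRUE_VALUES:
        return True
    return "save-keys" in str(lookup(conf, "charon.load") or "").split()


def loaded_plugins(log_line: str) -> list:
    """Plugin names from a charon 'loaded plugins:' log line, the authoritative check."""
    m = re.search(r"loaded plugins:\s*(.*)$", log_line)
    return m.group(1).split() if m else []


def audit(conf_text: str, log_line: str) -> dict:
    """Combine config intent and log evidence; keys_dir shows where keys would land."""
    conf = parse_strongswan_conf(conf_text)
    return {
        "requested": save_keys_requested(conf),
        "loaded": "save-keys" in loaded_plugins(log_line),
        "keys_dir": lookup(conf, "charon.plugins.save-keys.wireshark_keys"),
    }


if __name__ == "__main__":
    print("as posted:", audit(CONF_AS_POSTED, LOG_WITHOUT_PLUGIN))
    print("fixed:    ", audit(CONF_FIXED, LOG_WITH_PLUGIN))
```

Run against the posted config and log, `audit` reports `requested: False, loaded: False`; against the fixed config and the comment #7 log it reports both as True. Because save-keys writes IKE and ESP key material to disk, the same `audit` is equally useful in the other direction: run over a production strongswan.conf and charon log, a `loaded: True` result is something to flag, and `keys_dir` tells you where that material has been written.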