We have created an IPsec tunnel using strongSwan as follows:

server (eth interface - 13.13.7.13) --> client (eth interface - 13.13.7.18)

When the IKEv2 phase 1 and phase 2 message exchanges happen, the source IP and destination IP are the same as the IP addresses assigned to the eth interfaces (confirmed via Wireshark), and the ISAKMP message exchange has completed successfully.

1) When I started transmitting data via the SCP protocol between client and server, I noticed ESP and SSH packets, in which the ESP packets just have a sequence number but no encrypted payload, and the SSH packets have an encrypted payload. But as per the IPsec protocol, data should be encrypted in the ESP protocol itself. Why is there no payload info in the ESP packets?

FYI: I noticed continuous ESP packets after the ISAKMP exchange (negotiation and authentication done).

The SSH and ESP packets look like this:

**SSH Protocol**

    SSH Version 2 (encryption:chacha20-poly1305@openssh.com mac:<implicit> compression:none)
    Packet Length (encrypted): e78d1cd9
    Encrypted Packet: 9679398c167c33ca6c1eecc4879e59d417b39545c80b0e40...
    MAC: 27b594b6290dcdf3a09fd2fb84884cd7

**ESP Protocol**

    Encapsulating Security Payload
    ESP SPI: 0xc86cb75d (3362568029)
    ESP Sequence: 19
Kumar

1 Answer

The ESP payload is ideally not visible in Wireshark directly; you need to enable the ESP preferences in the Wireshark tool by providing the tunnel SPI, endpoint IPs, enc/auth keys etc., as mentioned in the wiki.

Sunil Bojanapally
  • Thank you, but when we do a file transfer between client and server using SCP, is the data encryption done by SSH or ESP? If SSH, could you please explain. – Kumar Nov 25 '19 at 15:04
  • @Kumar, if the policy and traffic selectors are matched with the ESP tunnel, then SCP data could get through ESP. But I doubt in your case it's ESP, because if it's ESP you couldn't have encrypted data in SSH. Secondly, SSH has a packet format with payload/MAC bytes, hence you could see them, but not in the ESP packet. – Sunil Bojanapally Nov 26 '19 at 07:18
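As an added illustration of the two points made in this answer and its comment (this is example code, not from the original post, strongSwan or Wireshark), the Python below parses raw IPv4 packets straight from a capture. For an ESP packet it extracts the SPI and sequence number from the 8-byte header defined in RFC 4303 and reports how many opaque bytes (IV, ciphertext, padding and ICV) follow them; those bytes are the encrypted payload that sits behind a Wireshark tree showing only "ESP SPI" and "ESP Sequence", and they stay opaque until the SA keys are entered in the ESP preferences. For a TCP packet it flags any SSH/SCP segment that is travelling outside ESP, which is the symptom of the IPsec traffic selectors not covering the SCP flow. The sample packets are constructed inline using the addresses and SPI quoted in the question; `build_ipv4`, `classify` and `audit` are names chosen for this example.

```python
import struct
from ipaddress import IPv4Address

ESP = 50      # IP protocol number for ESP (RFC 4303)
TCP = 6
SSH_PORT = 22


def parse_ipv4(raw):
    """Return protocol, endpoints and the L4 payload of an IPv4 packet."""
    if len(raw) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": str(IPv4Address(src)),
            "dst": str(IPv4Address(dst)), "payload": raw[ihl:total_len]}


def parse_esp(payload):
    """ESP header is 4-byte SPI + 4-byte sequence; everything after is
    IV/ciphertext/padding/ICV and cannot be dissected without the SA keys."""
    spi, seq = struct.unpack("!II", payload[:8])
    return {"spi": spi, "seq": seq, "encrypted_len": len(payload) - 8}


def parse_tcp(payload):
    sport, dport = struct.unpack("!HH", payload[:4])
    data_off = (payload[12] >> 4) * 4      # header length in bytes
    return {"sport": sport, "dport": dport, "data_len": len(payload) - data_off}


def classify(raw):
    """Label a packet as ESP, SSH-in-the-clear, other TCP, or other."""
    ip = parse_ipv4(raw)
    if ip["proto"] == ESP:
        return {"kind": "esp", "src": ip["src"], "dst": ip["dst"],
                **parse_esp(ip["payload"])}
    if ip["proto"] == TCP:
        tcp = parse_tcp(ip["payload"])
        kind = "ssh_cleartext" if SSH_PORT in (tcp["sport"], tcp["dport"]) else "tcp"
        return {"kind": kind, "src": ip["src"], "dst": ip["dst"], **tcp}
    return {"kind": "other", "proto": ip["proto"]}


def audit(packets):
    """Count packet kinds; SCP is only protected by IPsec if no SSH segment
    appears outside an ESP envelope (i.e. the traffic selectors match)."""
    summary = {"esp": 0, "ssh_cleartext": 0, "other": 0}
    for raw in packets:
        kind = classify(raw)["kind"]
        summary[kind if kind in summary else "other"] += 1
    summary["scp_protected_by_esp"] = summary["ssh_cleartext"] == 0
    return summary


def build_ipv4(proto, src, dst, payload):
    """Helper to construct sample packets (checksum left zero on purpose)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


# Constructed sample "capture" using the endpoints and SPI from the question.
# 48 opaque bytes stand in for IV + ciphertext + ICV behind the ESP header.
ESP_PKT = build_ipv4(ESP, "13.13.7.13", "13.13.7.18",
                     struct.pack("!II", 0xC86CB75D, 19) + bytes(range(48)))
# A TCP segment to port 22 carried directly over IP, i.e. SSH outside ESP.
SSH_PKT = build_ipv4(TCP, "13.13.7.13", "13.13.7.18",
                     struct.pack("!HHIIBBHHH", 40000, 22, 1, 1, 5 << 4,
                                 0x18, 65535, 0, 0) + b"\x00" * 64)

if __name__ == "__main__":
    for pkt in (ESP_PKT, SSH_PKT):
        print(classify(pkt))
    print(audit([ESP_PKT, SSH_PKT]))
```

Running this over a real capture (one raw IPv4 packet per entry) tells you two things the Wireshark tree alone does not: that every ESP packet does carry an encrypted body after the 8-byte header, and whether any SSH segment between the two hosts bypasses the tunnel, which is the case to check first when SSH ciphertext is visible alongside ESP.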