Date:      Wed, 12 Dec 2001 11:53:18 -0800
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        cjm2@27in.tv
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipsec & tcpdump
Message-ID:  <20011212115317.C487@gohan.cjclark.org>
In-Reply-To: <3601.216.153.201.254.1008095804.squirrel@www.27in.tv>; from cjm2@27in.tv on Tue, Dec 11, 2001 at 01:36:44PM -0500
References:  <3601.216.153.201.254.1008095804.squirrel@www.27in.tv>

On Tue, Dec 11, 2001 at 01:36:44PM -0500, cjm2@27in.tv wrote:
> Hello,
> 
> I am running 4.4-STABLE.  I have an ipsec/ESP tunnel to another box.  I am
> trying to find out if there is any way to view the tcp/ip traffic (w/
> tcpdump) that is going over that tunnel.  Not being able to view this
> traffic is making troubleshooting some other issues rather difficult.

I am not sure I understand this correctly. Obviously, if you can
actually see the TCP information in the ESP packets, your tunnel is
not providing much security.

> My ifconfig reads: (Public IPs have been faked to protect the innocent.)
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         ether 00:c0:f0:4d:f6:9f
>         media: Ethernet autoselect (100baseTX)
>         status: active
> ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 1.2.3.4 netmask 0xfffffc00 broadcast 255.255.255.255
>         ether 00:00:e8:d7:ef:3c
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>         tunnel inet 1.2.3.4 --> 5.6.7.8
>         inet 10.0.0.1 --> 192.168.0.1 netmask 0xffffff00
> 
> My IP is 10.0.0.1 and the remote IP is 192.168.0.1.  As a test I set up a
> ping to 192.168.0.1
> 
> "tcpdump -i ed0 proto 1" shows me the ESP packets

It shouldn't. ESP is protocol 50. Protocol 1 is ICMP.

> "tcpdump -i dc0 proto 1" shows me nothing.
> "tcpdump -i gif0 proto 1" shows me nothing.  In addition, no packets ever
> seem to pass through gif0 (from a tcpdump point of view).
-- 
Crist J. Clark                           cjclark@alum.mit.edu
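An added illustration of the protocol-number point in the reply above (this is example code, not anything from the thread or from FreeBSD): a small classifier that looks at the same thing tcpdump's "proto N" filter looks at, the protocol field of the outer IP header, run over two constructed packets, a plain ICMP ping and the same ping wrapped in ESP. The XOR scrambling, the SPI value and the packet contents are stand-ins for real ESP, constructed only so the example runs offline.

```python
# Added example: mimic tcpdump's "proto N" test on constructed packets to
# show why "proto 1" (ICMP) never matches an ESP-tunnelled ping (protocol 50),
# and that only the ESP SPI and sequence number are visible to a sniffer.
import struct

IPPROTO_ICMP = 1
IPPROTO_ESP = 50

def ipv4_packet(src, dst, proto, payload):
    """Build an IPv4 header (no options, checksum left zero) plus payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + payload

def outer_proto(packet):
    """Return the outer IP protocol number, as 'tcpdump proto N' sees it."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return packet[9]

def esp_header(packet):
    """For an ESP packet return (SPI, sequence number); the rest is ciphertext."""
    ihl = (packet[0] & 0x0F) * 4
    if outer_proto(packet) != IPPROTO_ESP or len(packet) < ihl + 8:
        return None
    return struct.unpack("!II", packet[ihl:ihl + 8])

# Constructed sample traffic, using the (faked) addresses from the thread.
icmp_ping = ipv4_packet("10.0.0.1", "192.168.0.1", IPPROTO_ICMP,
                        bytes([8, 0, 0xF7, 0xFF]) + b"\x00\x01\x00\x01" + b"ping")
# The same ping after ESP tunnelling between the public addresses: the inner
# packet is scrambled (XOR stands in for real encryption) behind SPI + seq.
spi, seq = 0x00001000, 7
esp_ping = ipv4_packet("1.2.3.4", "5.6.7.8", IPPROTO_ESP,
                       struct.pack("!II", spi, seq)
                       + bytes(b ^ 0xAA for b in icmp_ping))

def matches(packet, proto):
    """Equivalent of the BPF expression 'proto <proto>' on the outer header."""
    return outer_proto(packet) == proto

if __name__ == "__main__":
    print("ICMP ping matches 'proto 1':", matches(icmp_ping, IPPROTO_ICMP))
    print("ESP ping matches 'proto 1':", matches(esp_ping, IPPROTO_ICMP))
    print("ESP ping matches 'proto 50':", matches(esp_ping, IPPROTO_ESP))
    print("Cleartext ESP fields (SPI, seq):", esp_header(esp_ping))
```

On a real system the inner cleartext is only visible where the kernel hands the decapsulated packet to an interface, which is what the original poster was hoping to see on gif0.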

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message