From owner-freebsd-net Thu May 3 6:11:14 2001
Delivered-To: freebsd-net@freebsd.org
Received: from whizzo.transsys.com (whizzo.TransSys.COM [144.202.42.10]) by hub.freebsd.org (Postfix) with ESMTP id 0358D37B423 for ; Thu, 3 May 2001 06:11:11 -0700 (PDT) (envelope-from louie@whizzo.transsys.com)
Received: from whizzo.transsys.com (#6@localhost.transsys.com [127.0.0.1]) by whizzo.transsys.com (8.11.3/8.11.0) with ESMTP id f43DB9711069; Thu, 3 May 2001 09:11:09 -0400 (EDT) (envelope-from louie@whizzo.transsys.com)
Message-Id: <200105031311.f43DB9711069@whizzo.transsys.com>
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
To: Erik Salander
Cc: freebsd-net@FreeBSD.ORG
X-Image-URL: http://www.transsys.com/louie/images/louie-mail.jpg
From: "Louis A. Mamakos"
Subject: Re: gifs and tcpdump
References: <3AF0B57B.4D789393@whistle.com>
In-reply-to: Your message of "Wed, 02 May 2001 18:33:47 PDT." <3AF0B57B.4D789393@whistle.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 03 May 2001 09:11:09 -0400
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>
> Should I be able to "tcpdump -i gif0"? tcpdump indicates it's listening
> on gif0 but I never capture anything.
>
> My gif's look like this:
> gif0: flags=8091 mtu 1440
>       inet 10.3.1.1 --> 10.3.2.1 netmask 0xffffffff
>       physical address inet 207.76.205.83 --> 207.76.205.115
>
> My route to 10.3.2/24 is via gif0 (from netstat -nr):
> 10.3.2/24     10.3.2.1    UGSc    0     0    gif0
> 10.3.2.1      10.3.1.1    UH      3   132    gif0
>
> Using the gifs for a LAN-LAN VPN. Thanks.

Traffic going over an ESP tunnel never actually transits the tunnel interface. In fact, if you arrange to have the right routes installed, you don't even need the gif interface at all.

From some recent experiments I've done, the gif interface seems to be used only for:

- side effect of installed host routes which are needed when matching the IPSEC policy specification
- carrying traffic that isn't matching the IPSEC policy specification (if there is any at all)

I found this very counter-intuitive; however, if you do a tcpdump on the physical interface carrying the tunnel traffic, you'll see that the IPSEC traffic isn't in an ipip encapsulation at all.

Yes, I found this very counter-intuitive. From what I can tell, there's no easy way to do a tcpdump and see the unencrypted traffic as it exits the IPSEC tunnel. What I may try next is to specify a transport-mode IPSEC policy that covers the gif interface tunnel endpoints, but I don't know if that will work or not.

louie

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-net" in the body of the message
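The two designs discussed in this thread, written out as setkey(8) security-policy text: tunnel-mode ESP between the gateways (where the kernel builds the outer header itself and gif0 is bypassed, which is why `tcpdump -i gif0` shows nothing), and the alternative Louis mentions trying, a transport-mode policy covering only the gif tunnel endpoints so that gif0 does the IP-in-IP encapsulation and carries the cleartext packets. This is an added example written for this page, not code from either poster; the addresses are the ones quoted above, the local LAN 10.3.1.0/24 is an assumption (the mail only shows the remote 10.3.2/24 route), and `ipencap` is the /etc/protocols name for IP protocol 4.

```shell
#!/bin/sh
# Added example (not from the original mail): emit setkey(8) policy text for
# the two ways of running a LAN-to-LAN IPsec tunnel on FreeBSD, using the
# addresses quoted in the thread. Assumption: the local LAN behind 10.3.1.1 is
# 10.3.1.0/24; the mail only shows the remote 10.3.2/24 route.

LOCAL_LAN=10.3.1.0/24
REMOTE_LAN=10.3.2.0/24
LOCAL_GW=207.76.205.83
REMOTE_GW=207.76.205.115

# Tunnel-mode ESP: the kernel adds the outer IP header itself, so the packet
# appears on the physical interface as ESP (IP proto 50) with no IP-in-IP
# layer, and the gif interface is never in the forwarding path.
tunnel_mode_policy() {
    cat <<EOF
spdadd $LOCAL_LAN $REMOTE_LAN any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_LAN $LOCAL_LAN any -P in  ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# gif + transport-mode ESP: gif0 performs the IP-in-IP encapsulation (proto 4,
# "ipencap" in /etc/protocols), and a transport-mode policy between the two
# tunnel endpoints encrypts only that encapsulated traffic. The inner cleartext
# packets traverse gif0, so a capture there sees them.
gif_transport_policy() {
    cat <<EOF
spdadd $LOCAL_GW/32 $REMOTE_GW/32 ipencap -P out ipsec esp/transport//require;
spdadd $REMOTE_GW/32 $LOCAL_GW/32 ipencap -P in  ipsec esp/transport//require;
EOF
}

# Where a capture of the cleartext inner packets is possible for each design.
capture_interface() {
    case "$1" in
        tunnel) echo "none: only ESP is visible, on the physical interface" ;;
        gif)    echo "gif0" ;;
        *)      echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Classify a setkey policy line by its IPsec mode.
policy_mode() {
    case "$1" in
        *esp/tunnel/*)    echo tunnel ;;
        *esp/transport/*) echo transport ;;
        *)                echo unknown; return 1 ;;
    esac
}

# Usage: print both policy sets for review before loading one with setkey -f.
echo "# tunnel mode (gif0 bypassed)"; tunnel_mode_policy
echo "# gif + transport mode (cleartext visible on gif0)"; gif_transport_policy
```

Load whichever set you choose with `setkey -f` on both gateways (mirroring the in/out directions on the remote side); the gif interface itself is still configured with `ifconfig gif0 tunnel` and the inner addresses as in the quoted output.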