From owner-freebsd-questions Wed Dec 12 11:54:06 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from swan.prod.itd.earthlink.net (swan.mail.pas.earthlink.net [207.217.120.123]) by hub.freebsd.org (Postfix) with ESMTP id 5FA9F37B417 for ; Wed, 12 Dec 2001 11:53:55 -0800 (PST)
Received: from user-33qtm6u.dialup.mindspring.com ([199.174.216.222] helo=gohan.cjclark.org) by swan.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16EFRi-0000Qn-00; Wed, 12 Dec 2001 11:53:39 -0800
Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id fBCJrIc01535; Wed, 12 Dec 2001 11:53:18 -0800 (PST) (envelope-from cjc)
Date: Wed, 12 Dec 2001 11:53:18 -0800
From: "Crist J. Clark"
To: cjm2@27in.tv
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipsec & tcpdump
Message-ID: <20011212115317.C487@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <3601.216.153.201.254.1008095804.squirrel@www.27in.tv>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3601.216.153.201.254.1008095804.squirrel@www.27in.tv>; from cjm2@27in.tv on Tue, Dec 11, 2001 at 01:36:44PM -0500
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, Dec 11, 2001 at 01:36:44PM -0500, cjm2@27in.tv wrote:
> Hello,
>
> I am running 4.4-STABLE. I have an ipsec/ESP tunnel to another box. I am
> trying to find out if there is any way to view the tcp/ip traffic (w/
> tcpdump) that is going over that tunnel. Not being able to view this
> traffic is making troubleshooting some other issues rather difficult.

I am not sure I understand this correctly. Obviously, if you can
actually see the TCP information in the ESP packets, your tunnel is
not providing much security.

> My ifconfig reads: (Public ip's have been faked to protect the innocent.)
>
> dc0: flags=8843 mtu 1500
>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>         ether 00:c0:f0:4d:f6:9f
>         media: Ethernet autoselect (100baseTX)
>         status: active
> ed0: flags=8843 mtu 1500
>         inet 1.2.3.4 netmask 0xfffffc00 broadcast 255.255.255.255
>         ether 00:00:e8:d7:ef:3c
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.1 netmask 0xff000000
> gif0: flags=8051 mtu 1280
>         tunnel inet 1.2.3.4 --> 5.6.7.8
>         inet 10.0.0.1 --> 192.168.0.1 netmask 0xffffff00
>
> My ip is 10.0.0.1 and the remote ip is 192.168.0.1. As a test I setup a
> ping to 192.168.0.1
>
> "tcpdump -i ed0 proto 1" shows me the ESP packets

It shouldn't. ESP is protocol 50. Protocol 1 is ICMP.

> "tcpdump -i dc0 proto 1" shows me nothing.
> "tcpdump -i gif0 proto 1" shows me nothing. In addition, no packets ever
> seem to pass through gif0 (from a tcpdump point of view).

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
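The exchange above turns on what a `proto N` filter actually matches: tcpdump's `ip proto` primitive looks only at the protocol field of the outermost IP header, so on the public interface (ed0) an ESP tunnel packet is protocol 50 and its inner ICMP is ciphertext, while the plaintext inner packet (protocol 1) is only visible on the tunnel interface (gif0) if the kernel passes it there. The following is an added example, not code from the thread or from FreeBSD: it builds a constructed ping packet and a constructed ESP tunnel packet around it, then applies a `proto N` style match to each. The addresses reuse the ones in the post, the SPI, sequence number and key are made up, and a repeating XOR stands in for ESP's real cipher purely so the script runs offline and deterministically (it is not encryption in any meaningful sense).

```python
import socket
import struct

IPPROTO_ICMP = 1   # what "tcpdump proto 1" matches
IPPROTO_ESP = 50   # what "tcpdump proto 50" (or "tcpdump esp") matches


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words (also used by ICMP)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Outer-header view: exactly the fields a BPF 'ip proto N' filter sees."""
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:total_len]}


def parse_esp(payload: bytes) -> dict:
    """ESP header (RFC 2406): 4-byte SPI, 4-byte sequence number, then ciphertext."""
    spi, seq = struct.unpack("!II", payload[:8])
    return {"spi": spi, "seq": seq, "ciphertext": payload[8:]}


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    # Stand-in for the real ESP cipher. NOT secure; only here so the example
    # runs offline and deterministically. XOR is its own inverse.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_esp_tunnel_packet(inner: bytes, outer_src: str, outer_dst: str,
                            spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel-mode ESP: the whole inner IP packet becomes the ESP payload."""
    esp = struct.pack("!II", spi, seq) + toy_encrypt(inner, key)
    return build_ipv4(outer_src, outer_dst, IPPROTO_ESP, esp)


def bpf_ip_proto(pkt: bytes, proto: int) -> bool:
    """Mimics tcpdump's 'ip proto N' primitive: outer header only."""
    return parse_ipv4(pkt)["proto"] == proto


def summarize(pkt: bytes) -> str:
    """A tcpdump-like one-line summary of what is visible without the key."""
    ip = parse_ipv4(pkt)
    if ip["proto"] == IPPROTO_ESP:
        esp = parse_esp(ip["payload"])
        return "%s > %s: ESP(spi=0x%08x,seq=0x%x), length %d" % (
            ip["src"], ip["dst"], esp["spi"], esp["seq"], len(ip["payload"]))
    if ip["proto"] == IPPROTO_ICMP:
        kind = {8: "echo request", 0: "echo reply"}.get(
            ip["payload"][0], "type %d" % ip["payload"][0])
        return "%s > %s: icmp: %s" % (ip["src"], ip["dst"], kind)
    return "%s > %s: ip-proto-%d" % (ip["src"], ip["dst"], ip["proto"])


TOY_KEY = b"not-a-real-ipsec-key"   # constructed, see toy_encrypt()


def make_samples() -> dict:
    """Constructed packets mirroring the thread: a ping from 10.0.0.1 to
    192.168.0.1 carried over a gif tunnel whose outer endpoints are 1.2.3.4
    and 5.6.7.8. Keys are the interfaces on which each packet would appear."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"abcdefgh"  # echo request
    icmp = icmp[:2] + struct.pack("!H", ipv4_checksum(icmp)) + icmp[4:]
    inner = build_ipv4("10.0.0.1", "192.168.0.1", IPPROTO_ICMP, icmp)
    outer = build_esp_tunnel_packet(inner, "1.2.3.4", "5.6.7.8",
                                    spi=0x1000, seq=1, key=TOY_KEY)
    return {"gif0": inner, "ed0": outer}


def interfaces_matching(samples: dict, proto: int) -> list:
    """Interfaces on which 'tcpdump -i IF proto N' would print a line."""
    return [ifname for ifname, pkt in samples.items() if bpf_ip_proto(pkt, proto)]


if __name__ == "__main__":
    s = make_samples()
    for ifname, pkt in s.items():
        print("%s: %s" % (ifname, summarize(pkt)))
    print("proto 1 matches on:", interfaces_matching(s, IPPROTO_ICMP))
    print("proto 50 matches on:", interfaces_matching(s, IPPROTO_ESP))
```

Run stand-alone it prints the ESP line (SPI and sequence number, nothing about the inner ICMP) for ed0 and the ICMP echo for gif0, then shows `proto 1` matching only on gif0 and `proto 50` only on ed0. That is the behaviour the reply describes: the outer-interface capture can identify ESP by SPI, but the only place a `proto 1` filter can see the ping is where the packet exists in plaintext.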