From: cjm2@27in.tv
Date: Wed, 12 Dec 2001 15:18:40 -0500 (EST)
Subject: Re: ipsec & tcpdump
Message-ID: <2239.216.153.201.197.1008188320.squirrel@www.27in.tv>
In-Reply-To: <20011212115317.C487@gohan.cjclark.org>
List: freebsd-questions@freebsd.org

See below:

> On Tue, Dec 11, 2001 at 01:36:44PM -0500, cjm2@27in.tv wrote:
>> Hello,
>>
>> I am running 4.4-STABLE. I have an ipsec/ESP tunnel to another box.
>> I am trying to find out if there is any way to view the tcp/ip traffic
>> (w/ tcpdump) that is going over that tunnel. Not being able to view
>> this traffic is making troubleshooting some other issues rather
>> difficult.
>
> I am not sure I understand this correctly. Obviously, if you can
> actually see the TCP information in the ESP packets, your tunnel is not
> providing much security.
From the standpoint of an intermediate network, yes. But my 4.4 box is an end-point on that tunnel and by virtue of that is already able to see all of the TCP information passing through that tunnel. What I would like is a way to view that traffic passing over that interface as I would any other interface on my box. Hiding that traffic from the administrator of one of the end points seems to serve no purpose.

If I run 'tcpdump -i ed0' and I start pinging another host, I will see the ICMP packets that originate from my box, and the return packets coming back to my box. If I run 'tcpdump -i gif0' and I start pinging the host on the other end of my tunnel, I see absolutely nothing.

>> My ifconfig reads: (Public ip's have been faked to protect the
>> innocent.)
>> dc0: flags=8843 mtu 1500
>>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>>         ether 00:c0:f0:4d:f6:9f
>>         media: Ethernet autoselect (100baseTX)
>>         status: active
>> ed0: flags=8843 mtu 1500
>>         inet 1.2.3.4 netmask 0xfffffc00 broadcast 255.255.255.255
>>         ether 00:00:e8:d7:ef:3c
>> lo0: flags=8049 mtu 16384
>>         inet 127.0.0.1 netmask 0xff000000
>> gif0: flags=8051 mtu 1280
>>         tunnel inet 1.2.3.4 --> 5.6.7.8
>>         inet 10.0.0.1 --> 192.168.0.1 netmask 0xffffff00
>>
>> My ip is 10.0.0.1 and the remote ip is 192.168.0.1. As a test I set up
>> a ping to 192.168.0.1
>>
>> "tcpdump -i ed0 proto 1" shows me the ESP packets
>
> It shouldn't. ESP is protocol 50. Protocol 1 is ICMP.

Touché... I made a mistake. If I run 'tcpdump -i ed0' I will see the ESP packets; 'tcpdump -i XXX proto 1', where XXX is every single interface on my system, will show absolutely nothing.

Let me expand upon this a little more. The end-point on the other side of the tunnel is a Linux box running FreeS/WAN. On the Linux box it creates a new interface called 'ipsec0' (much like we create a gif0). BUT, on the Linux box, one can type 'tcpdump -i ipsec0' and view the TCP information of packets passing through that interface.
I would simply like to be able to do the same on my FreeBSD box.

>> "tcpdump -i dc0 proto 1" shows me nothing.
>> "tcpdump -i gif0 proto 1" shows me nothing. In addition, no packets
>> ever seem to pass through gif0 (from a tcpdump point of view).
>
> --
> Crist J. Clark cjclark@alum.mit.edu
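Added example, not part of the thread: a small Python model of why 'proto 1' on the outer interface matches nothing while the ESP packets themselves are visible. A BPF 'proto N' filter tests the outer IP protocol field (50 for ESP), and the inner ICMP packet is only readable once an endpoint has decrypted it. The addresses are the faked ones from the thread; the SPI value, the packet builders and the XOR stand-in for the cipher are constructed for the example.

```python
import struct

ESP, ICMP = 50, 1  # IP protocol numbers, as noted in the thread

def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 over a header that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet (no options) with a valid header checksum."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0, 64, proto, 0, addr(src), addr(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + payload

def icmp_echo(ident: int, seq: int, data: bytes = b"ping") -> bytes:
    """ICMP echo request (type 8) with a valid checksum."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", ones_complement_sum(body)) + body[4:]

def esp_wrap(spi: int, seq: int, inner: bytes) -> bytes:
    """ESP header (SPI, seq) + opaque body; XOR is a constructed cipher stand-in."""
    return struct.pack("!II", spi, seq) + bytes(b ^ 0xA5 for b in inner)

def outer_proto(pkt: bytes) -> int:
    """The field a BPF 'proto N' filter on the outer interface tests."""
    return pkt[9]

def matches_filter(pkt: bytes, proto: int) -> bool:
    return outer_proto(pkt) == proto

def visible_fields(pkt: bytes) -> dict:
    """What a capture on the outer interface can read from an ESP packet."""
    body = pkt[(pkt[0] & 0x0F) * 4:]
    if outer_proto(pkt) != ESP:
        return {"proto": outer_proto(pkt)}
    spi, seq = struct.unpack("!II", body[:8])
    return {"proto": ESP, "spi": spi, "seq": seq, "ciphertext_len": len(body) - 8}

# Constructed sample: a ping from 10.0.0.1 to 192.168.0.1 carried in
# tunnel-mode ESP between the (faked) public endpoints 1.2.3.4 and 5.6.7.8.
INNER = ipv4("10.0.0.1", "192.168.0.1", ICMP, icmp_echo(0x4242, 1))
OUTER = ipv4("1.2.3.4", "5.6.7.8", ESP, esp_wrap(0x1000, 1, INNER))
```

On the outer (ed0) side only the SPI, sequence number and ciphertext length are readable, which is exactly what 'tcpdump -i ed0' shows; the ICMP inside only matches 'proto 1' on a packet that has already been decrypted.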