Date: Wed, 12 Dec 2001 15:48:53 -0500 (EST)
From: cjm2@27in.tv
To: <freebsd-questions@freebsd.org>
Cc: <cjclark@alum.mit.edu>, <cristjc@earthlink.net>
Subject: Re: ipsec & tcpdump
Message-ID: <2338.216.153.201.197.1008190133.squirrel@www.27in.tv>
In-Reply-To: <2239.216.153.201.197.1008188320.squirrel@www.27in.tv>
References: <2239.216.153.201.197.1008188320.squirrel@www.27in.tv>
Okay... I now feel like the buffoon. I apologize for bothering everyone. I did
another search on the mailing lists, although I'm not sure how I missed it the
first time, I believe the answer to my question is right here:

http://www.freebsd.org/cgi/getmsg.cgi?fetch=218225+220718+/usr/local/www/db/text/2001/freebsd-security/20010422.freebsd-security

For posterity and mailing list archives on questions, what I appear to be
looking for is enc(4). I'll give that a try and follow up if this turns out
not to be the solution I am looking for.

Thanks,
--Chris

> See below:
>
>> On Tue, Dec 11, 2001 at 01:36:44PM -0500, cjm2@27in.tv wrote:
>>> Hello,
>>>
>>> I am running 4.4-STABLE. I have an ipsec/ESP tunnel to another box.
>>> I am trying to find out if there is any way to view the tcp/ip
>>> traffic (w/ tcpdump) that is going over that tunnel. Not being able
>>> to view this traffic is making troubleshooting some other issues
>>> rather difficult.
>>
>> I am not sure I understand this correctly. Obviously, if you can
>> actually see the TCP information in the ESP packets, your tunnel is
>> not providing much security.
>
> From the standpoint of an intermediate network, yes. But my 4.4 box is an
> end-point on that tunnel and by virtue of that is already able to see
> all of the TCP information passing through that tunnel. What I would
> like is a way to view that traffic passing over that interface as I
> would any other interface on my box. Hiding that traffic from the
> administrator of one of the end points seems to serve no purpose.
>
> If I run 'tcpdump -i ed0' and I start pinging another host, I will see
> the icmp packets that originate from my box, and the return packets
> coming back to my box.
>
> If I run 'tcpdump -i gif0' and I start pinging the host on the other
> end of my tunnel, I see absolutely nothing.
>
>>
>>> My ifconfig reads: (Public IPs have been faked to protect the
>>> innocent.)
>>> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>>>         ether 00:c0:f0:4d:f6:9f
>>>         media: Ethernet autoselect (100baseTX)
>>>         status: active
>>> ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>>         inet 1.2.3.4 netmask 0xfffffc00 broadcast 255.255.255.255
>>>         ether 00:00:e8:d7:ef:3c
>>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>>>         inet 127.0.0.1 netmask 0xff000000
>>> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>>>         tunnel inet 1.2.3.4 --> 5.6.7.8
>>>         inet 10.0.0.1 --> 192.168.0.1 netmask 0xffffff00
>>>
>>> My ip is 10.0.0.1 and the remote ip is 192.168.0.1. As a test I
>>> setup a ping to 192.168.0.1
>>>
>>> "tcpdump -i ed0 proto 1" shows me the ESP packets
>>
>> It shouldn't. ESP is protocol 50. Protocol 1 is ICMP.
>
> Touche... I made a mistake. If I run 'tcpdump -i ed0' I will see the
> ESP packets, 'tcpdump -i XXX proto 1' where XXX is every single
> interface on my system, will show absolutely nothing.
>
> Let me expand upon this a little more. The end-point on the other side
> of the tunnel is a Linux box running FreeS/WAN. On the Linux box it
> creates a new interface called 'ipsec0' (much like we create a gif0).
> BUT, on the Linux box, one can type 'tcpdump -i ipsec0' and view the
> TCP information of packets passing through that interface.
>
> I would simply like to be able to do the same on my FreeBSD box.
>
>>
>>> "tcpdump -i dc0 proto 1" shows me nothing.
>>> "tcpdump -i gif0 proto 1" shows me nothing. In addition, no packets
>>> ever seem to pass through gif0 (from a tcpdump point of view).
>> --
>> Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
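The exchange above turns on one observation: on the outer interface (ed0) the tunnelled ping is wrapped in ESP, IP protocol 50, so a `proto 1` filter never matches it, and what does match under `proto 50` exposes only the SPI, the sequence number and ciphertext. The plaintext exists on the endpoint only at the point of encryption/decryption, which is what FreeBSD's enc(4) pseudo-interface exposes to bpf, as the thread concludes. The following is an added example (my code, not anything posted in the thread) that builds two constructed packets, a plain ping and an ESP-wrapped one, and classifies them the way a capture on ed0 can without any keys. The addresses 1.2.3.4 and 5.6.7.8 are the faked tunnel endpoints from the thread; the SPI, sequence number and ciphertext bytes are made up.

```python
"""What a capture on the outer interface (ed0) can classify without keys.

Added example with constructed packets; it is not code from the thread.
Addresses 1.2.3.4 / 5.6.7.8 are the faked tunnel endpoints from the
thread; the SPI, sequence number and ciphertext bytes are made up.
"""
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_ESP = 50
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp"}


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header; checksum left at 0 (irrelevant for classification)."""
    ver_ihl = (4 << 4) | 5
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def icmp_echo(src, dst, ident=0x1234, seq=1):
    """A plain ping as it leaves ed0: a fully readable ICMP echo request."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"abcdefgh"
    return ipv4_header(src, dst, IPPROTO_ICMP, len(icmp)) + icmp


def esp_packet(src, dst, spi, seq, ciphertext):
    """A tunnelled ping as it leaves ed0: ESP header (SPI, seq) then opaque bytes."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return ipv4_header(src, dst, IPPROTO_ESP, len(esp)) + esp


def parse(packet):
    """Return the fields an observer on the wire can read without any keys."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    payload = packet[ihl:total_len]
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "name": PROTO_NAMES.get(proto, str(proto))}
    if proto == IPPROTO_ESP:
        if len(payload) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", payload[:8])
        # Only SPI and sequence number are cleartext; the inner IP/ICMP/TCP
        # headers live inside the ciphertext, so 'inner' stays unknown here.
        info.update(spi=spi, seq=seq, ciphertext_len=len(payload) - 8, inner=None)
    elif proto == IPPROTO_ICMP:
        info.update(icmp_type=payload[0], icmp_code=payload[1])
    return info


def capture(packets, proto_filter=None):
    """Emulate 'tcpdump -i ed0 [proto N]': filter on the OUTER protocol number only."""
    return [info for info in map(parse, packets)
            if proto_filter is None or info["proto"] == proto_filter]


def summarize(info):
    """One-line summary in the spirit of tcpdump's output."""
    if info["proto"] == IPPROTO_ESP:
        return (f"{info['src']} > {info['dst']}: ESP(spi=0x{info['spi']:08x},"
                f"seq=0x{info['seq']:x}), length {info['ciphertext_len'] + 8}")
    if info["proto"] == IPPROTO_ICMP:
        return f"{info['src']} > {info['dst']}: icmp type {info['icmp_type']}"
    return f"{info['src']} > {info['dst']}: {info['name']}"


# Constructed sample capture: one plain ping from the public address of ed0,
# then a ping through the tunnel (inner ICMP 10.0.0.1 -> 192.168.0.1) that
# ed0 only ever sees wrapped in ESP between the two tunnel endpoints.
CIPHERTEXT = bytes(range(0x20, 0x20 + 48))  # stand-in for encrypted inner ICMP + ESP trailer
SAMPLE_CAPTURE = [
    icmp_echo("1.2.3.4", "5.6.7.8"),
    esp_packet("1.2.3.4", "5.6.7.8", spi=0x0000A3B5, seq=7, ciphertext=CIPHERTEXT),
]

if __name__ == "__main__":
    print("tcpdump -i ed0 proto 1  ->", [summarize(i) for i in capture(SAMPLE_CAPTURE, IPPROTO_ICMP)])
    print("tcpdump -i ed0 proto 50 ->", [summarize(i) for i in capture(SAMPLE_CAPTURE, IPPROTO_ESP)])
```

Run as a script, the `proto 1` line lists only the plain ping, and the `proto 50` line lists the ESP packet with its SPI and sequence number but no inner addresses: exactly the behaviour reported in the thread. Seeing the inner ICMP or TCP headers requires a tap after decryption on the endpoint, not a different filter on the wire.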