From owner-freebsd-net@FreeBSD.ORG Fri Mar 31 20:19:17 2006
Message-ID: <442D8E98.6050903@vineyard.net>
Date: Fri, 31 Mar 2006 15:18:32 -0500
From: "Eric W. Bates"
To: freebsd-net@freebsd.org
Subject: tcpdump and ipsec
List-Id: Networking and TCP/IP with FreeBSD

This seems like a dumb question, but I wonder if one can use tcpdump to view the decrypted outflow from an ESP tunnel?

I have an established tunnel on machine 'firewall'. The tunnel is a route between net 10.128.10.0/24 and 192.168.10.0/24. 'firewall' has 192.168.10.1 as the IP on its internal interface.

When I ping 10.128.10.1 using 192.168.10.1 as the source address, I can use tcpdump to view the ESP packets via the external interface.

Is there a way to use tcpdump to view the packets as they traverse from the tunnel to 192.168.10.1? I had no luck attaching tcpdump to the internal interface.

By the same token, can I hook any of the traffic with ipfw?

I suspect that if any of this traffic were leaving the machine, I would see it; but maybe not if 'firewall' itself is the destination?

Thanks for your time.