From owner-freebsd-net@FreeBSD.ORG Fri Mar 31 22:28:24 2006
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7D0FC16A420 for ; Fri, 31 Mar 2006 22:28:24 +0000 (UTC) (envelope-from vanhu@zeninc.net)
Received: from leia.fdn.fr (ns0.fdn.org [80.67.169.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id EDD4543D69 for ; Fri, 31 Mar 2006 22:28:23 +0000 (GMT) (envelope-from vanhu@zeninc.net)
Received: from smtp.zeninc.net (reverse-25.fdn.fr [80.67.176.25]) by leia.fdn.fr (8.13.3/8.13.3/FDN) with ESMTP id k2VMSKDZ005457 for ; Sat, 1 Apr 2006 00:28:21 +0200
Received: by smtp.zeninc.net (smtpd, from userid 1000) id 9BA513F17; Sat, 1 Apr 2006 00:28:13 +0200 (CEST)
Date: Sat, 1 Apr 2006 00:28:13 +0200
From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Message-ID: <20060331222813.GA29047@zen.inc>
References: <442D8E98.6050903@vineyard.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <442D8E98.6050903@vineyard.net>
User-Agent: All mail clients suck. This one just sucks less.
Subject: Re: tcpdump and ipsec
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 31 Mar 2006 22:28:24 -0000

On Fri, Mar 31, 2006 at 03:18:32PM -0500, Eric W. Bates wrote:
> This seems like a dumb question; but I wonder if one can use tcpdump to
> view the decrypted outflow from an esp tunnel?
>
> I have an established tunnel on machine 'firewall'.
>
> The tunnel is a route between net 10.128.10.0/24 and 192.168.10.0/24.
>
> 'firewall' has 192.168.10.1 as the ip on its internal interface.
>
> When I ping 10.128.10.1 using 192.168.10.1 as the source address, I can
> use tcpdump to view the esp packets via the external interface.
>
> Is there a way to use tcpdump to view the packets as they traverse from
> the tunnel to 192.168.10.1? I had no luck attaching tcpdump to the
> internal interface.
>
> By the same token, can I hook any of the traffic with ipfw?
>
> I suspect that if any of this traffic were leaving the machine, I would
> see it; but maybe not if 'firewall' itself is the destination?

You can do that in various ways:

1) Use the ESP decryption option of tcpdump. Of course, you'll have to
   provide the encryption key to tcpdump.

2) Use enc0 support, which is actually PR kern/94829, and which should
   be included soon in the kernel.

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
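Option 1 above needs the SA's SPI, destination and cipher key handed to tcpdump's `-E` option. The following helper, added here and not part of the thread, builds that argument from the kernel SAD as printed by `setkey -D`; the sample SAD text is constructed, and the assumed output layout (an unindented "src dst" line, an indented "esp ... spi=N(0x..)" line and an indented "E: <alg>  <hexkey>" line per SA) is what setkey prints on FreeBSD.

```shell
#!/bin/sh
# Added example: turn `setkey -D` output into the "spi@dst algo:0xkey,..."
# string that tcpdump's -E option expects, so captured ESP on the
# external interface can be decrypted for inspection.
sad_to_tcpdump_e() {
    awk '
    # SA header: two bare addresses, not indented (real output is tab-indented below it)
    /^[^[:space:]]/ { src = $1; dst = $2; proto = ""; next }
    /^[[:space:]]*esp / {
        # "spi=4097(0x00001001)" -> "4097"; tcpdump accepts the decimal SPI
        spi = $3; sub(/^spi=/, "", spi); sub(/\(.*$/, "", spi)
        proto = "esp"; next
    }
    /^[[:space:]]*ah / { proto = "ah"; next }      # AH has no cipher key; skip it
    proto == "esp" && /^[[:space:]]*E: / {
        alg = $2; key = $3
        # setkey names AES by block mode only; tcpdump wants the key size in the name.
        # Key is printed as hex, so bits = hex digits * 4.
        if (alg == "aes-cbc" || alg == "rijndael-cbc")
            alg = "aes" (length(key) * 4) "-cbc"
        # des-cbc, 3des-cbc, blowfish-cbc, cast128-cbc keep their names
        out = out (out ? "," : "") spi "@" dst " " alg ":0x" key
    }
    END { print out }'
}

# Constructed sample of `setkey -D` output for the tunnel in the thread
# (keys are dummy values, not real secrets).
SAMPLE_SAD='192.168.10.1 10.128.10.1
    esp mode=tunnel spi=4097(0x00001001) reqid=0(0x00000000)
    E: aes-cbc  00112233445566778899aabbccddeeff
    A: hmac-sha1  000102030405060708090a0b0c0d0e0f10111213
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.128.10.1 192.168.10.1
    esp mode=tunnel spi=4098(0x00001002) reqid=0(0x00000000)
    E: 3des-cbc  000102030405060708090a0b0c0d0e0f1011121314151617
    A: hmac-sha1  000102030405060708090a0b0c0d0e0f10111213
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Demo run on the sample; on the firewall itself you would use:
#   tcpdump -ni <external_if> -E "$(setkey -D | sad_to_tcpdump_e)" esp
printf '%s\n' "$SAMPLE_SAD" | sad_to_tcpdump_e
```

Note that this hands live SA keys to a userland process, so run it only on the gateway that already holds them and keep the resulting command line out of shell history and logs.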