From: Nicholas Esborn
To: freebsd-security@freebsd.org
Date: Sun, 9 Sep 2001 19:30:03 -0700
Subject: IPsec w/ gif tunnels question
Message-ID: <20010909193003.A20775@flatlan.net>

Hola, all.

Is there any particular way to test whether a packet is successfully processed by the ipsec subsystem? I am writing a script to bring up gif tunnels between hosts communicating through transport-mode ipsec. I want to be able to see that traffic is being encrypted before setting up the tunnel.

So far, I've come up with:

1) parsing SPD/SAD entries to see if any match
2) using tcpdump to watch for a packet my script sends, to verify that it is AH/ESP (ick)
3) using 'require' instead of 'use' in my SPD entries. This doesn't seem to allow racoon to communicate between machines, which doesn't surprise me. Is there some way racoon can get around this to establish keys?

Thanks for any insight you may have.

-nick
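The check the post is asking for, as an added example that is not part of the original message and not FreeBSD or KAME code. It combines approaches 1) and 2): look in the SAD for a mature transport-mode SA from the local host to the peer, then send one probe and confirm on the wire that every packet between the pair went out as ESP or AH, with nothing leaking in the clear (which is exactly what a 'use' policy does when no SA is up). The `setkey -D` and `tcpdump -n` samples are constructed in the KAME/tcpdump 3.x layout of the era and are parsed by the same functions the live path uses; the addresses 192.0.2.1 / 192.0.2.2, the interface name and the temp-file location are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeBSD project: verify
# that transport-mode IPsec really protects traffic between two hosts before
# a gif tunnel is configured over it.  Assumes KAME setkey(8), tcpdump(1)
# and ping(8) on FreeBSD 4.x; addresses 192.0.2.1 (local) and 192.0.2.2
# (peer) are hypothetical.

# Constructed sample of `setkey -D` output in the KAME layout: a header
# line "src dst" followed by indented lines for that SA.  The reverse SA is
# still larval (IKE not finished) and the third SA is tunnel mode to another
# peer, so a correct check must ignore both.
SAMPLE_SAD='192.0.2.1 192.0.2.2
    esp mode=transport spi=1234567(0x0012d687) reqid=0(0x00000000)
    E: 3des-cbc  0123456789abcdef 0123456789abcdef 0123456789abcdef
    A: hmac-sha1 0123456789abcdef 0123456789abcdef 01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Sep  9 19:00:00 2001   current: Sep  9 19:05:00 2001
192.0.2.2 192.0.2.1
    esp mode=transport spi=7654321(0x0074cbb1) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=larval
192.0.2.1 198.51.100.7
    esp mode=tunnel spi=424242(0x00067932) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Constructed samples of `tcpdump -n` lines for an ICMP echo probe.
SAMPLE_ESP='19:30:03.101 192.0.2.1 > 192.0.2.2: ESP(spi=0x0012d687,seq=0x1)
19:30:03.102 192.0.2.2 > 192.0.2.1: ESP(spi=0x0074cbb1,seq=0x1)'
SAMPLE_CLEAR='19:30:03.101 192.0.2.1 > 192.0.2.2: icmp: echo request
19:30:03.102 192.0.2.2 > 192.0.2.1: icmp: echo reply'
# Policy "use" with the SA gone mid-way: one packet leaked in the clear.
SAMPLE_MIXED='19:30:03.101 192.0.2.1 > 192.0.2.2: ESP(spi=0x0012d687,seq=0x1)
19:30:04.101 192.0.2.1 > 192.0.2.2: icmp: echo request'

# sad_has_transport_sa SRC DST SAD_TEXT
# Succeeds if SAD_TEXT holds a transport-mode SA SRC->DST in state=mature.
sad_has_transport_sa() {
    printf '%s\n' "$3" | awk -v src="$1" -v dst="$2" '
        $0 == (src " " dst) { inblk = 1; transport = 0; next }
        /^[^ \t]/           { inblk = 0 }        # header of some other SA
        inblk && /mode=transport/            { transport = 1 }
        inblk && transport && /state=mature/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# probe_is_esp SRC DST DUMP_TEXT
# Succeeds only if at least one SRC->DST packet was seen and every one of
# them is ESP or AH.  A single cleartext packet means the traffic leaked.
probe_is_esp() {
    printf '%s\n' "$3" | awk -v src="$1" -v dst="$2" '
        index($0, src " > " dst ":") == 0 { next }   # other direction/hosts
        / ESP\(/ || / AH\(/ { prot++; next }
        { clear++ }
        END { if (prot > 0 && clear == 0) exit 0; exit 1 }'
}

# check_live SRC DST IFACE  (needs root): read the live SAD, then capture
# while sending one ICMP echo and inspect what actually went on the wire.
check_live() {
    sad_has_transport_sa "$1" "$2" "$(setkey -D)" || {
        echo "no mature transport SA $1 -> $2"; return 1; }
    tmp=$(mktemp /tmp/ipsecchk.XXXXXX) || return 1
    tcpdump -n -l -i "$3" "host $1 and host $2" > "$tmp" 2>/dev/null &
    tdpid=$!
    sleep 1                              # let tcpdump attach to the interface
    ping -c 1 "$2" > /dev/null 2>&1
    sleep 1
    kill "$tdpid" 2>/dev/null; wait "$tdpid" 2>/dev/null || true
    dump=$(cat "$tmp"); rm -f "$tmp"
    if probe_is_esp "$1" "$2" "$dump"; then
        echo "probe $1 -> $2 left as ESP/AH; safe to bring up the gif tunnel"
    else
        echo "probe $1 -> $2 was NOT protected:"; printf '%s\n' "$dump"; return 1
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_live "$2" "$3" "$4"
else
    # Dry run over the constructed samples.
    for pair in "192.0.2.1 192.0.2.2" "192.0.2.2 192.0.2.1"; do
        set -- $pair
        if sad_has_transport_sa "$1" "$2" "$SAMPLE_SAD"; then
            echo "SAD: mature transport SA $1 -> $2"
        else
            echo "SAD: no usable SA $1 -> $2"
        fi
    done
    for dump in "$SAMPLE_ESP" "$SAMPLE_CLEAR" "$SAMPLE_MIXED"; do
        if probe_is_esp 192.0.2.1 192.0.2.2 "$dump"; then
            echo "wire: protected"
        else
            echo "wire: cleartext leak"
        fi
    done
fi
```

Run without arguments to exercise the parsers on the samples, or as root with `sh ipsec_check.sh --live 192.0.2.1 192.0.2.2 fxp0` (interface name assumed) on a real host. Because ESP hides the inner ICMP, a capture in which every local-to-peer line reads `ESP(spi=...)` is the success case; an `icmp: echo request` line for that pair is the leak a 'use' policy allows. On question 3): with a 'require' policy the kernel also refuses to pass racoon's own ISAKMP datagrams, so the usual KAME arrangement is an explicit bypass for IKE ahead of the require rule, e.g. `spdadd 192.0.2.1[500] 192.0.2.2[500] udp -P out none;` (and the mirror for `in`), which lets racoon negotiate while everything else between the hosts still requires an SA.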