Date: Wed, 12 Dec 2001 15:18:40 -0500 (EST)
From: cjm2@27in.tv
To: <cjclark@alum.mit.edu>
Cc: <cristjc@earthlink.net>, <freebsd-questions@freebsd.org>
Subject: Re: ipsec & tcpdump
Message-ID: <2239.216.153.201.197.1008188320.squirrel@www.27in.tv>
In-Reply-To: <20011212115317.C487@gohan.cjclark.org>
References: <20011212115317.C487@gohan.cjclark.org>
See below:

> On Tue, Dec 11, 2001 at 01:36:44PM -0500, cjm2@27in.tv wrote:
>> Hello,
>>
>> I am running 4.4-STABLE. I have an ipsec/ESP tunnel to another box.
>> I am trying to find out if there is any way to view the tcp/ip traffic
>> (w/ tcpdump) that is going over that tunnel. Not being able to view
>> this traffic is making troubleshooting some other issues rather
>> difficult.
>
> I am not sure I understand this correctly. Obviously, if you can
> actually see the TCP information in the ESP packets, your tunnel is not
> providing much security.

From the standpoint of an intermediate network, yes. But my 4.4 box is an
end-point on that tunnel and by virtue of that is already able to see all
of the TCP information passing through that tunnel. What I would like is a
way to view that traffic passing over that interface as I would any other
interface on my box. Hiding that traffic from the administrator of one of
the end points seems to serve no purpose.

If I run 'tcpdump -i ed0' and I start pinging another host, I will see the
icmp packets that originate from my box, and the return packets coming back
to my box. If I run 'tcpdump -i gif0' and I start pinging the host on the
other end of my tunnel, I see absolutely nothing.

>> My ifconfig reads: (Public ip's have been faked to protect the
>> innocent.)
>> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>         inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
>>         ether 00:c0:f0:4d:f6:9f
>>         media: Ethernet autoselect (100baseTX)
>>         status: active
>> ed0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>         inet 1.2.3.4 netmask 0xfffffc00 broadcast 255.255.255.255
>>         ether 00:00:e8:d7:ef:3c
>> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
>>         inet 127.0.0.1 netmask 0xff000000
>> gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>>         tunnel inet 1.2.3.4 --> 5.6.7.8
>>         inet 10.0.0.1 --> 192.168.0.1 netmask 0xffffff00
>>
>> My ip is 10.0.0.1 and the remote ip is 192.168.0.1. As a test I set up
>> a ping to 192.168.0.1
>>
>> "tcpdump -i ed0 proto 1" shows me the ESP packets
>
> It shouldn't. ESP is protocol 50. Protocol 1 is ICMP.

Touché... I made a mistake. If I run 'tcpdump -i ed0' I will see the ESP
packets; 'tcpdump -i XXX proto 1', where XXX is every single interface on
my system, will show absolutely nothing.

Let me expand upon this a little more. The end-point on the other side of
the tunnel is a Linux box running FreeS/WAN. On the Linux box it creates a
new interface called 'ipsec0' (much like we create a gif0). BUT, on the
Linux box, one can type 'tcpdump -i ipsec0' and view the TCP information of
packets passing through that interface. I would simply like to be able to
do the same on my FreeBSD box.

>> "tcpdump -i dc0 proto 1" shows me nothing.
>> "tcpdump -i gif0 proto 1" shows me nothing. In addition, no packets
>> ever seem to pass through gif0 (from a tcpdump point of view).
> --
> Crist J. Clark                          cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
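The thread turns on the difference between protocol 1 (ICMP) and protocol 50 (ESP) in what a capture on the outer interface shows. As an added example that is not from the thread, the parser below decodes a constructed IPv4 packet and, for ESP, reports only the fields visible without the SA keys (SPI, sequence number, ciphertext length); the sample packets, addresses and the helper names are assumptions made here.

```python
import struct
from typing import Dict

# IANA IP protocol numbers relevant to the thread.
PROTO_NAMES = {1: "icmp", 4: "ipip", 50: "esp", 51: "ah"}


def parse_ipv4_esp(pkt: bytes) -> Dict[str, object]:
    """Parse an IPv4 header and, if the protocol is ESP (50), the ESP header.

    Returns what an endpoint capture on the outer interface exposes without
    the SA keys: addresses, protocol, SPI, sequence number and the length of
    the still-encrypted payload. Inner TCP/ICMP headers are not recoverable.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    info: Dict[str, object] = {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, "other"),
    }
    payload = pkt[ihl:total_len]
    if proto == 50:
        if len(payload) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", payload[:8])
        info.update({"spi": spi, "seq": seq, "encrypted_len": len(payload) - 8})
    return info


def build_sample(proto: int, payload: bytes) -> bytes:
    """Constructed sample (not a real capture): 1.2.3.4 -> 5.6.7.8, the faked
    tunnel endpoints from the thread; IP checksum left as zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([1, 2, 3, 4]), bytes([5, 6, 7, 8]))
    return hdr + payload


# ESP: SPI 0x1000, sequence 7, then 32 opaque ciphertext bytes (constructed).
ESP_PKT = build_sample(50, struct.pack("!II", 0x1000, 7) + b"\xaa" * 32)
# ICMP echo request for comparison: type 8, code 0, checksum 0, id 1, seq 1.
ICMP_PKT = build_sample(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))

if __name__ == "__main__":
    for p in (ESP_PKT, ICMP_PKT):
        print(parse_ipv4_esp(p))
```

A `proto 1` filter on the outer interface matches only the ICMP sample; the ESP sample matches `proto 50` (or `esp`), and nothing inside it is decodable from the capture.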