Thread: [Ipsec-tools-devel] unencrypted traffic in tcpdump
From: Matthias T. <mt...@gm...> - 2007-11-27 05:59:35
Moin,

I use ipsec-tools and racoon to connect linux clients with an openbsd gateway. It works but if I use tcpdump or iptraf on the linux side I see unencrypted traffic on the interface. It looks like I see packages twice. Is this a known bug (or feature)? On the openbsd side I can't see any unencrypted traffic on the interface.

I think I use ipsec-tools-0.6? under a 2.6.22 kernel.

Many thanks
Matthias
From: Matthew G. <mg...@sh...> - 2007-11-27 09:21:06
Matthias Teege wrote:
> Moin,
>
> I use ipsec-tools and racoon to connect linux clients with an openbsd
> gateway. It works but if I use tcpdump or iptraf on the linux side I
> see unencrypted traffic on the interface. It looks like I see
> packages twice. Is this a known bug (or feature)? On the openbsd side
> I can't see any unencrypted traffic on the interface.
>
> I think I use ipsec-tools-0.6? under a 2.6.22 kernel.

It just depends on where IPsec is hooking into the kernel. You are probably just seeing the outbound traffic before it gets intercepted for IPsec processing. If you dropped a protocol analyzer on the wire, I'm sure you would only see the traffic as ESP or AH packets.

-Matthew
From: VANHULLEBUS Y. <va...@fr...> - 2007-11-27 09:32:31
On Tue, Nov 27, 2007 at 05:59:38AM +0000, Matthias Teege wrote:
> Moin,

Hi.

> I use ipsec-tools and racoon to connect linux clients with an openbsd
> gateway. It works but if I use tcpdump or iptraf on the linux side I
> see unencrypted traffic on the interface. It looks like I see
> packages twice. Is this a known bug (or feature)? On the openbsd side
> I can't see any unencrypted traffic on the interface.
>
> I think I use ipsec-tools-0.6? under a 2.6.22 kernel.

I already noticed that some years ago, looks like incoming ESP packets are reinjected before the libpcap hook, so you see incoming packets both as ESP and as decrypted packets.

And you can even see them 3 times if you also activate NAT-T's UDP encapsulation :-)

Yvan.
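To make the two explanations above concrete (Matthew's: plaintext captured before IPsec processing; Yvan's: the same packet seen as ESP, as NAT-T UDP-encapsulated ESP, and again decrypted), here is an added Python classifier that is not part of this thread. It labels constructed IPv4 packets the way tcpdump would show them on the Linux endpoint, and assumes the RFC 3948 NAT-T conventions (UDP port 4500, four-zero-byte non-ESP marker for IKE, single 0xFF byte keepalive).

```python
"""Label raw IPv4 packets by how they appear in a capture on an IPsec endpoint:
one inner packet can show up as ESP, as NAT-T UDP-encapsulated ESP, and as
decrypted plaintext. Sample packets below are constructed, not a real capture."""
import struct
from collections import Counter

NAT_T_PORT = 4500  # UDP port for IKE/ESP NAT traversal (RFC 3948)

def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, src, dst)
    return hdr + payload

def classify(pkt):
    """Return the form in which tcpdump would show this packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length from the IHL nibble
    proto = pkt[9]                      # IP protocol number
    body = pkt[ihl:]
    if proto == 50:
        return "ESP"
    if proto == 51:
        return "AH"
    if proto == 17 and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        data = body[8:]
        if NAT_T_PORT in (sport, dport):
            if data == b"\xff":                    # NAT-T keepalive
                return "NAT-T keepalive"
            if data[:4] == b"\x00\x00\x00\x00":    # non-ESP marker => IKE
                return "IKE over UDP 4500"
            return "ESP over UDP (NAT-T)"          # first 4 bytes are the SPI
        return "plaintext UDP"
    return "plaintext TCP" if proto == 6 else f"plaintext proto {proto}"

def count_views(packets):
    """How many times each form appears in a capture."""
    return Counter(classify(p) for p in packets)

# Constructed sample: the same TCP segment seen three times on the client.
SRC, DST = bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1])
esp = struct.pack("!II", 0x1234ABCD, 1) + b"\xaa" * 40   # SPI, seq, ciphertext
udp_hdr = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0)
SAMPLE = [
    ipv4(50, SRC, DST, esp),                 # ESP on the wire
    ipv4(17, SRC, DST, udp_hdr + esp),       # same ESP, UDP-encapsulated
    ipv4(6, SRC, DST, b"\x00\x50\x04\xd2" + b"\x00" * 16 + b"GET /"),  # decrypted
]
```

Running `count_views(SAMPLE)` shows each form exactly once, which is the "2 or 3 times" effect on the Linux side; on a span port or the OpenBSD gateway only the first (and, with NAT-T, second) form should ever be visible.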