Re: [Ipsec-tools-devel] (SOLVED) How to watch the contents of ESP packets?

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

The problem was in the other side!

They asked me to configure a GRE tunnel and they were using IPIP
encapsulation...may them rot in hell!

2006/11/19, Eduard GV <edu...@gm...>:
> Hi all, this may seem a newbie question,=85but I'm stuck=85
>
> Brief version:
>
> How can I watch the contents of an incoming ESP packet (being in the
> box that has established the tunnel)?
>
> Extended version:
>
> I've been trying to configure a tunnel with a distant office from
> which I can't get any kind of information (about their
> hardware/software, pings are not allowed, etc.). I only know their
> public IP (let's say a.b.c.d) and their tunnel side's IP (1.2.3.4). In
> the same way, my IPs are: e.f.g.h and 1.2.3.5.
>
> We are supposed to be exchanging multicast RIPv2 packets with routing
> information about each other side's private ranges. I use the same
> machine (e.f.g.h) for tunnelling IPsecuring and routing. But neither
> them, nor my router are learning those routes. I can see ESP packets
> going in and out of my public interface every 30s, as it is expected
> from RIP (I'm receiving  and sending RIP messages, but they seem not
> to have effect).
>
> I would like to watch the contents of those packets so that I can see
> where the problem is. How can I know if those packets are right?
> Should I see unencrypted packets when sniffing the new tun0 interface?
> I can see the packets I send, but I can't see any packets coming from
> the other side (although ESP packets are arriving).
>
>
> --- The tunnel is made with:
> ip tunnel add name tun0 mode gre remote a.b.c.d local e.f.g.h ttl 255
> ifconfig tun0 up 1.2.3.5 netmask 255.255.255.252 pointopoint 1.2.3.4
> mtu 1500 multicast
> ----
> IPsec has been properly established (I see ESP messages), though I
> obtain a "such policy does not already exist" error (which I don't
> think is important,=85right?)
> ---racoon.conf
> path pre_shared_key "/etc/racoon/psk.txt";
> path certificate "/etc/racoon/certs";
>
> listen {
>         isakmp e.f.g.h [500];
>         isakmp_natt e.f.g.h [4500];
> }
>
> remote a.b.c.d {
>         exchange_mode main;
>         peers_identifier address;
>         my_identifier address;
>         nat_traversal on;
>         proposal {
>                 encryption_algorithm des;
>                 hash_algorithm md5;
>                 authentication_method pre_shared_key;
>                 dh_group 1;
>                 lifetime time 10000 sec;
>         }
>         generate_policy on;
> }
> sainfo address e.f.g.h/32[any] any address a.b.c.d/32[any] any {
>         lifetime time 3600 sec;
>         encryption_algorithm des;
>         authentication_algorithm hmac_md5;
>         compression_algorithm deflate;
> }
> ----
>