> Anyway, I have a tunnel between two (2) Dachstein-CD firewall/gateways,
> separated by the big, bad internet ;>
>
> I remain confused, however, *how* to test the encryption. Yes, I
> understand how, if both boxes were local and I could place a 3rd in
> between; but, I cannot do that here.
>
> While I'm on 192.168.123.110 (not a DCD firewall/gateway) I do this:
>
> ping -p feedfacedeadbeef 192.168.1.20
> <snip>
>
> Yes, I know that the FreeS/WAN FAQ emphatically states that this
> scenario, testing with tcpdump on either gateway, will be confusing;
> but, however else can I test this setup?
Well, your existing tests have shown your network is connected, so what you really need to verify is that the data between your endpoints is really encrypted.

Recent versions of tcpdump are smart enough to be able to dump the encrypted traffic going over the physical interface without being confused. You basically want to dump the raw traffic going over your external 'net, and verify protocol 50 packets are being sent/received, and that the packets don't contain anything that looks like your "feedfacedeadbeef" ascii string.

If you can't get a recent enough tcpdump (I haven't had need to test IPSec this way), if your upstream link is ethernet (i.e. cable/xDSL), you can "listen in" on the traffic even if you've only got one IP. Just hook a system with an ethernet NIC up to your upstream link (you'll probably need a 'hublet' or similar to get all 3 NICs talking)...another LEAF system will work OK. Instead of configuring the external interface on your test box, just enable it with "ip link set dev eth0 up" and run tcpdump. The interface will go into promiscuous mode, and receive all traffic, even though it doesn't have an assigned IP, allowing you to sniff the actual traffic on the wire.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
https://lists.sourceforge.net/lists/listinfo/leaf-user
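The check Charles describes, as an added offline example that is not part of the original thread or of LEAF/FreeS/WAN: on the wire, `ping -p feedfacedeadbeef` fills the ICMP payload with the eight bytes `fe ed fa ce de ad be ef` repeated, so an un-encrypted ping leaks that byte pattern in the clear, while a properly tunnelled one shows up on the external interface only as IP protocol 50 (ESP) whose payload carries no such pattern. The code below constructs three raw IPv4 packets (the LAN addresses are the ones from the question; the public addresses 203.0.113.1 and 198.51.100.1, the SPIs and the "ciphertext" are made-up stand-ins, not real ESP encryption) and classifies each the way you would eyeball a tcpdump hex dump: is it ESP, and is the pad pattern visible? The third packet models the failure mode the pattern search is really for: protocol 50 on the wire but the plaintext still readable, which is what an ESP null cipher or a broken policy would look like.

```python
"""Offline model of the tcpdump check: do packets crossing the external
interface carry the ping pad bytes in the clear, or only opaque ESP?

Added example; the packets below are constructed, not captured.
"""
import hashlib
import socket
import struct

# Bytes that `ping -p feedfacedeadbeef` uses to fill the ICMP payload.
PING_PAD = bytes.fromhex("feedfacedeadbeef")
# Also look for the literal text, in case someone sends the string itself.
PING_PAD_ASCII = b"feedfacedeadbeef"

IPPROTO_ICMP = 1
IPPROTO_ESP = 50


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over data (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp_echo(pad: bytes, data_len: int = 56) -> bytes:
    """ICMP echo request whose data is the pad repeated, as ping -p does."""
    data = (pad * (data_len // len(pad) + 1))[:data_len]
    hdr = struct.pack("!BBHHH", 8, 0, 0, 0x0001, 1)   # type 8, id 1, seq 1
    csum = ipv4_checksum(hdr + data)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + data


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header (SPI, sequence number) in front of an opaque body."""
    return struct.pack("!II", spi, seq) + body


def fake_ciphertext(length: int, label: bytes) -> bytes:
    """Deterministic stand-in for ESP ciphertext. NOT real encryption;
    it only needs to look like opaque bytes that contain no pad pattern."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def classify(packet: bytes) -> dict:
    """What tcpdump -X would let you see: the IP protocol number and
    whether the pad pattern is visible anywhere after the IP header."""
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    payload = packet[ihl:total_len]
    proto = packet[9]
    visible = PING_PAD in payload or PING_PAD_ASCII in payload
    return {"proto": proto, "esp": proto == IPPROTO_ESP, "pad_visible": visible}


def audit(packets) -> dict:
    """Summarise a capture: ESP vs non-ESP counts and pad leaks."""
    summary = {"esp": 0, "non_esp": 0, "leaks": 0}
    for pkt in packets:
        c = classify(pkt)
        summary["esp" if c["esp"] else "non_esp"] += 1
        if c["pad_visible"]:
            summary["leaks"] += 1
    return summary


# Constructed samples. LAN addresses are from the question; the public
# addresses, SPIs and "ciphertext" are assumptions for illustration.
LAN_PING = build_ipv4("192.168.123.110", "192.168.1.20", IPPROTO_ICMP,
                      build_icmp_echo(PING_PAD))
# Same ping as it should appear between the two gateways: ESP, opaque body.
TUNNELLED = build_ipv4("203.0.113.1", "198.51.100.1", IPPROTO_ESP,
                       build_esp(0x1000, 1, fake_ciphertext(len(LAN_PING) + 16, b"sa1")))
# Failure mode: protocol 50 on the wire, but the inner packet readable.
NULL_CIPHER = build_ipv4("203.0.113.1", "198.51.100.1", IPPROTO_ESP,
                         build_esp(0x1001, 1, LAN_PING))

if __name__ == "__main__":
    for name, pkt in (("lan ping", LAN_PING), ("tunnelled", TUNNELLED),
                      ("null cipher", NULL_CIPHER)):
        print(name, classify(pkt))
    print(audit([LAN_PING, TUNNELLED, NULL_CIPHER]))
```

On the real wire the equivalent is `tcpdump -ni eth0 -X 'ip proto 50'` (tcpdump also accepts the keyword `esp`) while the ping runs: every packet between the two gateway addresses should be ESP, and the hex column should never show `feed face dead beef`. Seeing the pattern inside a protocol 50 packet, or seeing ICMP to the remote LAN address leave the external interface at all, means the traffic is not being protected.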