> > Recent versions of tcpdump are smart enough to be able to dump
> > the encrypted traffic going over the physical interface without being
> > confused.  You basically want to dump the raw traffic going over your
> > external 'net, and verify protocol 50 packets are being sent/received, and
> > that the packets don't contain anything that looks like your
> > "feedfacedeadbeef" ascii string.
>
> This is where I am confused!
>
> On the DCD firewalls, we have the tcpdump.lrp included w/DCD -- version
> 3.5.  I have compiled v3.6.2 on my development box.  Do *both* qualify
> as ``Recent versions''?

I don't know...I don't try to sniff IPSec packets on the gateway systems...I
use a separate box.  Info should be in the FreeS/WAN list archives, or
online docs...

> If so, how do we accomplish what you outline in your last sentence?

Um...dump the traffic from eth0, and verify you don't see any
"feedfacedeadbeef" strings.  You'll probably want to log everything, and
verify you're seeing encrypted protocol 50 packets, and NOT seeing any
unencrypted pings.  For extra credit, you can use manual keying, provide
tcpdump with the keys, and decrypt the IPSec traffic...

> Notice, that 192.168.1.254, in my first example, is a DCD
> firewall/gateway with eth0 as the external interface.  The DCD
> firewall/gateway on the other end has wanpipe as external interface, so
> I don't want to complicate matters -- right now -- with that variable ;>
>
> The fact that tcpdump output, for icmp on ipsec0 for this DCD
> firewall/gateway, clearly shows ``feed face dead beef'' disturbs me ;<

Unnecessarily so...ipsec0 is the "in-the-clear" interface for IPSec traffic.
Un-encrypted traffic is routed to (and comes from) ipsec0.  The kernel code
encrypts outbound traffic from ipsec0, which eventually winds up being
transmitted as protocol 50 (or 51) traffic on eth0 (or wan0, or whatever
your upstream interface is).  Receive traffic is the same...it shows up
encrypted on eth0, and is spit out un-encrypted by ipsec0.  See the packet
flows provided by Hugh Redelmeier at:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/firewall.html#dhr

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
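The check Charles describes (dump the upstream interface, confirm that protocol 50/51 packets are what actually leaves the box, and confirm the "feedfacedeadbeef" string never appears there) as an added example, written for this page and not code from the thread, FreeS/WAN or LEAF. It reads a classic pcap file of the kind `tcpdump -i eth0 -s 0 -w eth0.pcap` writes, counts packets per IP protocol, and flags any packet whose IP payload still carries the plaintext marker. The two sample captures, the MAC and IP addresses and the ESP bytes are constructed for the demonstration; a real capture has IPv4 checksums and real ciphertext, neither of which this check depends on.

```python
"""Audit an eth0 capture for IPsec (ESP/AH) vs. cleartext packets.

Added example, not code from the thread, FreeS/WAN or LEAF.  Assumes a
classic (non-pcapng) pcap with Ethernet framing and IPv4 only.  All sample
packets below are constructed; only the parser and audit logic matter.
"""
import struct

ESP, AH, ICMP, TCP = 50, 51, 1, 6
PROTO_NAMES = {ESP: "ESP", AH: "AH", ICMP: "ICMP", TCP: "TCP", 17: "UDP"}
MARKER = b"feedfacedeadbeef"   # the plaintext that must NOT show up on eth0
ETHERNET_LINKTYPE = 1


def parse_pcap(data: bytes):
    """Yield raw frames from a classic pcap blob (either byte order)."""
    magic = data[:4]
    if magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    elif magic == b"\xd4\xc3\xb2\xa1":
        end = "<"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != ETHERNET_LINKTYPE:
        raise ValueError("expected Ethernet link type, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def classify_frame(frame: bytes, marker: bytes = MARKER):
    """Return (proto, src, dst, marker_in_payload) for an IPv4 frame, else None.

    For ESP/AH the payload is the encrypted/authenticated blob, so a marker hit
    there means the "tunnel" is not actually hiding anything."""
    if len(frame) < 14 + 20 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return ip[9], src, dst, marker in ip[ihl:total_len]


def audit_capture(pcap: bytes, marker: bytes = MARKER) -> dict:
    """Count packets per IP protocol and list every packet leaking the marker."""
    counts, leaks = {}, []
    for frame in parse_pcap(pcap):
        info = classify_frame(frame, marker)
        if info is None:
            continue
        proto, src, dst, leaked = info
        counts[proto] = counts.get(proto, 0) + 1
        if leaked:
            leaks.append((PROTO_NAMES.get(proto, str(proto)), src, dst))
    return {"counts": counts, "leaks": leaks,
            "ipsec_seen": (counts.get(ESP, 0) + counts.get(AH, 0)) > 0}


# --- constructed sample traffic (demo only) ----------------------------------

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header, no options; checksum left 0 (the audit ignores it)."""
    pack = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                       64, proto, 0, pack(src), pack(dst)) + payload


def build_frame(ip: bytes) -> bytes:
    """Ethernet II frame with made-up MAC addresses and ethertype 0x0800."""
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + ip


def build_pcap(frames) -> bytes:
    """Little-endian classic pcap, Ethernet link type, one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, ETHERNET_LINKTYPE)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000000 + i, 0, len(f), len(f)) + f
    return out


def sample_captures() -> dict:
    """Two constructed eth0 captures: tunnel working, and a ping escaping in the clear."""
    gw, peer = "192.168.1.254", "203.0.113.10"   # assumed gateway addresses
    # ESP: SPI + sequence number + opaque bytes standing in for ciphertext
    esp = build_ipv4(ESP, gw, peer, b"\x12\x34\x56\x78\x00\x00\x00\x01" + bytes(range(0x80, 0xC0)))
    # ICMP echo request carrying the marker: fine on ipsec0, a leak on eth0
    icmp = build_ipv4(ICMP, gw, peer, struct.pack("!BBHHH", 8, 0, 0, 1, 1) + MARKER)
    return {"tunnel_up": build_pcap([build_frame(esp), build_frame(esp)]),
            "tunnel_bypassed": build_pcap([build_frame(esp), build_frame(icmp)])}


if __name__ == "__main__":
    for name, cap in sample_captures().items():
        print(name, audit_capture(cap))
```

To use it on a real gateway, capture on the upstream side while pinging across the tunnel, e.g. `tcpdump -n -i eth0 -s 0 -w eth0.pcap 'ip proto 50 or ip proto 51 or icmp'`, then feed `open("eth0.pcap", "rb").read()` to `audit_capture()`. A healthy result has `ipsec_seen` true and an empty `leaks` list; a leak entry tagged ICMP means the ping left eth0 unencrypted, and a leak entry tagged ESP means the tunnel is up but not actually encrypting.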



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user