Charles Steinkuehler wrote:
> 
> > > Recent versions of tcpdump are smart enough to be able to dump
> > > the encrypted traffic going over the physical interface without being
> > > confused.  You basically want to dump the raw traffic going over your
> > > external 'net, and verify protocol 50 packets are being sent/received,
> > > and
> > > that the packets don't contain anything that looks like your
> > > "feedfacedeadbeef" ascii string.
> >
> > This is where I am confused!
> >
> > On the DCD firewalls, we have the tcpdump.lrp included w/DCD -- version
> > 3.5.  I have compiled v3.6.2 on my development box.  Do *both* qualify
> > as ``Recent versions''?
> 
> I don't know...I don't try to sniff IPSec packets on the gateway systems...I
> use a separate box.  Info should be in the FreeS/WAN list archives, or
> online docs...
> 
> > If so, how do we accomplish what you outline in your last sentence?
> 
> Um...dump the traffic from eth0, and verify you don't see any
> "feedfacedeadbeef" strings.  You'll probably want to log everything, and
> verify you're seeing encrypted protocol 50 packets, and NOT seeing any
> unencrypted pings.  For extra credit, you can use manual keying, provide
> tcpdump with the keys, and decrypt the IPSec traffic...

[ snip ]

OK, I received your post *after* my last post, in which I sniffed eth0
for all packets related to protocols 50 & 51.

Subsequently, I realized that my attempt only demonstrated contents of
packets for those protocols ;>

So, I did same ping; but, now I sniffed the external (eth0 & wan1, *not*
ipsec0) interfaces on *both* ends for *ALL* packets (Note: *no*
expression), logged output to a file on each gateway/firewall for ten
(10) minutes of pinging, then:

        grep -i 'feed\|face\|dead\|beef' /tmp/dump.out

On one side, there was one instance of 'feed'; but, analysis showed that
this was coincidental and between that gateway/firewall and some other
point on the internet.  Otherwise, all output was clean and apparently
random.

Is this a valid test?

What do you think?

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .
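The check described in this thread (sniff the external interface for all packets, confirm the pings ride inside ESP, protocol 50, and confirm the "feedfacedeadbeef" marker never shows up in the clear) can be done against the raw packets rather than against grepped tcpdump text. The example below is added here as an editor's illustration; it is not code from the thread, from FreeS/WAN or from LEAF. It builds a small constructed capture (gateway addresses from the RFC 5737 documentation ranges, an invented ESP SPI, made-up ciphertext bytes), classifies each IPv4 packet by protocol number, and flags any packet carrying the full marker. It also counts packets that would have matched the thread's `grep -i 'feed\|face\|dead\|beef'` on a four-character fragment alone, which is how a coincidental "feed" from unrelated traffic ends up in the output.

```python
"""Audit a raw IPv4 capture for IPsec leakage (added example, not from the thread).

Models the test from the thread: every packet seen on the external interface is
classified by IP protocol; ESP (50) / AH (51) between the two gateways counts as
tunnel traffic, and any packet carrying the plaintext ping marker is a leak.
All packets here are constructed inline; nothing is read from a live interface.
"""
import struct

ESP, AH, ICMP, TCP = 50, 51, 1, 6
PROTO_NAMES = {ESP: "ESP", AH: "AH", ICMP: "ICMP", TCP: "TCP"}
MARKER = b"feedfacedeadbeef"                        # marker used in the thread's pings
FRAGMENTS = (b"feed", b"face", b"dead", b"beef")    # the thread's grep patterns

# Constructed gateway addresses (RFC 5737 documentation ranges), not real hosts.
GW_A, GW_B = "198.51.100.1", "203.0.113.1"


def ipv4_packet(proto, src, dst, payload):
    """Build a minimal IPv4 header (IHL=5, no options, checksum left zero)."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
    return header + payload


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from a raw IPv4 packet."""
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return pkt[9], src, dst, pkt[ihl:]


def audit(packets, gateways):
    """Classify a capture taken on the external interface.

    tunnel        - ESP/AH packets exchanged between the two gateways
    leaks         - (proto, src, dst) of every packet carrying the full marker;
                    an ICMP entry means the ping left in the clear, an ESP entry
                    would mean the 'encrypted' payload is not actually encrypted
    fragment_hits - packets matching only a 4-char fragment (coincidental hits,
                    like the lone 'feed' mentioned in the thread)
    """
    result = {"tunnel": 0, "leaks": [], "fragment_hits": 0}
    for pkt in packets:
        proto, src, dst, payload = parse_ipv4(pkt)
        if proto in (ESP, AH) and {src, dst} == set(gateways):
            result["tunnel"] += 1
        body = payload.lower()                       # mirrors grep -i
        if MARKER in body:
            result["leaks"].append((PROTO_NAMES.get(proto, str(proto)), src, dst))
        elif any(f in body for f in FRAGMENTS):
            result["fragment_hits"] += 1
    return result


def _esp(src, dst, ciphertext):
    # ESP header: SPI and sequence number (constructed values), then ciphertext.
    return ipv4_packet(ESP, src, dst, struct.pack("!II", 0x0000ABCD, 1) + ciphertext)


def sample_clean_capture():
    """Constructed: pings travel inside ESP; one unrelated HTTP packet says 'feed'."""
    ct = bytes.fromhex("9f1c7a03e2b84d66a1c305f7e9124b8d")   # made-up ciphertext
    return [
        _esp(GW_A, GW_B, ct),
        _esp(GW_B, GW_A, ct[::-1]),
        ipv4_packet(TCP, "192.0.2.50", GW_A, b"GET /rss/feed.xml HTTP/1.0\r\n"),
    ]


def sample_leaky_capture():
    """Constructed: same tunnel traffic plus one ping that bypassed the tunnel."""
    echo = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + MARKER   # ICMP echo request
    return sample_clean_capture() + [ipv4_packet(ICMP, GW_A, GW_B, echo)]


if __name__ == "__main__":
    for name, cap in (("clean", sample_clean_capture()), ("leaky", sample_leaky_capture())):
        print(name, audit(cap, (GW_A, GW_B)))
```

On the clean capture the audit reports two tunnel packets, no leaks and one fragment hit (the unrelated `feed.xml` request); on the leaky capture it additionally names the ICMP packet between the gateways that carried the marker in the clear. Reading the protocol field from the header, rather than grepping printed output, is what separates "the marker happened to appear" from "the ping went out unencrypted".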

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user