> OK, I received your post *after* my last post, in which I sniffed eth0
> for all packets related to protocols 50 & 51.
>
> Subsequently, I realized that my attempt only demonstrated contents of
> packets for those protocols ;>
>
> So, I did same ping; but, now I sniffed the external (eth0 & wan1, *not*
> ipsec0) interfaces on *both* ends for *ALL* packets (Note: *no*
> expression), logged output to a file on each gateway/firewall for ten
> (10) minutes of pinging, then:
>
> grep -i 'feed\|face\|dead\|beef' /tmp/dump.out
>
> On one side, there was one instance of 'feed'; but, analysis showed that
> this was coincidental and between that gateway/firewall and some other
> point on the internet. Otherwise, all output was clean and apparently
> random.
>
> Is this a valid test?

Yes, this is a valid test. There are only a few things I can think of to test more completely:

1) Use a non-gateway system to sniff the traffic...this will guarantee you're getting a true picture of exactly what's on the wire

2) Decrypt the IPSec packets and verify they actually contain the expected data

3) Send 'in the clear' pings with the same or content to a unique host to verify your packet capturing and result extraction methods are working as expected

You should at least be able to do #3 pretty easily. You'll have to decide if the extra verification provided by #1 and #2 is worth the hassle...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
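The cleartext control from point 3, sketched as an added example that is not part of the original thread: it runs a byte-level marker search and a grep-style word match over the same dump, so the extraction step is checked against pings known to carry the pattern. It assumes the capture was logged in `tcpdump -x` style hex lines and that the ping pattern was `feedfacedeadbeef`; the sample dump, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample in `tcpdump -x` style (assumed format): two cleartext control
# pings carrying the marker, one byte-aligned and one shifted by a byte, plus one ESP packet.
SAMPLE = """\
12:00:01.000001 IP 192.0.2.10 > 192.0.2.99: ICMP echo request, id 1, seq 1, length 24
    0x0000:  4500 002c 0001 0000 4001 f6f0 c000 020a
    0x0010:  c000 0263 0800 1234 0001 0001 feed face
    0x0020:  dead beef feed face dead beef
12:00:02.000001 IP 192.0.2.10 > 192.0.2.99: ICMP echo request, id 1, seq 2, length 25
    0x0000:  4500 002d 0002 0000 4001 f6ee c000 020a
    0x0010:  c000 0263 0800 1234 0001 0002 00fe edfa
    0x0020:  cede adbe effe edfa cede adbe ef
12:00:03.000001 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x00001000,seq=0x3), length 28
    0x0000:  4500 0030 0003 0000 4032 f6b1 c000 020a
    0x0010:  c000 0214 0000 1000 0000 0003 9a3c 71e4
    0x0020:  5b0d 88f2 c417 6ea9 03d5 7f21 b86c 40ea
"""

HEX_LINE = re.compile(r"^\s*0x[0-9a-f]+:\s+((?:[0-9a-f]{2,4}\s?)+)", re.I)

def packets(dump_text):
    """Yield (header_line, packet_bytes), rejoining the hex groups of each packet."""
    header, chunks = None, []
    for line in dump_text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            chunks.append("".join(m.group(1).split()))
        elif line.strip():
            if header is not None:
                yield header, bytes.fromhex("".join(chunks))
            header, chunks = line.strip(), []
    if header is not None:
        yield header, bytes.fromhex("".join(chunks))

def find_marker(dump_text, marker="feedfacedeadbeef"):
    """Headers of packets whose bytes contain the marker at any byte offset."""
    needle = bytes.fromhex(marker)
    return [h for h, data in packets(dump_text) if needle in data]

def naive_grep(dump_text, words=("feed", "face", "dead", "beef")):
    """Line-based match, equivalent to the grep -i over the four marker words."""
    return [l for l in dump_text.splitlines() if any(w in l.lower() for w in words)]

if __name__ == "__main__":
    print("byte-level hits:", find_marker(SAMPLE))
    print("grep-style hits:", naive_grep(SAMPLE))
```

On this constructed dump the byte-level search reports both control pings, while the grep-style match only sees the one whose payload happens to line up with the two-byte hex groups.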