--- Begin Message ---
Hi.
I’m trying to debug a Strongswan config and wanted to verify that my GRE
traffic is being encapsulated properly by IPSec. “Tcpdump” to the rescue.
Well, almost.
So I was trying to use “ip xfrm state” to get the SPI and session keys, and
then run “tcpdump … -E spi@addr aes-cbc:key”, but tcpdump doesn’t support
aes-cbc apparently (despite traffic on the list from 2004 threatening to add
support in 3.8.4).
So I tried to downgrade the encryption suite to “esp=null” and to use “-E
spi@addr none:” but I get the message:
tcpdump: can't parse filter expression: syntax error
Which isn’t particularly specific.
I’m using CentOS 8 Stream, if that helps. Trying to tell if my tcpdump doesn’t
support -E in general, or if I’m just using it wrong.
If AES support isn’t baked in, I might have time to take a stab at patches in
the coming weeks, but for now I need to get GRE+IPSec tunneling delivered to my
boss.
Maybe even adding support for a mode where tcpdump runs “ip xfrm state” in a
socketpair or pipe and grovels out the SPIs, addresses, cipher names, and
keys… I’m assuming that having a table of tuples for connections that you’re
not interested in doesn’t add any actual significant overhead other than a few
dozen bytes of storage for the tuple itself.
Can someone help me get jumpstarted here?
Thanks,
-Philip
--- End Message ---
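Added example (not part of the original message or of tcpdump): a small Python helper that takes `ip xfrm state` output (a constructed sample here, with placeholder keys), pulls out the SPI, addresses, cipher name and key for each ESP SA, and assembles the `spi@addr algo:secret,...` string that tcpdump's `-E` option accepts, skipping SAs whose cipher tcpdump cannot decrypt (AES-CBC among them). The kernel-name-to-tcpdump algorithm mapping and the choice of the SA's destination address are assumptions.

```python
import re

# Constructed `ip xfrm state` sample (not captured from a real host); keys are
# placeholders. One AES-CBC SA and one null-encryption (esp=null) SA.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 192.0.2.2
\tproto esp spi 0xc1a2b3d4 reqid 1 mode tunnel
\tauth-trunc hmac(sha256) 0x0011223344556677 128
\tenc cbc(aes) 0x00112233445566778899aabbccddeeff
src 192.0.2.2 dst 192.0.2.1
\tproto esp spi 0x0000abcd reqid 1 mode tunnel
\tauth-trunc hmac(sha256) 0x8899aabbccddeeff 128
\tenc ecb(cipher_null)
"""

# Assumed mapping from kernel cipher names to the names tcpdump -E accepts.
# cbc(aes) is deliberately absent: tcpdump does not decrypt AES-CBC ESP.
XFRM_TO_TCPDUMP = {
    "ecb(cipher_null)": "none",
    "cbc(des)": "des-cbc",
    "cbc(des3_ede)": "3des-cbc",
    "cbc(blowfish)": "blowfish-cbc",
    "cbc(cast5)": "cast128-cbc",
}

def parse_xfrm_state(text):
    """Return one dict per ESP SA: src, dst, spi, enc (kernel name), key (hex or '')."""
    sas = []
    for block in re.split(r"(?m)^(?=src )", text):   # one block per SA
        if not block.strip():
            continue
        head = re.match(r"src (\S+) dst (\S+)", block)
        spi = re.search(r"proto esp spi (0x[0-9a-fA-F]+)", block)
        enc = re.search(r"^\s*enc (\S+)(?: (0x[0-9a-fA-F]+))?", block, re.M)
        if head and spi and enc:
            sas.append({"src": head.group(1), "dst": head.group(2),
                        "spi": spi.group(1), "enc": enc.group(1),
                        "key": enc.group(2) or ""})
    return sas

def build_tcpdump_e(sas):
    """Build the -E value for SAs tcpdump can handle; return (value, skipped SAs).
    Assumption: the SA's dst address is the one tcpdump matches against."""
    entries, skipped = [], []
    for sa in sas:
        algo = XFRM_TO_TCPDUMP.get(sa["enc"])
        if algo is None:
            skipped.append(sa)          # unsupported cipher, e.g. cbc(aes)
            continue
        entries.append(f'{sa["spi"]}@{sa["dst"]} {algo}:{sa["key"]}')
    return ",".join(entries), skipped
```

Pass the returned string to tcpdump as one quoted `-E` argument: if the shell splits it at the space, tcpdump treats the remainder as the capture filter and reports a filter syntax error. Keys given on a command line are visible in the process list, so restrict who can run the capture.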