Discussion:
question about -E parameter decrypting esp packets
Torsten Krah
2009-02-19 19:17:56 UTC
Hi,

I am facing some problems with my IPsec tunnel and want to encrypt the real
ESP traffic going over the wire.

I only succeeded 50%, because a ping looks like this:

IP A > B: ESP(spi=0xf33ec601,seq=0x1dd), length 164
IP B > A: ESP(spi=0x089882f5,seq=0x1e3), length 164

Trying to use -E (using keys from setkey -D) I can "decrypt" the packet from
"B->A", the ping reply.

But I am not able to decrypt the ping request.

Command used:

Doing a ping to 192.168.96.24 I issue this command:

tcpdump -i eth3 -E "***@192.168.96.24
0x11cc1dbe3de5cb263ce1bc05cd1811abbce880f34a23a7cc" icmp

0xf33ec601 is the SPI parameter for tunnel A -> B (echo request packets); the
0x.... after that is the dynamically calculated ESP key taken from the setkey output.

I would expect to see my request, but instead the reply packets are printed
out - confusing.

Can anyone help me with that? I guess I am doing something wrong here?

thx

Torsten
--
Please do not send me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.de.html

Really, I'm not out to destroy Microsoft. That will just be a
completely unintentional side effect."
-- Linus Torvalds
Michael Richardson
2009-02-20 01:35:04 UTC
Torsten Krah
2009-02-20 09:29:35 UTC
Post by Michael Richardson
First, are you capturing the entire packet?
Hm, what do you mean with "entire" packet? How do I know this?
I already told you the command I used - do I have to do something more to get the
entire dump?
Post by Michael Richardson
Torsten> 0x11cc1dbe3de5cb263ce1bc05cd1811abbce880f34a23a7cc" icmp
Second, are you using "netkey" (built-in kernel IPsec)?
Yes, I am using netkey - I tried the klips stack but can't get virtual nets, only
done through NETMAP and DNAT/SNAT targets, to work (kernel 2.6.28.6, openswan
2.6.20) - racoon + netkey does work.
Post by Michael Richardson
If so, then you lose, because they never provided tcpdump hooks for
both before and after (and in between) for the layers of the tunnels.
You see everything.
Do I have to see everything, or am I going to not see all? I am confused
about your answer here.
Post by Michael Richardson
tcpdump -E is used extensively by the Openswan KLIPS regression
testing system, which is part of every source tree, if you want more
examples than are in tcpdump/tests
Thanks for this hint, I already looked there, but using the examples there I
can't get my packets decrypted; it seems like my capture file is not what
tcpdump expects.
Arien Vijn
2009-02-20 09:38:45 UTC
Post by Torsten Krah
Post by Michael Richardson
First, are you capturing the entire packet?
Hm, what do you mean with "entire" packet? How do I know this?
I already told you the command I used - do I have to do something more to get the
entire dump?
The snap length is set to 68 bytes by default on most OSes. That is
enough to capture IP, ICMP, TCP and UDP. To capture the whole frame
you need to run with: -s 0.

-- Arien
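Arien's snaplen point, as an added example that is not from any poster in this thread: a stdlib-only Python checker that reads a classic pcap file (as written by tcpdump -w), finds Ethernet/IPv4/ESP records whose captured length is shorter than the length on the wire, and reports their SPI and sequence number, which answers "how do I know if I captured the entire packet?". The sample capture is constructed inline (one 178-byte ESP frame cut to the 68-byte default snaplen; the SPI/seq values are the ones quoted in the thread); it assumes an Ethernet link type without VLAN tags.

```python
"""Flag ESP records in a classic pcap whose caplen is below the wire length."""
import struct

ETH_IPV4 = 0x0800
IPPROTO_ESP = 50


def parse_pcap(data):
    """Yield (caplen, origlen, frame) for each record of a classic pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # magic decides byte order
    off = struct.calcsize(endian + "IHHiIII")       # 24-byte global header
    rec_fmt = endian + "IIII"                       # ts_sec, ts_usec, caplen, origlen
    while off + 16 <= len(data):
        _sec, _usec, caplen, origlen = struct.unpack_from(rec_fmt, data, off)
        off += 16
        yield caplen, origlen, data[off:off + caplen]
        off += caplen


def esp_info(frame):
    """Return (spi, seq) for an Ethernet/IPv4/ESP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                    # IPv4 header length in bytes
    if frame[14 + 9] != IPPROTO_ESP or len(frame) < 14 + ihl + 8:
        return None
    return struct.unpack_from("!II", frame, 14 + ihl)   # SPI, sequence number


def truncated_esp(data):
    """List (spi, seq, caplen, origlen) for ESP records that were cut short."""
    out = []
    for caplen, origlen, frame in parse_pcap(data):
        info = esp_info(frame)
        if info and caplen < origlen:
            out.append((info[0], info[1], caplen, origlen))
    return out


def build_sample(caplen=68):
    """Constructed pcap: one 178-byte ESP frame, stored with the given snaplen."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 164, 0, 0, 64, IPPROTO_ESP, 0,
                     bytes([192, 168, 96, 23]), bytes([192, 168, 96, 24]))
    esp = struct.pack("!II", 0xF33EC601, 0x1DD)     # SPI and seq from the thread
    frame = (eth + ip + esp).ljust(178, b"\x00")    # 14 + 164 bytes on the wire
    glob = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1
    rec = struct.pack("<IIII", 1235070000, 0, caplen, len(frame)) + frame[:caplen]
    return glob + rec


if __name__ == "__main__":
    print(truncated_esp(build_sample()))    # default snaplen: one truncated record
    print(truncated_esp(build_sample(178))) # -s 0 equivalent: nothing truncated
```

Any record listed means tcpdump never saw the ESP trailer and the end of the encrypted payload, so -E cannot decrypt it regardless of the key.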
Torsten Krah
2009-02-20 09:58:40 UTC
Post by Arien Vijn
To capture the whole frame
you need to run with: -s 0.
Thanks for this hint - that was my mistake *sigh* - I should have remembered this
...
Thanks - it works now.

Torsten
Michael Richardson
2009-02-20 15:42:29 UTC