<br>I looked in /var/log/messages and all it seems to record is that there's a change to a config file. /var/log/auth.log shows each step of the establishment and what its doing, but it doesn't seem to be repeating itself in that regard. I cant say i know entirely what to look for, in terms of a bouncing connection. ipsec auto --status doesnt have much more either than just the establishment of the connection.<br>
<br>In the ipsec config file i've set plutodebug="all"<br><br>Thanks Paul,<br><br>Ryan<br><br><div class="gmail_quote">On Fri, Jul 16, 2010 at 1:14 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">On Fri, 16 Jul 2010, Ryan McLeod wrote:<br>
<br>
You can only be leaking packets if your IPsec tunnel continiously bounces up and down.<br>
This should be apparent in the normal logs. That should be fixed.<br>
<br>
The stack itself cannot possibly be leaking packets if a policy has been negotiated<br>
and put in place.<br>
<br>
Paul<br>
<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Date: Fri, 16 Jul 2010 13:00:55 -0400<br>
From: Ryan McLeod <<a href="mailto:r.mcleod20@gmail.com" target="_blank">r.mcleod20@gmail.com</a>><br>
To: Paul Wouters <<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>><br>
Subject: Re: [Openswan Users] seeing a mix of TCP and ESP traffic. openswan to<br>
openswan<div><div></div><div class="h5"><br>
<br>
I've stuck a virtual machine in the middle of my openswan to openswan IPSec vpn. Aside from ESP traffic I do see the occasional TCP<br>
packet. Ultimately I would like to see only ESP traffic (which is the case for openswan to Cisco ASA). These tcp packets are marked with<br>
true source and destination IPs: 10.10.10.2 and 192.168.1.5. The wireshark info column says for one of them: search-agent > 46687 [SYN,<br>
ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS. Other TCPs start with: 46687 > search agent. Andhave different flags: psh ack, fin ack, etc.<br>
<br>
I've tried adding iptables -A OUTPUT -j DROP && iptables -A INPUT -j DROP as sort of a deny any any, but that hasnt really worked. i've<br>
also tried -P instead of -A for those rules.<br>
<br>
Any suggestion, insight on where to take this is appreciated.<br>
<br>
Ryan<br>
<br>
On Wed, Jul 14, 2010 at 3:53 PM, Ryan McLeod <<a href="mailto:r.mcleod20@gmail.com" target="_blank">r.mcleod20@gmail.com</a>> wrote:<br>
So sniffing on openswan 1 still. For 1 imcp there are 5 packets. First is an ICMP request, then an ESP(request as its coming<br>
from the other openswan device), an ICMP request, an ESP(reply, going to the other openswan device), and then an icmp reply.<br>
<br>
Ryan<br>
<br>
<br>
On Wed, Jul 14, 2010 at 3:39 PM, Paul Wouters <<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>> wrote:<br>
On Wed, 14 Jul 2010, Ryan McLeod wrote:<br>
<br>
It's just the order ill see them in. Right now my net cat send is failing, as it goes over an asa, which likes to<br>
drop things after a reload.<br>
So i see a tcp, an esp, 2 tcp, an esp, a tcp, 2 arps, a tcp, an esp, then a tcp, and then the connection closes.<br>
<br>
I was thinking along the lines of: an esp packet would come in, and get decrypted so I would see one tcp per each<br>
esp coming in. Ultimately<br>
what i want is all traffic between these two encrypted.<br>
<br>
But basically what you're saying is what i am seeing is normal?<br>
<br>
<br>
No, it does not look normal.<br>
<br>
I don't know what is happening. I'd recommend using ping and ensuring you send a known<br>
amount of packets. netcat might start retransmitting etc.<br>
<br>
Paul<br>
<br>
<br>
<br>
On Wed, 14 Jul 2010, Ryan McLeod wrote:<br>
<br>
<br>
I've got two ubuntu vms testing openswan to openswan in a site to site configuration, with a host on each side.<br>
<br>
Host 1 ------------------ Openswan1==tunnel==Openswan2-----------------Host2<br>
192.168.1.5 x.x1.1 11.11.11.1 11.11.11.2 10.10.10.1 10.10.10.2<br>
<br>
When i send data via netcat from Host2 to Host1, im sniffing with wireshark on 11.11.11.1 on the openswan1 machine. And what<br>
i'll see is an ESP<br>
packet for 11.11.11.2 to 11.11.11.1 then two TCP packet that are 10.10.10.2 to 192.168.1.5. It's not in a 1 by one manner.<br>
There will often be<br>
two TCP then one ESP packets in the stream.<br>
<br>
Is this behavour normal? I would expect all the traffic to be seen as encrypted ESP data.<br>
<br>
<br>
With NETKEY, you will see with tcpdump:<br>
- outgoing unencrpyted packets<br>
- incoming encrypted packets<br>
- incoming decrypted packets<br>
<br>
You will not see outgoing encrypted packets.<br>
<br>
I dont understand your 2-1 mapping, unless you are counting the<br>
incoming encrypted + decryped as 2 packets instead of 1.<br>
<br>
Paul<br>
<br>
<br>
<br>
</div></div></blockquote>
</blockquote></div><br>