[Openswan Users] How to see the outgoing decrypted packets with
kernel 2.6 ?
Jacques Valot
jacquesvalot at hotmail.com
Wed Jun 29 16:08:14 CEST 2005
>From: Paul Wouters <paul at xelerance.com>
>To: Jacques Valot <jacquesvalot at hotmail.com>
>CC: users at openswan.org
>Subject: Re: [Openswan Users] How to see the outgoing decrypted packets
>with kernel 2.6 ?
>Date: Wed, 29 Jun 2005 14:57:54 +0200 (CEST)
>
>On Wed, 29 Jun 2005, Jacques Valot wrote:
>
>>>You need to run tcpdump on the ipsec0 interface, not the ethX interface,
>>>that I assume tcpdump uses when no interface is specified.
>>
>>You are right.
>>But, if I run the tcpdump command on the ipsec0 interface, I only see the
>>icmp echo request packets.
>>
>>without the KLIPS kernel module loaded :
>>- On eth0 interface, I see both ESP packets (incoming and outgoing) and
>>incoming decrypted packets.
>>- no ipsec interface
>>- The ping is OK.
>
>That is using NETKEY...
>
>>with the KLIPS kernel module loaded before run ipsec :
>>- On eth0 interface, I see both ESP packets (incoming and outgoing)
>>- On ipsec0 interface, I see outgoing decrypted packets.
>
>eh? You mean outgoing not-yet encrypted packets? Or incoming decrypted
>packets?
>
>>- The ping doesn't work.
>
>Are the NETKEY modules unloaded properly when using KLIPS?
>
>Did you disable NAT/MASQ? Check ip_forwarding? disable rp_filter?
>Any other kernel messages in the log?
>
>Paul
OK. I have unloaded the modules below before loading the ipsec.ko (klips) module
and rerunning the ipsec service:
ah4, esp4, ipcomp, sha1, des, aes-i586, ipsec
After this:
- On eth0 interface, I see both ESP packets (incoming and outgoing)
- On ipsec0 interface, I see outgoing decrypted packets AND incoming
decrypted packets too.
- The ping now works fine
For information:
# cat /proc/sys/net/ipv4/ip_forward
0
# cat /proc/sys/net/ipv4/conf/eth0/rp_filter
0
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.3.1 (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: neptune [MISSING]
Does the machine have at least one non-private address? [FAILED]
#
I am not an ipsec specialist!
Do you think this situation is correct?
Jacques.
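The thread turns on which IPsec stack is actually loaded: with NETKEY (ah4/esp4/ipcomp) cleartext and ESP both appear on the physical interface, with KLIPS (the single `ipsec` module) cleartext only appears on ipsec0, and having both loaded at once is the state in which the ping failed. The script below is an added example, not code from the thread or from Openswan: it classifies constructed `lsmod` output into none/netkey/klips/both, names the interface where tcpdump would see cleartext, and reproduces the `ipsec verify` IP-forwarding check from two sysctl-style values. The module names come from the thread; the sample `lsmod` text and the `check_ip_forwarding` helper are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the mailing list thread or from Openswan).
# Classify the active Linux IPsec stack from `lsmod` output and derive
# where cleartext traffic is visible to tcpdump.
#
# Module names are the ones named in the thread: NETKEY uses ah4/esp4/ipcomp
# (the crypto modules des/aes/sha1 are shared and not used as indicators);
# KLIPS is the single out-of-tree module "ipsec".

# Constructed sample lsmod output (not captured from a real host).
SAMPLE_NETKEY='Module                  Size  Used by
esp4                    8192  2
ah4                     8192  0
ipcomp                  8192  0
aes_i586               20480  1
sha1                    8192  1'

SAMPLE_KLIPS='Module                  Size  Used by
ipsec                 204800  4
aes_i586               20480  1
des                    16384  1'

SAMPLE_BOTH='Module                  Size  Used by
ipsec                 204800  0
esp4                    8192  0
ah4                     8192  0
ipcomp                  8192  0'

# detect_ipsec_stack <lsmod-output>
# Prints one of: none, netkey, klips, both
detect_ipsec_stack() {
    _netkey=0
    _klips=0
    # lsmod prints the module name in the first column; skip the header line.
    for _mod in $(printf '%s\n' "$1" | awk 'NR > 1 { print $1 }'); do
        case "$_mod" in
            ah4|esp4|ipcomp) _netkey=1 ;;
            ipsec)           _klips=1 ;;
        esac
    done
    if [ "$_netkey" -eq 1 ] && [ "$_klips" -eq 1 ]; then
        echo both
    elif [ "$_klips" -eq 1 ]; then
        echo klips
    elif [ "$_netkey" -eq 1 ]; then
        echo netkey
    else
        echo none
    fi
}

# cleartext_iface <stack> <physical-iface>
# Interface on which tcpdump shows the unencrypted side of the tunnel.
# With both stacks loaded there is no sane answer: that is the conflict
# the thread resolved by unloading ah4/esp4/ipcomp before loading ipsec.ko.
cleartext_iface() {
    case "$1" in
        netkey) echo "$2" ;;        # cleartext and ESP share eth0
        klips)  echo ipsec0 ;;      # cleartext only on the virtual interface
        both)   echo CONFLICT ;;
        *)      echo NONE ;;
    esac
}

# check_ip_forwarding <interface-count> <ip_forward-value>
# Mirrors the `ipsec verify` line "Two or more interfaces found, checking IP
# forwarding": a multi-interface host with ip_forward=0 fails the check.
check_ip_forwarding() {
    if [ "$1" -ge 2 ] && [ "$2" -ne 1 ]; then
        echo FAILED
    else
        echo OK
    fi
}

# Stand-alone demo over the constructed samples.
for _s in "$SAMPLE_NETKEY" "$SAMPLE_KLIPS" "$SAMPLE_BOTH"; do
    _stack=$(detect_ipsec_stack "$_s")
    printf 'stack=%-6s  capture cleartext on: %s\n' \
        "$_stack" "$(cleartext_iface "$_stack" eth0)"
done
printf 'ip_forward check (2 ifaces, ip_forward=0): %s\n' \
    "$(check_ip_forwarding 2 0)"
```

On a live host the first argument would be `"$(lsmod)"` and the sysctl value `"$(cat /proc/sys/net/ipv4/ip_forward)"`; the script deliberately takes them as arguments so it can be exercised offline against the constructed samples.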