[Openswan Users] How to see the outgoing decrypted packets with kernel 2.6 ?

Jacques Valot jacquesvalot at hotmail.com
Wed Jun 29 16:08:14 CEST 2005



>From: Paul Wouters <paul at xelerance.com>
>To: Jacques Valot <jacquesvalot at hotmail.com>
>CC: users at openswan.org
>Subject: Re: [Openswan Users] How to see the outgoing decrypted packets 
>with kernel 2.6 ?
>Date: Wed, 29 Jun 2005 14:57:54 +0200 (CEST)
>
>On Wed, 29 Jun 2005, Jacques Valot wrote:
>
>>>You need to run tcpdump on the ipsec0 interface, not the ethX interface, 
>>>that
>>>I assume tcpdump uses when no interface is specified.
>>
>>You are right.
>>But if I run the tcpdump command on the ipsec0 interface, I only see the 
>>icmp echo request packets.
>>
>>Without the KLIPS kernel module loaded:
>>- On the eth0 interface, I see both ESP packets (incoming and outgoing) and 
>>incoming decrypted packets.
>>- no ipsec interface
>>- The ping is OK.
>
>That is using NETKEY...
>
>>With the KLIPS kernel module loaded before running ipsec:
>>- On the eth0 interface, I see both ESP packets (incoming and outgoing)
>>- On the ipsec0 interface, I see outgoing decrypted packets.
>
>Eh? You mean outgoing not-yet-encrypted packets? Or incoming decrypted
>packets?
>
>>- The ping didn't work.
>
>Are the NETKEY modules unloaded properly when using KLIPS?
>
>Did you disable NAT/MASQ? Check ip_forwarding? disable rp_filter?
>Any other kernel messages in the log?
>
>Paul

OK. I unloaded the modules below before loading the ipsec.ko (KLIPS) module 
and restarting the ipsec service:
ah4, esp4, ipcomp, sha1, des, aes-i586, ipsec

After this:
- On the eth0 interface, I see both ESP packets (incoming and outgoing)
- On the ipsec0 interface, I see outgoing decrypted packets AND incoming 
decrypted packets too.
- The ping now works fine.

For information:
# cat /proc/sys/net/ipv4/ip_forward
0
# cat /proc/sys/net/ipv4/conf/eth0/rp_filter
0
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.3.1 (klips)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: neptune                 [MISSING]
   Does the machine have at least one non-private address?      [FAILED]
#

I am not an IPsec specialist!
Do you think this situation is correct?

Jacques.
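The procedure Jacques ended up with (make sure the NETKEY modules are gone before ipsec.ko is loaded, then capture cleartext on ipsec0 rather than eth0) can be checked from lsmod output before touching anything. The script below is an added example, not code from the thread or from Openswan: it classifies an lsmod snapshot as NETKEY, KLIPS, both or neither, prints the rmmod order for the NETKEY-side modules Jacques listed, and names the interface on which tcpdump shows the tunnelled cleartext. The module names come from his message; the function names, the sample lsmod snapshot and the ordering (protocol modules before the crypto algorithms they hold references to) are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread or from Openswan): inspect lsmod
# output and decide whether NETKEY, KLIPS, or both IPsec stacks are loaded.

# NETKEY-side modules Jacques unloaded before loading ipsec.ko, in the order to
# remove them: protocol handlers first, then the crypto modules they pinned.
# (Assumed order; the thread only lists the names.)
NETKEY_MODULES="ah4 esp4 ipcomp sha1 des aes-i586"

# lsmod prints module names with underscores (aes_i586), so normalise the
# page's "aes-i586" spelling before comparing.
norm() { printf '%s\n' "$1" | tr '-' '_'; }

# has_module LSMOD_TEXT NAME -> exit status 0 if NAME appears in column 1
has_module() {
    printf '%s\n' "$1" | awk -v m="$(norm "$2")" '$1 == m { found = 1 } END { exit !found }'
}

# detect_stack LSMOD_TEXT -> prints none | netkey | klips | both
# KLIPS is the "ipsec" module; NETKEY shows up as ah4/esp4/ipcomp.
detect_stack() {
    nk=0; kl=0
    has_module "$1" ipsec && kl=1
    for m in ah4 esp4 ipcomp; do
        has_module "$1" "$m" && nk=1
    done
    case "$nk$kl" in
        00) echo none ;;
        10) echo netkey ;;
        01) echo klips ;;
        11) echo both ;;
    esac
}

# unload_plan LSMOD_TEXT -> one "rmmod <name>" line per NETKEY module present,
# in NETKEY_MODULES order, so the protocol modules release the crypto modules
# before those are removed.
unload_plan() {
    for m in $NETKEY_MODULES; do
        if has_module "$1" "$m"; then
            echo "rmmod $(norm "$m")"
        fi
    done
}

# capture_iface STACK -> interface on which tcpdump shows tunnelled cleartext.
# With KLIPS that is ipsec0; NETKEY has no such interface, and on eth0 you see
# ESP plus only the inbound packets after decryption, as the thread observed.
capture_iface() {
    case "$1" in
        klips|both) echo ipsec0 ;;
        *) echo eth0 ;;
    esac
}

# Constructed lsmod snapshot (not from the thread): both stacks loaded at once,
# the state in which Jacques's ping failed.
SAMPLE_LSMOD='Module                  Size  Used by
ipsec                 291000  0
esp4                    8192  2
ah4                     6144  0
ipcomp                  6144  0
aes_i586               33000  1 esp4
sha1                    4000  1 esp4
des                    16000  0
e100                   40000  0'

main() {
    stack=$(detect_stack "$SAMPLE_LSMOD")
    echo "stack loaded: $stack"
    if [ "$stack" = both ]; then
        echo "NETKEY and KLIPS are both loaded; remove the NETKEY side in this order:"
        unload_plan "$SAMPLE_LSMOD"
        echo "then reload ipsec.ko and restart the ipsec service"
    fi
    echo "capture cleartext with: tcpdump -ni $(capture_iface "$stack")"
}
main
```

On a live box replace the constructed snapshot with `lsmod` output, e.g. `detect_stack "$(lsmod)"`; the rmmod lines are printed rather than executed so you can review them first, and a module that is still in use will simply refuse to unload.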
