[Openswan Users] Is there any way to capture packets from a 3DES-SHA1 tunnel?

[Paul Wouters]

On Thu, 11 Mar 2010, Whit Blauvelt wrote:

> Trying to troubleshoot a strange problem where some machines can do RDP
> across the tunnel from one LAN to the other but other's cannot. Using "ip
> xfrm monitor" or "iptraf" it's easy enough to see the general flow of
> packets, and iptraf even shows which LAN addresses are involved. But to see
> the packet exchange itself, the most promising way I can find would be if
> tcpdump with it's -E option supported the particular encryption protocol
> used, and at least by its man page, in this case it doesn't.

The -E option is mostly used in test harnass scenarios where you have a copy
of the private key to give to tcpdump.

What you want is to just monitor the decrypted stream. That should be possible
on either end with tcpdump. For NETKEY on the ethX interface, for KLIPS on the
ipsecX interface.

ip xfrm monitor shows policy/state changes (but not all due to the way it
interacts will pluto if I am correct), not packet flow.

Usually these things are MTU issues. If your RDP client can send smaller udp
packets that might help. You might also be able to specify an MTU of 1472
or so on the real ethernet interface to end up with slightly smaller packets.
(there is no clamping for udp and rdp uses udp, nottcp, or else you could
clamp the packet sizes to the mss)

Paul