[Openswan Users] Decrypt ESP packets with wireshark for tunnel mode (Openswan)
mcr at sandelman.ca
Tue Nov 16 20:51:03 EST 2010
>>>>> "Kevin" == Kevin Wilson <wkevils at gmail.com> writes:
Kevin> I want to verify one point - and it could be that I am wrong at it:
Kevin> tcpdump -E will **not** decrypt ESP when using netkey (built-in kernel
Kevin> IPsec). This will work only with klips.
tcpdump -E, with the right keys, will decrypt any ESP packet that
tcpdump can capture. You could be sniffing traffic from the network
between a Cisco VPN3K and a windows7 machine... if you have the keys,
you can decrypt.
Kevin> Am I right about it?
The major difference between netkey and KLIPS is that KLIPS gives you
very clear capture points:
"eth1" (outside interface) capture is always encrypted.
"ipsec0" interface is already/not-yet encrypted.
I believe that the capture points in NETKEY are such that outgoing
traffic is seen twice (one encrypted, one clear), and incoming traffic
is only seen when encrypted.
Kevin> This is what I understand from http://seclists.org/tcpdump/2009/q1/87.
So, that's an email from me, where I say what I just said.
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
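To go with the point above about tcpdump -E decrypting any ESP packet it can capture once it has the keys, here is an added example (not from the original post or from Openswan) that builds the key file tcpdump -E reads. The SPIs, addresses and keys are constructed sample values; the accepted key lengths are the ciphers' own sizes and the assumption that tcpdump enforces them is mine.

```python
import ipaddress

# Ciphers tcpdump's ESP decryptor names in its -E documentation, with the
# raw key lengths (bytes) each cipher takes. Assumption: tcpdump rejects
# other lengths; the sizes themselves are the ciphers' own.
ALGO_KEY_BYTES = {
    "des-cbc": {8},
    "3des-cbc": {24},
    "blowfish-cbc": set(range(4, 57)),
    "cast128-cbc": set(range(5, 17)),
}


def format_esp_key_spec(spi, dst_ip, algo, key_hex):
    """Return one -E entry in the form 'spi@ipaddr algo:secret'.

    dst_ip is the destination address of the ESP packets carrying this SPI
    (the SA's receiving endpoint), which is what tcpdump matches against.
    """
    if not 0 < spi <= 0xFFFFFFFF:
        raise ValueError(f"SPI {spi:#x} is not a 32-bit value")
    ipaddress.ip_address(dst_ip)  # raises ValueError on a malformed address
    algo = algo.lower()
    if algo not in ALGO_KEY_BYTES:
        raise ValueError(f"cipher not supported by tcpdump -E: {algo}")
    key = bytes.fromhex(key_hex[2:] if key_hex.lower().startswith("0x") else key_hex)
    if len(key) not in ALGO_KEY_BYTES[algo]:
        raise ValueError(f"{algo}: bad key length {len(key)} bytes")
    return f"0x{spi:08x}@{dst_ip} {algo}:0x{key.hex()}"


def build_keyfile(sas):
    """Emit one entry per line for: tcpdump -E "file esp.keys".

    ESP SAs are unidirectional, so decrypting both directions of a tunnel
    needs both the inbound and the outbound SA (different SPI, swapped dst).
    """
    return "\n".join(format_esp_key_spec(*sa) for sa in sas) + "\n"


# Constructed sample SA pair (not real keys) between 192.0.2.1 and 198.51.100.7.
SAMPLE_SAS = [
    (0x1A2B3C4D, "198.51.100.7", "3des-cbc", "0x" + "11" * 24),  # outbound
    (0x5E6F7081, "192.0.2.1", "3des-cbc", "0x" + "22" * 24),     # inbound
]

if __name__ == "__main__":
    print(build_keyfile(SAMPLE_SAS), end="")
```

Write the output to esp.keys and capture on the outside interface ("eth1" in the post) with `tcpdump -i eth1 -E "file esp.keys" esp`, which decrypts regardless of whether the stack is KLIPS or NETKEY.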