[Openswan Users] Testing ipsec connection and confirming encryption

Paul Wouters paul at xelerance.com
Tue Aug 23 16:28:02 EDT 2011


On Tue, 23 Aug 2011, Kevin Keane wrote:

> Both machines are running CentOS 5.6. Running pluto and the netkey stack.
>
> Three questions:
>
> - Is there a tool that shows me that traffic is encrypted? Something like an ipsec-aware traceroute maybe?

tcpdump can show it, but needs a human really. As you will see incoming encrypted, incoming decrypted and
outgoing plaintext. You will not see outgoing encrypted.

You can probably see packet count in "ip xfrm state" telling you about crypted packet count.

> - Is there a way to set up iptables rules to reject all unencrypted traffic (except to ports 500 and 4500 of course)?

Yes, but due to the issue I describe above, you need to use -m ipsec as a policy for matching
an ACCEPT rule (which should then automatically also allow the decrypted packet if I'm right).

> - Is there a nagios plugin that would let me monitor tunnel traffic, and alert me about any unexpected cleartext traffic?

The easiest is to DROP all unencrypted traffic so if the tunnel goes down:
1) there are no leaks
2) simple connectivity checks from nagios will work without ipsec support

Paul
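
Added example, not part of the original message: a Nagios-style check built on the packet counters mentioned above, comparing two snapshots of `ip -s xfrm state` (the `-s` flag prints the per-SA counters) to confirm that ESP packets are flowing in both directions. The addresses, SPIs, counter values and the function names `esp_packets` and `check_tunnel` are constructed for illustration, and the sample output is trimmed to the lines the parser reads.

```python
import re

# Constructed, trimmed sample of `ip -s xfrm state` output (real output indents with tabs).
BEFORE = """\
src 192.0.2.10 dst 192.0.2.20
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
    lifetime current:
      8400(bytes), 100(packets)
src 192.0.2.20 dst 192.0.2.10
    proto esp spi 0x4d3c2b1a reqid 16385 mode tunnel
    lifetime current:
      4200(bytes), 50(packets)
"""
# Second snapshot taken later: both directions have carried more packets.
AFTER = BEFORE.replace("100(packets)", "160(packets)").replace("50(packets)", "75(packets)")

HEADER = re.compile(r"^src (\S+) dst (\S+)")
COUNTS = re.compile(r"^\s+(\d+)\(bytes\), (\d+)\(packets\)")

def esp_packets(text):
    """Return {(src, dst): packet count} summed over all ESP SAs in the output."""
    totals, pair, is_esp = {}, None, False
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pair, is_esp = (m.group(1), m.group(2)), False
        elif line.strip().startswith("proto "):
            is_esp = line.split()[1] == "esp"
        else:
            m = COUNTS.match(line)
            if m and pair and is_esp:
                totals[pair] = totals.get(pair, 0) + int(m.group(2))
    return totals

def check_tunnel(before, after, local, peer):
    """Return (nagios_status, message): 0 OK, 1 WARNING, 2 CRITICAL."""
    prev, cur = esp_packets(before), esp_packets(after)
    for pair in ((local, peer), (peer, local)):
        if pair not in cur:
            return 2, "CRITICAL: no ESP SA %s -> %s" % pair
        grown = cur[pair] - prev.get(pair, 0)
        # A rekey installs a fresh SA whose counter restarts from zero.
        if grown < 0:
            grown = cur[pair]
        if grown == 0:
            return 1, "WARNING: no ESP packets %s -> %s since last check" % pair
    return 0, "OK: ESP packets flowing in both directions"

if __name__ == "__main__":
    print(check_tunnel(BEFORE, AFTER, "192.0.2.10", "192.0.2.20"))
```

In a real plugin the two snapshots would come from successive runs of the command, with the previous one kept in a state file.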

