[Openswan Users] Testing ipsec connection and confirming encryption

Wed Aug 24 02:33:11 EDT 2011

Thank you very much! That's exactly what I needed. For those who find this post in google, the correct syntax for iptables that worked for me was this:

iptables -A INPUT -s <peer IP> -m policy --dir in --pol ipsec -m multiport -p tcp --dports <whatever ports you want opened> -j ACCEPT

This policy is a bit more restrictive than the one Paul suggested.

I tested it with the tunnel up (ports are open) and tunnel down (ports are blocked).

> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: Tuesday, August 23, 2011 1:28 PM
> To: Kevin Keane
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Testing ipsec connection and confirming
> encryption
> 
> On Tue, 23 Aug 2011, Kevin Keane wrote:
> 
> > Both machines are running CentOS 5.6. Running pluto and the netkey stack.
> >
> > Three questions:
> >
> > - Is there a tool that shows me that traffic is encrypted? Something like an
> ipsec-aware traceroute maybe?
> 
> tcpdump can show it, but needs a human really. As you will see incoming
> encrypted, incoming decrypted and outgoing plaintext. You will not see
> outgoing encrypted.
> 
> You can prob see packet count in "ip xfrm state" telling you about crypted
> packet count.
> 
> > - Is there a way to set up iptables rules to reject all unencrypted traffic
> (except to ports 500 and 4500 of course)?
> 
> yes. but due to the issue I describe above, you need to use -m ipsec as a policy
> for matching an ACCEPT rule (which should then automatically also allow the
> decrypted packet if I'm right)
> 
> > - Is there a nagios plugin that would let me monitor tunnel traffic, and alert
> me about any unexpected cleartext traffic?
> 
> The easiest is to DROP all unencrypted traffic so if the tunnel goes down:
> 1) there are no leaks
> 2) simple connectivity checks from nagios will work without ipsec support
> 
> Paul