[Openswan Users] What is wrong: I can see clear text traffic from left to right

Michael Furman michael_furman at hotmail.com
Thu Mar 10 13:15:24 EST 2016 

Andy,
Using tcpdump  I can see each packet only once.

I discovered the following: the plain text appears only if I type on the other side than I capture the traffic (execute tcpdump).

So, I guess in this case it is still OK  (per your statement): "If you capture at some point outside your ipsec servers you'll see only encrypted traffic."

BTW, if it is FAQ you can create FAQ section on your site https://github.com/xelerance/Openswan/wiki

Thank you for your help,
  Michael


> Date: Thu, 10 Mar 2016 16:46:07 +0000
> From: andy at andynet.net
> To: michael_furman at hotmail.com
> CC: users at lists.openswan.org
> Subject: Re: [Openswan Users] What is wrong: I can see clear text traffic from left to right
> 
> You're seeing the ESP traffic after it's been decrypted. It's to do with the way that the packet
> capture hooks into the kernel.
> When using the netkey ipsec stack tcpdump will capture an incoming ESP packet twice, both
> before and after it's decrypted. But outgoing is only seen after encryption.
> 
> If you capture at some point outside your ipsec servers you'll see only encrypted traffic.
> 
> This gets asked often - see https://lists.strongswan.org/pipermail/users/2012-June/003197.html for example.
> 
> 
> On Thu, Mar 10, 2016 at 11:13:08AM +0200, Michael Furman wrote:
> > Dear Openswan people,I need your help. I have started POC to enable Openswan in our product.Unfortunately I can see clear text traffic from left to right so it is kind of he critical problem that will prevent me from using of Openswan in the production. I have configured Openswan on CentOS 6 using the following instructions: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Host-To-Host_VPN_Using_Openswan.html  The final configuration is below: conn my-tunnel    ike=3des-md5    esp=3des-md5    left=172.16.0.2    leftnexthop=%defaultroute    leftrsasigkey=0...ww==    right=172.16.0.1    rightnexthop=%defaultroute    rightrsasigkey=0s...rQ==    authby=rsasig    keyingtries=10    # load and initiate automatically    compress=no    auto=start  I have tested the connection on both sides:tcpdump -n -i eth0 esp or udp port 500 or udp port 4500tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes10:02:00.444491 IP 172.16.0.2 > 172.16.0.1: ESP(spi=0x8204b310,seq=0x26425), length 12410:02:00.445414 IP 172.16.0.1 > 172.16.0.2: ESP(spi=0xa68b20ef,seq=0x34e1d), length 84  tcpdump -n -i eth0 esp or udp port 500 or udp port 4500tcpdump: verbose output suppressed, use -v or -vv for full protocol decodelistening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes10:02:33.123685 IP 172.16.0.1 > 172.16.0.2: ESP(spi=0xa68b20ef,seq=0x34e4c), length 15610:02:33.132466 IP 172.16.0.2 > 172.16.0.1: ESP(spi=0x8204b310,seq=0x26444), length 172   I suppose that any communication from left to right and vice versa will be encrypted by Openswan. I have started the chat server on the left: nc  -vv -l 172.16.0.2 1234 And then connected on the write: nc 172.16.0.2 1234  Unfortunately, when I capture the traffic using the following command I can see clear text traffic from left to right:tcpdump -vv -n -s0 -w ipsecchat.cap tcp port 1234  Please note that traffic from write to left is encrypted. What is wrong? Please help. 		 	   		  
> > -- 
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> > 
> 
> > _______________________________________________
> > Users at lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20160310/51b3f057/attachment.html>

More information about the Users mailing list