Using tcpdump to decrypt IPSec ESP sessions (none and aes-cbc)

[Philip Prindeville via tcpdump-workers <tcpdump-workers () lists tcpdump org>]

> --- Begin Message ---
>
>
> From: Philip Prindeville <philipp_subx () redfish-solutions com>
>
> Date: Thu, 6 Aug 2020 11:19:21 -0600
>
> Hi.
>
> I’m trying to debug a Strongswan config and wanted to verify that my GRE traffic is being encapsulated properly by 
> IPSec.  “Tcpdump” to the rescue.  Well, almost.
>
> So I was trying to use “ip xfrm state” to get the SPI and sessions keys, and then run "tcpdump … -E spi@addr 
> aes-cbc:key” but tcpdump doesn’t support aes-cbc apparently (despite traffic on the list from 2004 threatening to add 
> support in 3.8.4).
>
> So I tried to downgrade the encryption suite to “esp=null” and to use “-E spi@addr none:” but I get the message:
>
> tcpdump: can't parse filter expression: syntax error
>
> Which isn’t particular specific.
>
> I’m using CentOS 8 Stream, if that helps.  Trying to tell if my tcpdump doesn’t support -E in general, or if I’m just 
> using it wrong.
>
> If AES support isn’t baked in, I might have time to take a stab at patches in the coming weeks, but for now I need to 
> get GRE+IPSec tunneling delivered to my boss.
>
> Maybe even adding support for a mode where tcpdump runs “ip xfrm state” in a socketpair or pipe and grovels out the 
> SPI’s, addresses, cipher names, and keys…  I’m assuming that having a table to tuples for connections that you’re not 
> interested in doesn’t add any actual significant overhead other than a few dozen bytes of storage for the tuple itself.
>
> Can someone help me get jumpstarted here?
>
> Thanks,
>
> -Philip
>
>
> --- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers