tcpdump mailing list archives
Using tcpdump to decrypt IPSec ESP sessions (none and aes-cbc)
From: Philip Prindeville via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Thu, 6 Aug 2020 11:19:21 -0600
--- Begin Message --- From: Philip Prindeville <philipp_subx () redfish-solutions com>
Date: Thu, 6 Aug 2020 11:19:21 -0600
Hi. I’m trying to debug a Strongswan config and wanted to verify that my GRE traffic is being encapsulated properly by IPSec. “Tcpdump” to the rescue. Well, almost. So I was trying to use “ip xfrm state” to get the SPI and sessions keys, and then run "tcpdump … -E spi@addr aes-cbc:key” but tcpdump doesn’t support aes-cbc apparently (despite traffic on the list from 2004 threatening to add support in 3.8.4). So I tried to downgrade the encryption suite to “esp=null” and to use “-E spi@addr none:” but I get the message: tcpdump: can't parse filter expression: syntax error Which isn’t particular specific. I’m using CentOS 8 Stream, if that helps. Trying to tell if my tcpdump doesn’t support -E in general, or if I’m just using it wrong. If AES support isn’t baked in, I might have time to take a stab at patches in the coming weeks, but for now I need to get GRE+IPSec tunneling delivered to my boss. Maybe even adding support for a mode where tcpdump runs “ip xfrm state” in a socketpair or pipe and grovels out the SPI’s, addresses, cipher names, and keys… I’m assuming that having a table to tuples for connections that you’re not interested in doesn’t add any actual significant overhead other than a few dozen bytes of storage for the tuple itself. Can someone help me get jumpstarted here? Thanks, -Philip
--- End Message ---
_______________________________________________ tcpdump-workers mailing list tcpdump-workers () lists tcpdump org https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Current thread:
- Using tcpdump to decrypt IPSec ESP sessions (none and aes-cbc) Philip Prindeville via tcpdump-workers (Aug 06)
- Re: Using tcpdump to decrypt IPSec ESP sessions (none and aes-cbc) Denis Ovsienko via tcpdump-workers (Aug 06)