tcpdump mailing list archives
Re: Using tcpdump to decrypt IPSec ESP sessions (none and aes-cbc)
From: Denis Ovsienko via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Thu, 6 Aug 2020 19:27:32 +0100
--- Begin Message ---
From: Denis Ovsienko <denis () ovsienko info>
Date: Thu, 6 Aug 2020 19:27:32 +0100
On Thu, 6 Aug 2020 11:19:21 -0600
Philip Prindeville via tcpdump-workers <tcpdump-workers () lists tcpdump org> wrote:

> Hi.
>
> I'm trying to debug a Strongswan config and wanted to verify that my
> GRE traffic is being encapsulated properly by IPSec. "Tcpdump" to the
> rescue. Well, almost.
>
> So I was trying to use "ip xfrm state" to get the SPI and session keys,
> and then run "tcpdump … -E spi@addr aes-cbc:key" but tcpdump doesn't
> support aes-cbc apparently (despite traffic on the list from 2004
> threatening to add support in 3.8.4).

Hello Philip.

I had a similar experience in 2019. If that's the tcpdump that comes with
CentOS 8, that would likely be version 4.9.x. Please retest using tcpdump
built from the git master branch; Guy had cleaned the ESP decoder up in
early 2020. That, among other things, fixed the cipher name parsing, which
may be the cause of the error. AFAIK the cipher name finally can be
anything that OpenSSL recognises as such.

-- 
    Denis Ovsienko
--- End Message ---
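The workflow Philip describes (read the SA parameters from `ip xfrm state`, then hand the SPI, peer address, cipher and key to `tcpdump -E`) is easy to get wrong by hand, because the Linux kernel names ciphers differently from OpenSSL and the key length decides which AES variant applies. The POSIX shell script below is an added example, not code from the thread or from the tcpdump project: it parses a constructed sample of `ip xfrm state` output and emits one `spi@dst algo:0xkey` line per ESP SA. The cipher-name mapping assumes a tcpdump build that, as Denis says of the git master, accepts OpenSSL cipher names (`aes-128-cbc`, `des-ede3-cbc`); the spelling `none` for the NULL cipher, the function names, the addresses and the keys are all assumptions or constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): convert `ip xfrm state` output into
# tcpdump -E secret lines of the form "spi@dst algo:0xkey".
# The address tcpdump matches on is the SA's destination address, so each
# direction of the tunnel produces its own line.

# Constructed sample of `ip xfrm state` output for one tunnel (two SAs).
# Addresses, SPIs and keys are made up; the layout is the real one.
SAMPLE_XFRM='src 203.0.113.1 dst 203.0.113.2
	proto esp spi 0xc0ffee12 reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha256) 0x1111111111111111111111111111111111111111111111111111111111111111 128
	enc cbc(aes) 0x00112233445566778899aabbccddeeff
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 203.0.113.2 dst 203.0.113.1
	proto esp spi 0xdeadbeef reqid 1 mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha256) 0x2222222222222222222222222222222222222222222222222222222222222222 128
	enc cbc(aes) 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
'

# Map a kernel xfrm cipher name plus the hex key (without 0x) to an OpenSSL
# cipher name. ASSUMPTION: the tcpdump build passes the name to OpenSSL, as
# the reply says the git master does; older builds used their own spelling.
# $1 = xfrm algorithm, $2 = hex key; prints the name or fails if unsupported.
openssl_cipher_name() {
	case "$1" in
		'cbc(aes)')
			case ${#2} in          # hex digits: 32 -> 128-bit, 48 -> 192, 64 -> 256
				32) echo aes-128-cbc ;;
				48) echo aes-192-cbc ;;
				64) echo aes-256-cbc ;;
				*)  return 1 ;;
			esac ;;
		'cbc(des3_ede)')     echo des-ede3-cbc ;;
		'ecb(cipher_null)')  echo none ;;   # NULL encryption; "none" spelling assumed
		*)                   return 1 ;;
	esac
}

# Read `ip xfrm state` text on stdin and print one tcpdump -E secret per SA.
# Lines seen per SA: "src A dst B", "proto esp spi S ...", "enc ALGO 0xKEY".
xfrm_to_espsecrets() {
	dst=''; spi=''
	while read -r w1 w2 w3 w4 rest; do
		case "$w1" in
			src)   dst=$w4 ;;              # "src A dst B" -> B is the SA destination
			proto) spi=$w4 ;;              # "proto esp spi 0x.... reqid ..."
			enc)
				key=${w3#0x}
				algo=$(openssl_cipher_name "$w2" "$key") || {
					echo "unsupported cipher $w2 for $spi@$dst" >&2
					return 1
				}
				if [ "$algo" = none ]; then
					echo "$spi@$dst none"
				else
					echo "$spi@$dst $algo:0x$key"
				fi ;;
		esac
	done
}

# Run the conversion over the constructed sample.
demo_secrets() {
	printf '%s' "$SAMPLE_XFRM" | xfrm_to_espsecrets
}

demo_secrets
```

Run against a live system with `ip xfrm state | xfrm_to_espsecrets`; join the lines with commas for a single `-E` argument, or write them to a file and use tcpdump's `-E "file name"` form, which reads one secret per line. Keep such a file readable only by the user running the capture, since it contains the live session keys. The script deliberately ignores the `auth-trunc` line: the ICV length it reports is what determines how many trailing bytes the decoder must strip before decryption, so if decrypted payloads look truncated or garbled despite a correct key, that is the next thing to compare against what the tcpdump version in use expects.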
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
Current thread:
- Using tcpdump to decrypt IPSec ESP sessions (none and aes-cbc) Philip Prindeville via tcpdump-workers (Aug 06)
- Re: Using tcpdump to decrypt IPSec ESP sessions (none and aes-cbc) Denis Ovsienko via tcpdump-workers (Aug 06)