Re: Using tcpdump to decrypt IPSec ESP sessions (none and aes-cbc)

[Denis Ovsienko via tcpdump-workers <tcpdump-workers () lists tcpdump org>]

> --- Begin Message ---
>
>
> From: Denis Ovsienko <denis () ovsienko info>
>
> Date: Thu, 6 Aug 2020 19:27:32 +0100
>
> On Thu, 6 Aug 2020 11:19:21 -0600
> Philip Prindeville via tcpdump-workers
> <tcpdump-workers () lists tcpdump org> wrote:
>
> > Hi.
> >
> > I’m trying to debug a Strongswan config and wanted to verify that my
> > GRE traffic is being encapsulated properly by IPSec.  “Tcpdump” to
> > the rescue.  Well, almost.
> >
> > So I was trying to use “ip xfrm state” to get the SPI and sessions
> > keys, and then run "tcpdump … -E spi@addr aes-cbc:key” but tcpdump
> > doesn’t support aes-cbc apparently (despite traffic on the list from
> > 2004 threatening to add support in 3.8.4).
>
> Hello Philip.
>
> I had similar experience in 2019. If that's the tcpdump that comes with
> CentOS 8, that would likely be version 4.9.x. Please retest using
> tcpdump built from the git master branch, Guy had cleaned the ESP
> decoder up in early 2020. That among other things fixed the cipher
> name parsing, which may be the cause of the error. AFAIK the cipher
> name finally can be anything that OpenSSL recognises as such.
>
> -- 
>     Denis Ovsienko
>
> --- End Message ---
_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers