tcpdump mailing list archives

issue on decrypting ESP traffic with tcpdump -E option


From: "Enrique Echeverria" <enriqueoctavio () gmail com>
Date: Fri, 2 Feb 2007 11:55:19 -0200

Hi members of this list:

I've had some trouble using tcpdump's -E option, and I would really
appreciate it if some of you could help me (I'm sure some of you have dealt with this
problem more than once).

The issue is as follows:

1.- I have an ESP tunnel between two hosts with public interfaces A.A.A.A and
B.B.B.B (host A.A.A.A is mine, the other is not). I'm using ipsec-tools and
racoon to bring up this tunnel.

2.- I have a local IP a.a.a.a which communicates with a remote IP
b.b.b.b through the tunnel A.A.A.A-B.B.B.B. The "little detail" is that the
a.a.a.a and A.A.A.A IPs are on the same host, on distinct interfaces. In
summary, my host has the following IPs configured: eth0->A.A.A.A and
eth1:1->a.a.a.a. The tunnel communication works perfectly well (my problem
arises when I need to capture the unencrypted traffic, as explained in 3).

3.- I need to dump the unencrypted traffic between a.a.a.a and b.b.b.b into
a file, so as to show some people a network problem this communication is
having.

My OS is Linux Debian 1:3.3.5-13 (sarge), kernel 2.6.8-2-686-smp, and I'm
using ipsec-tools and racoon 0.5.2-1 from the stable release. I'm also
using tcpdump 3.8.3-5sarge1.

I've done the following tests/captures without any success:

1.- Innocently, I thought that the unencrypted traffic could be captured on
eth1:1 in my host, but the OS is smart enough to notice that once
decrypted the traffic is "incoming", and it doesn't send it to the network
interface (if I execute tcpdump -i eth1:1 b.b.b.b, I capture nothing).

2.- I also tested capturing traffic on the eth0 interface, but was able to
capture only "one way" unencrypted traffic (if I execute tcpdump -i eth0
b.b.b.b, I capture only b.b.b.b -> a.a.a.a traffic, but at least
unencrypted). I don't know why this happens, but I suppose that the order
in which the routing tables, SPD and SAD are applied has something to do with
it.....

3.- I'm now trying to decrypt the ESP traffic between A.A.A.A and
B.B.B.B using tcpdump's -E option, but without any success (I left this
option for last, because I knew it would be troublesome....).

I'll explain 3. in more detail:

The tcpdump man page says it must be used as "-E
spi@ipaddr algo:secret,...", which seems straightforward, but:

First of all, I executed "setkey -D", so as to obtain the correct spi and
secret parameters, and I executed tcpdump in the following way:
"-E 0xa985fbe5@A.A.A.A 3des-cbc:0xXXXXXXX" (being sure that XXXXXXX is the
ESP secret hex value).

This gave me a tcpdump syntax error, and the only way to avoid it is
replacing the space between both arguments with a ',' (although this space
is strictly what I understand must be included, reading the man page):
"-E 0xXXXX@A.A.A.A,3des-cbc:0xXXXXXXX".

This time tcpdump runs, but it prints the following error: "failed to
decode espsecret: 0xa985fbe5@A.A.A.A", and the traffic it captures is totally
encrypted.

The curious thing about this is that if I repeat the last one, eliminating the ":"
or the "@", tcpdump doesn't print any syntax error, but when the first ESP
packet is captured, it prints the "failed to decode espsecret:
0xa985fbe5@A.A.A.A" error, and the traffic is totally encrypted again.

I also made sure that I'm running "RFC2406 ESP", as the tcpdump man page says
that "RFC1827 ESP" can't be decrypted....

So as to rule out the possibility of an IKE key re-negotiation problem, I tested it
on two other test Linux boxes with manual keying (without racoon), without
success.....

I'm really stuck with this, and it's really important for me so as to
demonstrate that some network problems that I'm having are because an
application running on b.b.b.b is not working properly (obviously people
on the b.b.b.b side said they can't give me a traffic dump.......)

Has any of you successfully decrypted an ESP tunnel???? ... In this case,
what did you do????
Has any of you successfully decrypted an ESP tunnel with the tcpdump -E option
????.... In this case, what is the exact syntax you used????
Has any of you successfully captured the unencrypted traffic in another way,
with the same host configuration I'm using??? ..... In this case, what
did you do????

Well, thank you VERY MUCH in advance for reading all my mail, hope that
someone can help me, and hope I can help you in the future also .... this is
how this works...

Regards: Enrique
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
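Editor's note, added to this archived message and not part of Enrique's mail or of the tcpdump project: the man page form quoted above, "spi@ipaddr algo:secret", contains a space, so the whole value has to reach tcpdump as a single argv entry. Typed unquoted, the shell splits it and tcpdump receives "3des-cbc:0x..." as a BPF filter expression, which is a syntax error; joined with a comma, tcpdump sees two entries, the first of which has no algo:secret part. The script below shows the argv count in both cases and derives the entry for one SA from a constructed "setkey -D" dump. The addresses, SPI and keys are sample values, and the SAD layout the awk program relies on (a "src dst" header line, an indented "esp ... spi=N(0xHEX)" line, then "E: <algo> <hex groups>") is an assumption about ipsec-tools' output; check it against your own setkey -D before relying on the parser.

```shell
#!/bin/sh
# Added example, not code from the original mail or from tcpdump/ipsec-tools.
# Builds the "spi@ipaddr algo:secret" value that tcpdump -E expects and shows
# why the space inside it must be protected from the shell.
# Addresses, SPI and keys below are constructed sample values.

# Count how many argv entries the shell hands to a command.
count_args() { echo "$#"; }

# Build one -E entry by hand: spi, SA destination address, algorithm, hex key (without 0x).
build_esp_secret() {
    printf '%s@%s %s:0x%s\n' "$1" "$2" "$3" "$4"
}

# Derive the -E entry for the SA whose destination address is $2 from "setkey -D" text in $1.
# Assumed SAD layout: "src dst" header line, indented "esp ... spi=N(0xHEX)" line,
# then "E: <algo> <hex groups>"; the hex groups are concatenated into one key.
esp_secret_from_sad() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[0-9A-Fa-f.:]+ [0-9A-Fa-f.:]+/ { dst = $2; next }
        /spi=/ && dst == want {
            if (match($0, /\(0x[0-9a-f]+\)/)) spi = substr($0, RSTART + 1, RLENGTH - 2)
            next
        }
        /^[ \t]*E:/ && dst == want && spi != "" {
            key = ""
            for (i = 3; i <= NF; i++) key = key $i   # join the space-separated hex groups
            printf "%s@%s %s:0x%s\n", spi, dst, $2, key
            spi = ""
        }'
}

# Constructed "setkey -D" output: one inbound SA, with 192.0.2.1 in the role of A.A.A.A.
SAMPLE_SAD='192.0.2.2 192.0.2.1
    esp mode=tunnel spi=2844884965(0xa985fbe5) reqid=0(0x00000000)
    E: 3des-cbc  0123456789abcdef 0011223344556677 8899aabbccddeeff
    A: hmac-sha1  0011223344556677 8899aabbccddeeff 00112233
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'

secret=$(esp_secret_from_sad "$SAMPLE_SAD" 192.0.2.1)
echo "$secret"   # 0xa985fbe5@192.0.2.1 3des-cbc:0x0123456789abcdef00112233445566778899aabbccddeeff
echo "argv entries, unquoted: $(count_args -E $secret)"    # 3: "3des-cbc:0x..." reaches tcpdump as a filter
echo "argv entries, quoted:   $(count_args -E "$secret")"  # 2: one -E value, as the man page describes

# Intended use on the live host (not run here): quote the whole value as ONE argument.
# Decryption of the other direction needs the SA whose destination is the peer,
# appended to the same -E value with a comma.
#   tcpdump -n -i eth0 -E "$(esp_secret_from_sad "$(setkey -D)" A.A.A.A)" esp
```

The inbound SA (destination A.A.A.A) is the one whose key sits in the local SAD under that address; the outbound SA is listed with the peer as destination and is a second, comma-separated entry. Decryption with -E also depends on tcpdump having been built with cryptography support, so a binary that silently leaves ESP payloads encrypted is worth checking on that point as well.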

