How to see outgoing ESP packets in tcpdump before they get encrypted

user3336687 · Feb 21, 2014 · Viewed 11.8k times

I have a setup with an IPsec tunnel between two end systems. When I capture packets on the outgoing interface, e.g. eth0, I can only see encrypted ESP packets going out of my system. I have to go and look at the receiving end to see what was actually transmitted, i.e. on the receiving end I can see packets after decryption. Similarly for the ACK sent by the receiver. How does it actually work in the Linux kernel? Is there a way to see the packets on the sender side in tcpdump before they get encrypted?

Answer

Appleman1234 · Feb 28, 2014

You have three questions in your question:

  1. How to see outgoing ESP packets in tcpdump before they get encrypted?
  2. How does it actually work in the Linux kernel?
  3. Is there a way to see the packets on the sender side in tcpdump before they get encrypted?

The answer to the third question is

It depends on your kernel and which implementation you are using. If you are using KLIPS in a 2.4 kernel as part of any of the *swan solutions, then yes.

Otherwise, if you are using the 2.6 kernel, which uses the KAME / *BSD model, then

No, unless you change your IPsec or iptables configuration so that you send the packets to another interface unencrypted and then forward the unencrypted packets to an interface on which they will be encrypted.

The answer to the first question is to change your iptables configuration and IPsec configuration:

  1. to send the data from one interface to another interface on the same host;
  2. to set up forwarding of data from that second interface to your destination;
  3. to configure the IP address of the second interface in the security policy to create the tunnel on the second interface.

This way you can run tcpdump on the encrypted interface without changing anything and before the data is encrypted.

For KLIPS and the 2.4 kernel it is as simple as specifying the interface in tcpdump as ipsec0 using the -i switch.

Other options to see the data unencrypted involve using tcpdump with the -E flag and relevant parameters (see the man page), which decrypts the data after it is encrypted, or using tcpdump to capture the encrypted data and then decrypting it in Wireshark (more information regarding ESP decryption of IPsec in Wireshark is located here).

Alternatively you can place instrumentation using printk or printk_times in the xfrm or esp_input source code.

Regarding the second question, there are several pictures which explain how it works at a high level, including the ones explaining the Solaris implementation as part of Oracle's System Administration Guide: IP Services and the Linux Foundation's Network Flow through the kernel diagram.

Also see the following reference. Basically, either manual configuration using setkey or automatic configuration using an IKE daemon in userspace passes the information to XFRM, which then transforms the packet before it reaches netfilter prerouting.

See here for more information on the history of KLIPS and KAME.
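Added example, not from the answer above nor from the tcpdump or ipsec-tools projects: a shell helper that turns the manual setkey SA definitions (the "add" lines of an ipsec-tools setkey.conf, assumed format) into the "spi@ipaddr algo:secret" list that the tcpdump -E option expects, so a capture of the encrypted ESP traffic can be decrypted offline. The SA lines in the test are constructed sample values; the cipher list is the one the tcpdump man page documents for -E.

```shell
#!/bin/sh
# Ciphers the tcpdump man page lists as decryptable with -E. Anything else
# (e.g. aes-cbc from a modern IKE daemon) has to be decrypted in Wireshark instead.
TCPDUMP_ESP_ALGOS="des-cbc 3des-cbc blowfish-cbc rc3-cbc cast128-cbc none"

# Read setkey "add SRC DST esp SPI [-m mode] -E algo key [-A algo key];" lines on
# stdin and print one comma-separated tcpdump -E argument. tcpdump looks an SA up
# by the packet's destination address, so the address emitted is the SA destination.
# SAs whose cipher tcpdump cannot decrypt are reported on stderr and skipped.
setkey_to_tcpdump_e() {
    awk -v algos="$TCPDUMP_ESP_ALGOS" '
    BEGIN { n = split(algos, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "add" && $4 == "esp" {
        dst = $3; spi = $5; algo = ""; key = ""
        for (i = 6; i <= NF; i++)
            if ($i == "-E") { algo = $(i + 1); key = $(i + 2); break }
        sub(/;$/, "", key)          # key may carry the statement terminator
        if (!(algo in ok)) {
            printf "skip SPI %s to %s: tcpdump -E cannot decrypt %s\n", \
                spi, dst, algo > "/dev/stderr"
            next
        }
        out = out (out == "" ? "" : ",") spi "@" dst " " algo ":" key
    }
    END { print out }'
}

# Decrypt a saved ESP capture with the SAs from a setkey.conf (assumed paths).
# tcpdump must be built with libcrypto; note the keys are visible in the process
# list while this runs, so do it on a host where that is acceptable.
decrypt_esp_capture() {   # usage: decrypt_esp_capture setkey.conf capture.pcap
    sa=$(setkey_to_tcpdump_e < "$1") || return 1
    [ -n "$sa" ] || { echo "no decryptable ESP SA found in $1" >&2; return 1; }
    tcpdump -nn -r "$2" -E "$sa" esp
}
```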