IPsec tunneling problem: tcpdump and iptables see unencrypted traffic

From: Jurjen Oskam (joskam_at_quadpro.stupendous.org)
Date: 05/23/04


Date: 23 May 2004 14:39:10 GMT

Hi there,

I'm using linux 2.6.5 and ipsec-tools 0.3.2 on Slackware 9.1. I'm trying
to use IPsec between my (wireless) laptop and my home server. Basically,
it seems to work, but tcpdump and iptables see incoming traffic two times:
first the encrypted ESP traffic, and then on the same interface the
same traffic but now unencrypted. This is a problem, since now I can't
filter all traffic except ESP on the interfaces (ARP not counted).

The network layout is as follows:

calvin:
eth0: 192.168.1.1/24, internal wired LAN (switched)
eth1: 10.0.0.150/24, crosscable to an ADSL "modem" (10.0.0.138)
eth2: 192.168.2.1/24, crosscable to an access point (192.168.2.2)
ppp0: 213.84.70.4/32, result of a PPTP connection to 10.0.0.138

tracer:
ath0: 192.168.2.100/24, wireless NIC using madwifi driver

What I saw when issuing "ping -c 1 192.168.1.10" on tracer:
===========================================================
(on calvin:)
root@calvin:~# tcpdump -n -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 96 bytes
14:48:56.577595 IP 192.168.2.100 > 192.168.2.1: ESP(spi=0x00000301,seq=0x2b5d)
14:48:56.577595 IP 192.168.2.100 > 192.168.1.10: icmp 64: echo request seq 1
14:48:56.578698 IP 192.168.2.1 > 192.168.2.100: ESP(spi=0x00000201,seq=0x2b21)

3 packets captured
3 packets received by filter
0 packets dropped by kernel

(on tracer:)
root@tracer:~# tcpdump -n -i ath0
tcpdump: listening on ath0
14:48:46.854509 192.168.2.100 > 192.168.2.1: ESP(spi=0x00000301,seq=0x2b5d) (DF)
14:48:46.856588 192.168.2.1 > 192.168.2.100: ESP(spi=0x00000201,seq=0x2b21) (DF)
14:48:46.856588 192.168.1.10 > 192.168.2.100: icmp: echo reply (DF)

3 packets received by filter
0 packets dropped by kernel

What I expected to see:
=======================
I expected only ESP traffic in the tcpdump output.

How I configured IPsec:
=======================
(on calvin:)
flush;
spdflush;

add 192.168.2.1 192.168.2.100 esp 0x201 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;
add 192.168.2.100 192.168.2.1 esp 0x301 -m tunnel -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

spdadd 0.0.0.0/0 192.168.2.100/32 any -P out ipsec
           esp/tunnel/192.168.2.1-192.168.2.100/require;
spdadd 192.168.2.100/32 0.0.0.0/0 any -P in ipsec
           esp/tunnel/192.168.2.100-192.168.2.1/require;

(on tracer:)
flush;
spdflush;

add 192.168.2.1 192.168.2.100 esp 0x201 -m tunnel -E 3des-cbc 0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5 0xc0291ff014dccdd03874d9e8e4cdf3e6;

add 192.168.2.100 192.168.2.1 esp 0x301 -m tunnel -E 3des-cbc 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df -A hmac-md5 0x96358c90783bbfa3d7b196ceabe0536b;

spdadd 0.0.0.0/0 192.168.2.100/32 any -P in ipsec
           esp/tunnel/192.168.2.1-192.168.2.100/require;

spdadd 192.168.2.100/32 0.0.0.0/0 any -P out ipsec
           esp/tunnel/192.168.2.100-192.168.2.1/require;

(This is the exact configuration used. Bonus points if you recognize the keys.
:-) )

What I'm trying to accomplish:
==============================
Since I don't trust WEP I want to use IPsec on my wireless network. To do
that, I have connected the access point to a dedicated interface on calvin
where I can firewall it, and only let through IPsec-protected traffic.
On calvin, the traffic may be decrypted and sent on its way.

Questions:
==========
1. Is the observed behaviour to be expected?
2. Am I doing the right thing here?
3. If not, what should I do to use IPsec on the wireless segment?

Hopefully someone can help me here!

Thanks,

-- 
Jurjen Oskam
"Avoid putting a paging file on a fault-tolerant drive, such as a mirrored
volume or a RAID-5 volume. Paging files do not need fault-tolerance."-MS Q308417
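One way to check a capture like the ones above for real plaintext leakage, as an added example that is not part of the original post: on the native 2.6 IPsec stack the decapsulated packet is handed back to the receive path on the interface the ESP packet arrived on, and in both captures quoted here it carries exactly the same timestamp as that ESP packet. The script below parses the quoted tcpdump output and uses that identical-timestamp heuristic (an assumption drawn from the captures, not a guarantee) to separate re-injected copies from packets that actually crossed the segment in the clear; the "seq 2" line is constructed as a leak that has no ESP packet beside it.

```python
import re

# Sample input constructed from the two tcpdump captures quoted in the post,
# plus one made-up plaintext line (seq 2) with no ESP packet next to it.
CALVIN_ETH2 = """\
14:48:56.577595 IP 192.168.2.100 > 192.168.2.1: ESP(spi=0x00000301,seq=0x2b5d)
14:48:56.577595 IP 192.168.2.100 > 192.168.1.10: icmp 64: echo request seq 1
14:48:56.578698 IP 192.168.2.1 > 192.168.2.100: ESP(spi=0x00000201,seq=0x2b21)
14:49:00.000000 IP 192.168.2.100 > 192.168.1.10: icmp 64: echo request seq 2
"""
TRACER_ATH0 = """\
14:48:46.854509 192.168.2.100 > 192.168.2.1: ESP(spi=0x00000301,seq=0x2b5d) (DF)
14:48:46.856588 192.168.2.1 > 192.168.2.100: ESP(spi=0x00000201,seq=0x2b21) (DF)
14:48:46.856588 192.168.1.10 > 192.168.2.100: icmp: echo reply (DF)
"""

# Matches both tcpdump output styles seen in the post ("IP src > dst:" and "src > dst:").
PKT = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) (?:IP )?(\S+) > (\S+): (.*)$")

def parse_tcpdump(text):
    """Return one dict per packet line; banner and summary lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT.match(line)
        if m:
            ts, src, dst, info = m.groups()
            pkts.append({"ts": ts, "src": src, "dst": dst,
                         "esp": info.startswith("ESP("), "info": info})
    return pkts

def audit(pkts, local):
    """Classify every non-ESP packet on the tunnel interface.
    Heuristic (assumption): a plaintext packet sharing its timestamp with an
    inbound ESP packet addressed to `local` is the kernel's re-injected
    decapsulated copy; anything else really was plaintext on the segment."""
    inbound_esp_ts = {p["ts"] for p in pkts if p["esp"] and p["dst"] == local}
    verdicts = []
    for p in pkts:
        if p["esp"]:
            continue
        kind = "decapsulated-copy" if p["ts"] in inbound_esp_ts else "PLAINTEXT-ON-WIRE"
        verdicts.append((p["ts"], p["src"], p["dst"], kind))
    return verdicts

def summary(text, local):
    """Count verdict kinds for one capture, keyed by the local tunnel address."""
    counts = {"decapsulated-copy": 0, "PLAINTEXT-ON-WIRE": 0}
    for _, _, _, kind in audit(parse_tcpdump(text), local):
        counts[kind] += 1
    return counts

if __name__ == "__main__":
    for name, text, local in (("calvin eth2", CALVIN_ETH2, "192.168.2.1"),
                              ("tracer ath0", TRACER_ATH0, "192.168.2.100")):
        print(name)
        for v in audit(parse_tcpdump(text), local):
            print("  ", *v)
```

The timestamp match is only a heuristic for a quiet link; the reliable confirmation is what the post already does, capturing on the far side of the segment (ath0 on tracer) and checking that only ESP appears there.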
