FreeBSD Mail Archives

Date:      Thu, 03 May 2001 10:12:27 -0700
From:      Lars Eggert <larse@ISI.EDU>
To:        "Louis A. Mamakos" <louie@TransSys.COM>
Cc:        Erik Salander <erik@whistle.com>, freebsd-net@FreeBSD.ORG
Subject:   Re: gifs and tcpdump
Message-ID:  <3AF1917B.2AC0E900@isi.edu>
References:  <3AF0B57B.4D789393@whistle.com> <200105031311.f43DB9711069@whizzo.transsys.com>

This is a cryptographically signed message in MIME format.

--------------msEC7F884CEF164907A5775908
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

"Louis A. Mamakos" wrote:
> > Should I be able to "tcpdump -i gif0"?  tcpdump indicates it's listening
> > on gif0 but I never capture anything.

Yes, you should. If you send traffic over it, but from what Louis wrote,
maybe you don't.

> Traffic going over an ESP tunnel never actual transits the tunnel
> interface.  In fact, if you arrange to have the right routes installed,
> you don't even need the gif interface at all.  From some recent experiments
> I've done, the gif interface seems to be used only for:
> 
>         - side effect of installed host routes which are needed when
>         matching the IPSEC policy specification
> 
>         - carrying traffic that isn't matching the IPSEC policy specification
>         (if there is any at all)

Gif interfaces are for IPIP tunnels. Using them in parallel with IPsec
tunnels to trick routing into sending traffic over an SA is a bad hack
IMHO. Also, depending on the order you set up tunnels and SAs, you may
see strange effects.

> I found this very counter intuitive; however, if you do a tcpdump on the
> physical interface carrying the tunnel traffic, you'll see that the IPSEC
> traffic isn't in an ipip encapsulation at all.

Exactly, it is "IPsec tunnel mode" (type 50 or 51 packet with a type 4
packet inside), which is different from IPIP (type 4 packet with a type
4 packet inside). 
 
> Yes, I found this very counter-intuititve.  From what I can tell, there's
> no easy way to do a tcpdump and see the unencrypted traffic as it exits
> the IPSEC tunnel.  What I may try next is to specify a transport-mode
> IPSEC policy that covers the gif interface tunnel endpoints, but I don't
> know if that wll work or not.

It works, and makes routing much cleaner, since now the tunnel devices
represented in the routing table are the ones that actually carry the
traffic. There's an ID that has more information on this:
ftp://ftp.isi.edu/internet-drafts/draft-touch-ipsec-vpn-01.txt

Lars
-- 
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
--------------msEC7F884CEF164907A5775908
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIIIIwYJKoZIhvcNAQcCoIIIFDCCCBACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC
BfQwggLYMIICQaADAgECAgMDIwUwDQYJKoZIhvcNAQEEBQAwgZQxCzAJBgNVBAYTAlpBMRUw
EwYDVQQIEwxXZXN0ZXJuIENhcGUxFDASBgNVBAcTC0R1cmJhbnZpbGxlMQ8wDQYDVQQKEwZU
aGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25h
bCBGcmVlbWFpbCBSU0EgMTk5OS45LjE2MB4XDTAwMDgyNDIwMzAwOFoXDTAxMDgyNDIwMzAw
OFowVDEPMA0GA1UEBBMGRWdnZXJ0MQ0wCwYDVQQqEwRMYXJzMRQwEgYDVQQDEwtMYXJzIEVn
Z2VydDEcMBoGCSqGSIb3DQEJARYNbGFyc2VAaXNpLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEAz1yfcNs53rvhuw8gSDvr2+/snP8GduYY7x7WkJdyvcwb4oipNpWYIkMGP214
Zv1KrgvntGaG+jeugAGQt0n64VusgcIzQ6QDRtnMgdQDTAkVSQ2eLRSQka+nAPx6SFKJg79W
EEHmgKQBMtZdMBYtYv/mTOcpm7jTJVg+7W6n04UCAwEAAaN3MHUwKgYFK2UBBAEEITAfAgEA
MBowGAIBBAQTTDJ1TXlmZkJOVWJOSkpjZFoyczAYBgNVHREEETAPgQ1sYXJzZUBpc2kuZWR1
MAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAUiKvxYINmVfTkWMdGHcBhvSPXw4wwDQYJKoZI
hvcNAQEEBQADgYEAi65fM/jSCaPhRoA9JW5X2FktSFhE5zkIpFVPpv33GWPPNrncsK13HfZm
s0B1rNy2vU7UhFI/vsJQgBJyffkLFgMCjp3uRZvBBjGD1q4yjDO5yfMMjquqBpZtRp5op3lT
d01faA58ZCB5sxCb0ORSxvXR8tc9DJO0JIpQILa6vIAwggMUMIICfaADAgECAgELMA0GCSqG
SIb3DQEBBAUAMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYD
VQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5nMSgwJgYDVQQLEx9D
ZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtUaGF3dGUgUGVyc29u
YWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZyZWVtYWlsQHRoYXd0
ZS5jb20wHhcNOTkwOTE2MTQwMTQwWhcNMDEwOTE1MTQwMTQwWjCBlDELMAkGA1UEBhMCWkEx
FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTEUMBIGA1UEBxMLRHVyYmFudmlsbGUxDzANBgNVBAoT
BlRoYXd0ZTEdMBsGA1UECxMUQ2VydGlmaWNhdGUgU2VydmljZXMxKDAmBgNVBAMTH1BlcnNv
bmFsIEZyZWVtYWlsIFJTQSAxOTk5LjkuMTYwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB
ALNpWpfU0BYLerXFXekhnCNyzRJMS/d+z8f7ynIk9EJSrFeV43theheE5/1yOTiUtOrtZaeS
Bl694GX2GbuUeXZMPrlocHWEHPQRdAC8BSxPCQMXMcz0QdRyxqZd4ohEsIsuxE3x8NaFPmzz
lZR4kX5A6ZzRjRVXjsJz5TDeRvVPAgMBAAGjNzA1MBIGA1UdEwEB/wQIMAYBAf8CAQAwHwYD
VR0jBBgwFoAUcknCczTGVfQLdnKBfnf0h+fGsg4wDQYJKoZIhvcNAQEEBQADgYEAa8ZZ6TH6
6bbssQPY33Jy/pFgSOrGVd178GeOxmFw523CpTfYnbcXKFYFi91cdW/GkZDGbGZxE9AQfGuR
b4bgITYtwdfqsgmtzy1txoNSm/u7/pyHnfy36XSS5FyXrvx+rMoNb3J6Zyxrc/WG+Z31AG70
HQfOnZ6CYynvkwl+Vd4xggH3MIIB8wIBATCBnDCBlDELMAkGA1UEBhMCWkExFTATBgNVBAgT
DFdlc3Rlcm4gQ2FwZTEUMBIGA1UEBxMLRHVyYmFudmlsbGUxDzANBgNVBAoTBlRoYXd0ZTEd
MBsGA1UECxMUQ2VydGlmaWNhdGUgU2VydmljZXMxKDAmBgNVBAMTH1BlcnNvbmFsIEZyZWVt
YWlsIFJTQSAxOTk5LjkuMTYCAwMjBTAJBgUrDgMCGgUAoIGxMBgGCSqGSIb3DQEJAzELBgkq
hkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTAxMDUwMzE3MTIyN1owIwYJKoZIhvcNAQkEMRYE
FDTzNQvX3SfIighWnKsFQGF5eG7IMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYI
KoZIhvcNAwICAgCAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgFAMA0GCCqGSIb3DQMCAgEoMA0G
CSqGSIb3DQEBAQUABIGAiagMOttagoARHNUzdIl38eCFxnnw2Ykk9EhNInJnfDPKG6CmfReC
UwlYcxDChnPSIW+YC8gBjhBhCV1LPQcnQEPItlpWH5vfKzRzhRTlYDOlv4jAGzYzkIrsTSYG
diKzUe4f10enDSMRJW6Ub7D7RWuc0yYqgohUKNWyGj0kRuw=
--------------msEC7F884CEF164907A5775908--


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AF1917B.2AC0E900>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation