Mailinglist Archive: opensuse-security (375 mails)

RE: [suse-security] ipsec traffic
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Fri, 13 Sep 2002 07:45:38 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D101B19EC2@xxxxxxxxxxxxxxxxx>
> > > Nonetheless, tcpdump registered lots of traffic during the
> > > whole night.
> >
> > So what does it say and how does that compare to e.g. the Pluto logs? Have
> > you tried using tcpdump on the FreeS/WAN machine itself?
>
> Pluto says this:
>
> Sep 12 11:01:52 uhura kernel: klips_debug:gettdb: linked entry in tdb table for hash=175 of SA:esp0x41b4818@<gateA> requested.
> Sep 12 11:01:52 uhura kernel: klips_debug:gettdb: linked entry in tdb table for hash=230 of SA:tun0x1002@<gateB> requested.

That's what KLIPS says, not Pluto. Set plutodebug to 'all' and see what
Pluto says.

> tcpdump says this:
>
> 11:03:52.085197 62.180.107.34 > <gateA>: ESP(spi=0x041b4818,seq=0x7dc)
> 11:03:52.086084 62.180.107.146 > <gateB>: ESP(spi=0x7511fb3c,seq=0x936)
>
> Note, <gateA> is the IP-address of the one ipsec-gateway,
> <gateB> the one
> from the other ipsec-gateway.

What are the machines 62.180.107.34 and 62.180.107.146, not <gateB> and
<gateA> respectively, by chance? Where did you sniff this, on which machine?
Have you tried using tcpdump on <gateA> and <gateB>, perhaps specifying the
ipsec0 interface (assuming that's the one you use)? If not, do so.

Cya,
Tobias
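As an added example (not part of the thread), the following Python script cross-checks the two kinds of output discussed above: it extracts the ESP SPIs that KLIPS reports looking up and the SPIs/peers that tcpdump shows on the wire, then reports SPIs with no matching SA and ESP senders that are not one of the expected gateways. The sample lines are constructed from the messages above, with <gateA>/<gateB> kept as placeholders.

```python
import re

# Constructed sample input modelled on the thread's KLIPS and tcpdump lines.
KLIPS_LOG = """\
Sep 12 11:01:52 uhura kernel: klips_debug:gettdb: linked entry in tdb table for hash=175 of SA:esp0x41b4818@<gateA> requested.
Sep 12 11:01:52 uhura kernel: klips_debug:gettdb: linked entry in tdb table for hash=230 of SA:tun0x1002@<gateB> requested.
"""

TCPDUMP_OUT = """\
11:03:52.085197 62.180.107.34 > <gateA>: ESP(spi=0x041b4818,seq=0x7dc)
11:03:52.086084 62.180.107.146 > <gateB>: ESP(spi=0x7511fb3c,seq=0x936)
"""

# KLIPS names an ESP SA as esp0x<spi>@<destination>; tun0x... entries are tunnels, not ESP.
SA_RE = re.compile(r"SA:esp0x([0-9a-f]+)@(\S+?) requested")
# tcpdump ESP summary line: "<time> <src> > <dst>: ESP(spi=0x...,seq=0x...)"
ESP_RE = re.compile(r"^\S+ (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")


def known_esp_sas(log):
    """Return {spi: destination} for every ESP SA the KLIPS log mentions."""
    return {int(m.group(1), 16): m.group(2) for m in SA_RE.finditer(log)}


def esp_packets(dump):
    """Return (src, dst, spi, seq) tuples parsed from tcpdump ESP lines."""
    pkts = []
    for line in dump.splitlines():
        m = ESP_RE.match(line)
        if m:
            pkts.append((m.group(1), m.group(2), int(m.group(3), 16), int(m.group(4), 16)))
    return pkts


def unmatched_spis(log, dump):
    """SPIs seen on the wire that KLIPS never reports as an ESP SA.

    SPIs are compared as integers, so 0x041b4818 (tcpdump) and 0x41b4818 (KLIPS) agree.
    """
    sas = known_esp_sas(log)
    return sorted({spi for (_, _, spi, _) in esp_packets(dump) if spi not in sas})


def peer_mismatches(dump, gateways):
    """(src, dst) pairs where the ESP sender is not one of the expected gateways."""
    return [(src, dst) for (src, dst, _, _) in esp_packets(dump) if src not in gateways]


if __name__ == "__main__":
    print("SPIs without an ESP SA:", [hex(s) for s in unmatched_spis(KLIPS_LOG, TCPDUMP_OUT)])
    print("unexpected ESP senders:", peer_mismatches(TCPDUMP_OUT, {"<gateA>", "<gateB>"}))
```

Run on real KLIPS debug output and a capture from the ipsec0 interface, the two reports show directly whether the traffic tcpdump sees belongs to the SAs the gateway actually negotiated.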
