Re: [tcpdump-workers] Using tcpdump to decrypt IPSec ESP sessions (none and aes-cbc)

2020-08-06 Thread Denis Ovsienko via tcpdump-workers
--- Begin Message ---
On Thu, 6 Aug 2020 11:19:21 -0600
Philip Prindeville via tcpdump-workers
 wrote:

> Hi.
> 
> I’m trying to debug a Strongswan config and wanted to verify that my
> GRE traffic is being encapsulated properly by IPSec.  “Tcpdump” to
> the rescue.  Well, almost.
> 
> So I was trying to use “ip xfrm state” to get the SPI and session
> keys, and then run “tcpdump … -E spi@addr aes-cbc:key” but tcpdump
> doesn’t support aes-cbc apparently (despite traffic on the list from
> 2004 threatening to add support in 3.8.4).

Hello Philip.

I had a similar experience in 2019. If that's the tcpdump that comes with
CentOS 8, that would likely be version 4.9.x. Please retest using
tcpdump built from the git master branch; Guy cleaned the ESP
decoder up in early 2020. That among other things fixed the cipher
name parsing, which may be the cause of the error. AFAIK the cipher
name can finally be anything that OpenSSL recognises as such.

-- 
Denis Ovsienko
--- End Message ---
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


[tcpdump-workers] Using tcpdump to decrypt IPSec ESP sessions (none and aes-cbc)

2020-08-06 Thread Philip Prindeville via tcpdump-workers
--- Begin Message ---
Hi.

I’m trying to debug a Strongswan config and wanted to verify that my GRE 
traffic is being encapsulated properly by IPSec.  “Tcpdump” to the rescue.  
Well, almost.

So I was trying to use “ip xfrm state” to get the SPI and session keys, and 
then run “tcpdump … -E spi@addr aes-cbc:key” but tcpdump doesn’t support 
aes-cbc apparently (despite traffic on the list from 2004 threatening to add 
support in 3.8.4).

So I tried to downgrade the encryption suite to “esp=null” and to use “-E 
spi@addr none:” but I get the message:

tcpdump: can't parse filter expression: syntax error

Which isn’t particularly specific.

I’m using CentOS 8 Stream, if that helps.  Trying to tell if my tcpdump doesn’t 
support -E in general, or if I’m just using it wrong.

If AES support isn’t baked in, I might have time to take a stab at patches in 
the coming weeks, but for now I need to get GRE+IPSec tunneling delivered to my 
boss.

Maybe even adding support for a mode where tcpdump runs “ip xfrm state” in a 
socketpair or pipe and grovels out the SPIs, addresses, cipher names, and 
keys…  I’m assuming that having a table of tuples for connections that you’re 
not interested in doesn’t add any actual significant overhead other than a few 
dozen bytes of storage for the tuple itself.

Can someone help me get jumpstarted here?

Thanks,

-Philip

--- End Message ---
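An added example, not code from either message or from the tcpdump project: a shell function that turns `ip xfrm state` output into the `spi@addr algo:secret` entries that tcpdump's `-E` option takes, which is the manual step described in the question. It assumes the `-E` syntax from the tcpdump manual (an SA is matched on the ESP destination address, a secret prefixed with `0x` is read as hex, entries are comma-separated) plus, as the reply says of git master, that OpenSSL cipher names such as `aes-128-cbc` are accepted; the kernel algorithm names it maps and the sample output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Convert `ip xfrm state` output into the
# "spi@addr algo:secret" entries tcpdump -E takes, so the SAs the kernel
# already holds can decrypt a capture of their own ESP traffic.
# Assumptions: tcpdump matches an SA on the ESP destination address, reads a
# 0x-prefixed secret as hex, and (git master, per the reply) accepts OpenSSL
# cipher names such as aes-128-cbc. The kernel algorithm names handled below
# (cbc(aes), cbc(des3_ede), ecb(cipher_null)) are assumed, not taken from the page.

xfrm_to_tcpdump_E() {
    awk '
    /^src /             { dst = $4 }   # "src A dst B": ESP packets are sent to B
    /^[ \t]*proto esp / { spi = $4 }   # "proto esp spi 0x... reqid ..."
    /^[ \t]*enc / {
        key  = $3                      # kernel prints the key as 0x<hex>
        bits = (length(key) - 2) * 4   # hex digits after 0x, 4 bits each
        if      ($2 == "cbc(aes)")         algo = "aes-" bits "-cbc";
        else if ($2 == "cbc(des3_ede)")    algo = "3des-cbc";
        else if ($2 == "ecb(cipher_null)") { algo = "none"; key = "" }
        else                               algo = "";   # other enc algorithms: skipped
        if (algo != "" && spi != "") printf "%s@%s %s:%s\n", spi, dst, algo, key
        spi = ""                       # one enc line per SA; AEAD SAs have none
    }'
}

# Join the entries into one comma-separated -E argument, e.g.
#   tcpdump -ni eth0 -E "$(ip xfrm state | xfrm_E_arg)" esp
# Writing the entries to a file and passing -E "file /path" instead keeps the
# keys out of ps(1) output.
xfrm_E_arg() { xfrm_to_tcpdump_E | paste -sd, - ; }

# Constructed sample of `ip xfrm state` output: one AES-128-CBC SA and one
# null-encryption SA (what an "esp=null" strongSwan config is assumed to install).
SAMPLE_XFRM='src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x00112233445566778899aabbccddeeff 128
    enc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0x11223344 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x00112233445566778899aabbccddeeff 128
    enc ecb(cipher_null) '

printf '%s\n' "$SAMPLE_XFRM" | xfrm_E_arg
```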