--- Begin Message ---

I’m trying to debug a Strongswan config and wanted to verify that my GRE 
traffic is being encapsulated properly by IPSec.  “Tcpdump” to the rescue.  
Well, almost.

So I was trying to use “ip xfrm state” to get the SPI and sessions keys, and 
then run "tcpdump … -E spi@addr aes-cbc:key” but tcpdump doesn’t support 
aes-cbc apparently (despite traffic on the list from 2004 threatening to add 
support in 3.8.4).

So I tried to downgrade the encryption suite to “esp=null” and to use “-E 
spi@addr none:” but I get the message:

tcpdump: can't parse filter expression: syntax error

Which isn’t particular specific.

I’m using CentOS 8 Stream, if that helps.  Trying to tell if my tcpdump doesn’t 
support -E in general, or if I’m just using it wrong.

If AES support isn’t baked in, I might have time to take a stab at patches in 
the coming weeks, but for now I need to get GRE+IPSec tunneling delivered to my 

Maybe even adding support for a mode where tcpdump runs “ip xfrm state” in a 
socketpair or pipe and grovels out the SPI’s, addresses, cipher names, and 
keys…  I’m assuming that having a table to tuples for connections that you’re 
not interested in doesn’t add any actual significant overhead other than a few 
dozen bytes of storage for the tuple itself.

Can someone help me get jumpstarted here?



--- End Message ---
tcpdump-workers mailing list

Reply via email to