"Louis A. Mamakos" wrote:
> > Should I be able to "tcpdump -i gif0"?  tcpdump indicates it's listening
> > on gif0 but I never capture anything.

Yes, you should. If you send traffic over it, but from what Louis wrote,
maybe you don't.

> Traffic going over an ESP tunnel never actually transits the tunnel
> interface.  In fact, if you arrange to have the right routes installed,
> you don't even need the gif interface at all.  From some recent experiments
> I've done, the gif interface seems to be used only for:
> 
>         - side effect of installed host routes which are needed when
>         matching the IPSEC policy specification
> 
>         - carrying traffic that isn't matching the IPSEC policy specification
>         (if there is any at all)

Gif interfaces are for IPIP tunnels. Using them in parallel with IPsec
tunnels to trick routing into sending traffic over an SA is a bad hack
IMHO. Also, depending on the order you set up tunnels and SAs, you may
see strange effects.

> I found this very counter intuitive; however, if you do a tcpdump on the
> physical interface carrying the tunnel traffic, you'll see that the IPSEC
> traffic isn't in an ipip encapsulation at all.

Exactly, it is "IPsec tunnel mode" (type 50 or 51 packet with a type 4
packet inside), which is different from IPIP (type 4 packet with a type
4 packet inside).
 
> Yes, I found this very counter-intuitive.  From what I can tell, there's
> no easy way to do a tcpdump and see the unencrypted traffic as it exits
> the IPSEC tunnel.  What I may try next is to specify a transport-mode
> IPSEC policy that covers the gif interface tunnel endpoints, but I don't
> know if that will work or not.

It works, and makes routing much cleaner, since now the tunnel devices
represented in the routing table are the ones that actually carry the
traffic. There's an ID that has more information on this:
ftp://ftp.isi.edu/internet-drafts/draft-touch-ipsec-vpn-01.txt

Lars
-- 
Lars Eggert <[EMAIL PROTECTED]>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
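The encapsulation difference Lars describes (ESP/AH tunnel mode carrying a protocol-4 packet inside a protocol-50/51 packet, versus IPIP carrying a protocol-4 packet inside a protocol-4 packet) is exactly what tcpdump on the physical interface is showing. The following is an added example, not code from this thread or from any IPsec implementation: a small Python packet classifier that parses the outer IPv4 header of constructed sample packets and reports what a capture on the physical interface would reveal for each encapsulation. The packet builder, the sample addresses, the SPI values and the 12-byte AH ICV length are all constructed assumptions for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# IANA protocol numbers referenced in the thread.
IPPROTO_IPIP = 4   # IP-in-IP (what a gif interface emits)
IPPROTO_ESP = 50   # IPsec ESP
IPPROTO_AH = 51    # IPsec AH


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Construct a minimal IPv4 packet (no options; header checksum left zero)."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for an IPv4 packet, honouring the IHL field."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("bad header length")
    return str(IPv4Address(src)), str(IPv4Address(dst)), proto, pkt[ihl:total_len]


def classify_tunnel(pkt):
    """Describe the encapsulation as a capture on the physical interface would see it.

    IPIP (gif):      outer proto 4, inner IPv4 header readable in the clear.
    ESP tunnel mode: outer proto 50, only SPI/sequence visible; inner packet encrypted.
    AH tunnel mode:  outer proto 51, inner IPv4 packet follows the AH header in the clear.
    """
    src, dst, proto, payload = parse_ipv4(pkt)
    outer = {"outer_src": src, "outer_dst": dst, "outer_proto": proto}
    if proto == IPPROTO_IPIP:
        isrc, idst, iproto, _ = parse_ipv4(payload)
        return {**outer, "encap": "ipip", "inner_src": isrc, "inner_dst": idst, "inner_proto": iproto}
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        return {**outer, "encap": "esp", "spi": spi, "seq": seq, "inner_visible": False}
    if proto == IPPROTO_AH:
        # AH: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV.
        next_hdr, payload_len, _, spi, seq = struct.unpack("!BBHII", payload[:12])
        ah_len = (payload_len + 2) * 4
        result = {**outer, "encap": "ah", "spi": spi, "seq": seq, "next_header": next_hdr}
        if next_hdr == IPPROTO_IPIP:  # tunnel mode: an IPv4 packet follows the AH header
            isrc, idst, iproto, _ = parse_ipv4(payload[ah_len:])
            result.update(inner_src=isrc, inner_dst=idst, inner_proto=iproto)
        return result
    return {**outer, "encap": "none"}


def constructed_samples():
    """Constructed sample packets (not captures): one inner UDP packet carried by an
    IPIP (gif) tunnel, an ESP tunnel-mode SA, and an AH tunnel-mode SA respectively."""
    inner = build_ipv4("10.0.0.5", "10.0.1.9", 17, b"udp-data")
    ipip = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_IPIP, inner)
    # ESP: SPI and sequence number, then ciphertext. The XOR below is only a stand-in
    # for encrypted bytes; the inner header is not recoverable from the wire.
    esp_body = struct.pack("!II", 0x1000, 7) + bytes(0xA5 ^ b for b in inner)
    esp = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_ESP, esp_body)
    # AH: authenticated, not encrypted. 12-byte ICV assumed, so Payload Len = 6 - 2 = 4.
    ah_body = struct.pack("!BBHII", IPPROTO_IPIP, 4, 0, 0x2000, 3) + b"\x00" * 12 + inner
    ah = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_AH, ah_body)
    return {"ipip": ipip, "esp": esp, "ah": ah}


if __name__ == "__main__":
    for name, pkt in constructed_samples().items():
        print(name, classify_tunnel(pkt))
```

Running the block prints the three classifications: the IPIP packet exposes the inner 10.0.0.5 to 10.0.1.9 header, the AH packet exposes it behind the AH header, and the ESP packet yields only the SPI and sequence number, which is why a tcpdump on the physical interface shows protocol 50 traffic rather than an ipip encapsulation and why the cleartext is not observable there.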
