...
# Session transcript: each command is followed by the output it produced on the page.
# <cmts-ip> is the page's placeholder for the IPsec peer's address, not a literal value.
# add transfer network to eth0 (as secondary IP address), since strongswan expects packets from/to 172.20.0.0/22
# (re-running this line fails with "RTNETLINK answers: File exists" if the address is already configured)
ip addr add 172.20.0.1/22 dev eth0
# start strongswan
systemctl start strongswan
# start all ipsec tunnels/associations
# (the three connection names below must match the configured strongswan connections)
strongswan up cmts-cm
strongswan up cmts-cpepriv
strongswan up cmts-mta
# get routes - note that they originate from 172.20.0.1, thus going through the tunnel
# (the "src 172.20.0.1" in each answer is what selects the IPsec policy for 172.20.0.0/22)
ip r get 10.0.31.254
10.0.31.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.64.3.254
100.64.3.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.96.3.254
100.96.3.254 via <cmts-ip> dev eth0 src 172.20.0.1
# ping all bundle interface ip addresses
# (one echo request per target; a reply confirms the tunnel for that destination carries traffic both ways)
ping -c1 10.0.31.254
PING 10.0.31.254 (10.0.31.254) 56(84) bytes of data.
64 bytes from 10.0.31.254: icmp_seq=1 ttl=255 time=0.475 ms
ping -c1 100.64.3.254
PING 100.64.3.254 (100.64.3.254) 56(84) bytes of data.
64 bytes from 100.64.3.254: icmp_seq=1 ttl=255 time=0.696 ms
ping -c1 100.96.3.254
PING 100.96.3.254 (100.96.3.254) 56(84) bytes of data.
64 bytes from 100.96.3.254: icmp_seq=1 ttl=255 time=0.495 ms
# teardown all ipsec tunnels/associations
# (reverse order of the "up" commands above)
strongswan down cmts-mta
strongswan down cmts-cpepriv
strongswan down cmts-cm
# stop strongswan
systemctl stop strongswan
Intercept encrypted packets
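#!/usr/bin/env bash
# Capture IPsec traffic on a single NFLOG group and write it to a pcap file.
#
# The raw-table rules see the packets as they are on the wire (ESP, AH and
# IKE on UDP 500/4500). The mangle/filter rules use the policy match, which
# selects packets that entered or leave through an IPsec SA, i.e. the inner
# (decrypted) packets — so the resulting capture contains plaintext of the
# tunnelled traffic and must be treated as sensitive.
#
# Environment (optional): NFLOG_GROUP (default 5), DUMP_FILE (default /tmp/dump.pcap).
# The NFLOG rules are removed again when the script exits, so re-running it
# does not accumulate duplicate rules in the chains.
set -euo pipefail

readonly NFLOG_GROUP=${NFLOG_GROUP:-5}
readonly DUMP_FILE=${DUMP_FILE:-/tmp/dump.pcap}

# One rule per entry: "<table> <chain> <match ...>". No token contains
# whitespace, so the word-splitting in apply_rules() is deliberate.
readonly -a RULES=(
  'raw PREROUTING -p esp'
  'raw PREROUTING -p ah'
  'raw PREROUTING -p udp -m multiport --dports 500,4500'
  'raw OUTPUT -p esp'
  'raw OUTPUT -p ah'
  'raw OUTPUT -p udp -m multiport --dports 500,4500'
  'mangle PREROUTING -m policy --pol ipsec --dir in'
  'mangle POSTROUTING -m policy --pol ipsec --dir out'
  'filter INPUT -m addrtype --dst-type LOCAL -m policy --pol ipsec --dir in'
  'filter FORWARD -m addrtype ! --dst-type LOCAL -m policy --pol ipsec --dir in'
  'filter OUTPUT -m policy --pol ipsec --dir out'
)

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Insert (-I) or delete (-D) every rule in RULES.
# Arguments: $1 - iptables action, "-I" or "-D"
# Returns:   0 if every iptables call succeeded, else the last failure status
#            (all rules are attempted even if one fails)
#######################################
apply_rules() {
  local action=$1 rule rv=0
  for rule in "${RULES[@]}"; do
    # shellcheck disable=SC2086 — intentional split of a whitespace-free spec
    set -- $rule
    iptables -t "$1" "$action" "$2" "${@:3}" -j NFLOG --nflog-group "$NFLOG_GROUP" || rv=$?
  done
  return "$rv"
}

# Remove the capture rules on any exit path (normal end, error, Ctrl-C).
cleanup() {
  apply_rules -D || printf 'warning: not all NFLOG rules could be removed\n' >&2
}

# Never follow a pre-existing symlink at the output path: the file will hold
# decrypted traffic, and the default lives in a world-writable directory.
[[ -L "$DUMP_FILE" ]] && die "refusing to write through symlink: $DUMP_FILE"

apply_rules -I || die "failed to install NFLOG rules"
trap cleanup EXIT

# Restrict the capture file to the owner; note that tcpdump may still drop
# privileges or chown the file depending on the distribution's build.
umask 077
tcpdump -vU -n -i "nflog:${NFLOG_GROUP}" -w "$DUMP_FILE"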
See https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump