Test and teardown of IPsec tunnels
```sh
# add transfer network to eth0 (as secondary IP address), since strongswan expects packets from/to 172.20.0.0/22
ip addr add 172.20.0.1/22 dev eth0

# start strongswan
systemctl start strongswan

# start all ipsec tunnels/associations
strongswan up cmts-cm
strongswan up cmts-cpepriv
strongswan up cmts-mta

# get routes - note that they originate from 172.20.0.1, thus going through the tunnel
ip r get 10.0.31.254
10.0.31.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.64.3.254
100.64.3.254 via <cmts-ip> dev eth0 src 172.20.0.1
ip r get 100.96.3.254
100.96.3.254 via <cmts-ip> dev eth0 src 172.20.0.1

# ping all bundle interface ip addresses
ping -c1 10.0.31.254
PING 10.0.31.254 (10.0.31.254) 56(84) bytes of data.
64 bytes from 10.0.31.254: icmp_seq=1 ttl=255 time=0.475 ms
ping -c1 100.64.3.254
PING 100.64.3.254 (100.64.3.254) 56(84) bytes of data.
64 bytes from 100.64.3.254: icmp_seq=1 ttl=255 time=0.696 ms
ping -c1 100.96.3.254
PING 100.96.3.254 (100.96.3.254) 56(84) bytes of data.
64 bytes from 100.96.3.254: icmp_seq=1 ttl=255 time=0.495 ms

# teardown all ipsec tunnels/associations
strongswan down cmts-mta
strongswan down cmts-cpepriv
strongswan down cmts-cm

# stop strongswan
systemctl stop strongswan
```
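The bring-up, route check, ping and teardown above as one script that always tears the tunnels down again, even when a check fails (an added example, not part of the NMS Prime wiki; connection names and addresses are the ones from this page, the helper names `route_src_ok` and `reverse_words` and the ping timeout are assumptions):

```shell
#!/bin/sh
# Added example: automate the tunnel test above and guarantee teardown.
# Connection names, transfer address and bundle addresses come from the
# page; everything else (function names, ping timeout) is an assumption.

TRANSFER_SRC=172.20.0.1                          # secondary address on eth0
CONNS="cmts-cm cmts-cpepriv cmts-mta"            # strongswan connection names
TARGETS="10.0.31.254 100.64.3.254 100.96.3.254"  # bundle interface addresses

# route_src_ok "<ip route get output>" EXPECTED_SRC
# Returns 0 only if the kernel would source the packet from EXPECTED_SRC,
# i.e. the destination is reached through the tunnel, not the plain LAN.
route_src_ok() {
    src=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
                                       if ($i == "src") { print $(i+1); exit } }')
    [ "$src" = "$2" ]
}

# reverse_words "a b c" -> "c b a"; tunnels are torn down in reverse order
reverse_words() {
    out=""
    for w in $1; do out="$w $out"; done
    printf '%s' "${out% }"
}

teardown() {
    for c in $(reverse_words "$CONNS"); do strongswan down "$c"; done
    systemctl stop strongswan
}

run_test() {
    ip addr add "$TRANSFER_SRC/22" dev eth0 2>/dev/null   # may already exist
    systemctl start strongswan || return 1
    trap teardown EXIT                      # runs even when a check fails
    for c in $CONNS; do strongswan up "$c" || return 1; done
    for t in $TARGETS; do
        route_src_ok "$(ip route get "$t")" "$TRANSFER_SRC" \
            || { echo "FAIL: $t is not routed through the tunnel"; return 1; }
        ping -c1 -W2 "$t" >/dev/null \
            || { echo "FAIL: $t does not answer"; return 1; }
        echo "OK: $t reachable via $TRANSFER_SRC"
    done
}

# Only touch the system when explicitly asked: sh ipsec-test.sh run
case "${1-}" in run) run_test ;; esac
```

Run it as root with `sh ipsec-test.sh run`; without the argument it only defines the functions.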
Intercept encrypted packets
```sh
iptables -t raw -I PREROUTING -p esp -j NFLOG --nflog-group 5
iptables -t raw -I PREROUTING -p ah -j NFLOG --nflog-group 5
iptables -t raw -I PREROUTING -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
iptables -t raw -I OUTPUT -p esp -j NFLOG --nflog-group 5
iptables -t raw -I OUTPUT -p ah -j NFLOG --nflog-group 5
iptables -t raw -I OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
iptables -t mangle -I PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
iptables -t filter -I INPUT -m addrtype --dst-type LOCAL -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t filter -I FORWARD -m addrtype ! --dst-type LOCAL -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t filter -I OUTPUT -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
tcpdump -vU -n -i nflog:5 -w /tmp/dump.pcap
```
The raw-table rules log the ESP/AH and IKE (UDP 500/4500) packets as they appear on the wire, while the `-m policy` rules log the same traffic in cleartext after decryption (inbound) and before encryption (outbound), so a single capture on nflog:5 contains both views. See https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump for the background.