Issue #1114

When using tcpdump/wireshark to sniff traffic secured by IPsec, incoming packets show up twice: encrypted i.e. as ESP packets and unencrypted as plaintext packets.

Added by ankur bansal almost 10 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
kernel
Affected version:
5.0.0
Resolution:
No feedback

Description

I have established an IPsec connection between 2 routers connected back-to-back; the IP addresses
of the two connected interfaces of the routers are 11.11.11.1 and 11.11.11.2.

But when I do a ping from router-1 to router-2, the request packet is captured twice
in Wireshark: once as an ESP packet and once as an unencrypted packet.

So my question is: is this correct behaviour? What I expect is that all the packets should be of
ESP type only and no unencrypted ICMP packet should appear.

Please inform me if I am correct or not.

The packet capture logs:
2015-08-31 19:48:59.650956 IP 11.11.11.1 > 224.0.0.5: OSPFv2, Hello, length 44
2015-08-31 19:49:01.332350 IP 11.11.11.1 > 11.11.11.2: ESP, length 132
2015-08-31 19:49:01.332350 IP 11.11.11.1 > 11.11.11.2: ICMP echo request, id 29868, seq 1, length 64 <<<=====
2015-08-31 19:49:01.332468 IP 11.11.11.2 > 11.11.11.1: ESP, length 132
2015-08-31 19:49:02.335026 IP 11.11.11.1 > 11.11.11.2: ESP, length 132
2015-08-31 19:49:02.335026 IP 11.11.11.1 > 11.11.11.2: ICMP echo request, id 29868, seq 2, length 64 <<<====
2015-08-31 19:49:02.335155 IP 11.11.11.2 > 11.11.11.1: ESP, length 132
2015-08-31 19:49:03.339263 IP 11.11.11.1 > 11.11.11.2: ESP, length 132
2015-08-31 19:49:03.339263 IP 11.11.11.1 > 11.11.11.2: ICMP echo request, id 29868, seq 3, length 64 <<<=====
2015-08-31 19:49:03.339425 IP 11.11.11.2 > 11.11.11.1: ESP, length 132
2015-08-31 19:49:04.342511 IP 11.11.11.1 > 11.11.11.2: ESP, length 132
2015-08-31 19:49:04.342511 IP 11.11.11.1 > 11.11.11.2: ICMP echo request, id 29868, seq 4, length 64
2015-08-31 19:49:04.342700 IP 11.11.11.2 > 11.11.11.1: ESP, length 132
2015-08-31 19:49:05.346377 IP 11.11.11.1 > 11.11.11.2: ESP, length 132
2015-08-31 19:49:05.346377 IP 11.11.11.1 > 11.11.11.2: ICMP echo request, id 29868, seq 5, length 64
2015-08-31 19:49:05.346633 IP 11.11.11.2 > 11.11.11.1: ESP, length 132
2015-08-31 19:49:06.349207 ARP, Request who-has 11.11.11.1 tell 11.11.11.2, length 28
2015-08-31 19:49:06.349559 ARP, Reply 11.11.11.1 is-at 08:00:27:7b:e8:7b, length 46

History

#1 Updated by Noel Kuntze almost 10 years ago

Hello Ankur,

What you are seeing is the correct and expected behaviour on Linux.

Kind regards,
Noel Kuntze

#2 Updated by ankur bansal almost 10 years ago

Hi Noel,

Thanks for the response. But my doubt is: if the intruder is able to see the packets,
then what is the use of IPsec?

Can you please explain a bit ?

Thanks & Regards,
Ankur Bansal

#3 Updated by Tobias Brunner almost 10 years ago

There is a FAQ entry regarding this.

But my doubt is: if the intruder is able to see the packets,
then what is the use of IPsec?

What do you mean? Obviously the packets have to get decrypted on the IPsec endpoint so they can be delivered to the target hosts/applications (for which the IPsec tunneling happens transparently). And to capture traffic an intruder has to have extended privileges, and is therefore probably also able to just get the IPsec keys from the kernel, e.g. via ip xfrm state, to decrypt captured traffic in both directions.

#4 Updated by Tobias Brunner almost 10 years ago

  • Tracker changed from Bug to Issue
  • Category changed from libstrongswan to kernel
  • Status changed from New to Feedback
  • Assignee deleted (ankur bansal)
  • Priority changed from Urgent to Normal

#5 Updated by ankur bansal almost 10 years ago

Hello,

No that wasn't my question.

As shown in the above logs, there are 2 ICMP request packets for each response, so my questions are:

1. Why are the unencrypted packets coming at all? Since I have applied IPsec, I expect that all the packets should be encrypted, but there are some unencrypted packets also coming, so anyone can see the content of the unencrypted packets, which I don't want.

2. On router-1 I see two ICMP request packets and on the other router 2 ICMP response packets (routers connected back-to-back). Why is there an extra packet coming which is unencrypted?

Can you please explain a bit?
And also, is the extra packet proper behaviour?

Thanks & Regards,
Ankur Bansal

#6 Updated by Tobias Brunner almost 10 years ago

1. Why are the unencrypted packets coming at all? Since I have applied IPsec, I expect that all the packets should be encrypted, but there are some unencrypted packets also coming, so anyone can see the content of the unencrypted packets, which I don't want.

The unencrypted packets are not received as such on the interface, they just show up in tcpdump/Wireshark after the ESP packet got decrypted. That's just a side-effect of how the Linux network stack works and how libpcap captures traffic. That you don't see the unencrypted responses before they get encrypted is another peculiarity of how the stack/capturing works. Nobody capturing traffic outside the IPsec endpoints can see the unencrypted packets.

2. On router-1 I see two ICMP request packets and on the other router 2 ICMP response packets (routers connected back-to-back). Why is there an extra packet coming which is unencrypted?

Could you show us that capture? Is router-1 also running Linux?
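A way to check the explanation in #6 against a capture, as an added example that is not part of the thread and not strongSwan code: the posted capture shows each plaintext ICMP request with exactly the same libpcap timestamp, source and destination as the ESP packet right before it, while the outbound replies appear only as ESP. The script below parses tcpdump -n output in that format, pairs every plaintext line with an ESP line by (timestamp, src, dst), and reports which plaintext packets are decrypted copies of inbound ESP (never on the wire) versus packets with no ESP counterpart at all. The sample capture is constructed from the lines posted above; the local endpoint address 11.11.11.2 is an assumption (the capture shows the requests arriving at it). The OSPF hello has no ESP twin, so it is reported as genuine cleartext; whether that is expected depends on the IPsec policy, which the page does not show.

```python
import re

# Constructed sample in tcpdump -n format, modelled on the capture posted in the issue.
SAMPLE_CAPTURE = """\
2015-08-31 19:48:59.650956 IP 11.11.11.1 > 224.0.0.5: OSPFv2, Hello, length 44
2015-08-31 19:49:01.332350 IP 11.11.11.1 > 11.11.11.2: ESP, length 132
2015-08-31 19:49:01.332350 IP 11.11.11.1 > 11.11.11.2: ICMP echo request, id 29868, seq 1, length 64
2015-08-31 19:49:01.332468 IP 11.11.11.2 > 11.11.11.1: ESP, length 132
2015-08-31 19:49:02.335026 IP 11.11.11.1 > 11.11.11.2: ESP, length 132
2015-08-31 19:49:02.335026 IP 11.11.11.1 > 11.11.11.2: ICMP echo request, id 29868, seq 2, length 64
2015-08-31 19:49:02.335155 IP 11.11.11.2 > 11.11.11.1: ESP, length 132
2015-08-31 19:49:03.339263 IP 11.11.11.1 > 11.11.11.2: ESP, length 132
2015-08-31 19:49:03.339263 IP 11.11.11.1 > 11.11.11.2: ICMP echo request, id 29868, seq 3, length 64
2015-08-31 19:49:03.339425 IP 11.11.11.2 > 11.11.11.1: ESP, length 132
2015-08-31 19:49:06.349207 ARP, Request who-has 11.11.11.1 tell 11.11.11.2, length 28
"""

# "<date> <time> IP <src> > <dst>: <proto>, ..." ; proto is the first token after the colon.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<proto>[A-Za-z0-9]+)')


def parse_capture(text):
    """Return one dict per IP line; non-IP lines (ARP etc.) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def classify_plaintext(records):
    """Split plaintext (non-ESP) records into two groups.

    A plaintext line that shares timestamp, src and dst with an ESP line is the
    decrypted copy of that ESP packet, captured again after the kernel's xfrm
    input processing on the endpoint; it never existed on the wire in the clear.
    A plaintext line with no such ESP twin really was sent or received unencrypted.
    """
    esp_keys = {(r['ts'], r['src'], r['dst']) for r in records if r['proto'] == 'ESP'}
    decrypted, cleartext = [], []
    for r in records:
        if r['proto'] == 'ESP':
            continue
        (decrypted if (r['ts'], r['src'], r['dst']) in esp_keys else cleartext).append(r)
    return decrypted, cleartext


def audit_endpoint_capture(text, local_addr):
    """Summarise a capture taken on the IPsec endpoint local_addr (an assumption of this example)."""
    records = parse_capture(text)
    decrypted, cleartext = classify_plaintext(records)
    return {
        'esp': sum(r['proto'] == 'ESP' for r in records),
        'decrypted_copies': len(decrypted),
        # Decrypted copies show up only for inbound traffic; outbound plaintext is
        # not captured before encryption, which is what the posted capture shows.
        'decrypted_inbound': sum(r['dst'] == local_addr for r in decrypted),
        'decrypted_outbound': sum(r['src'] == local_addr for r in decrypted),
        # Anything here was genuinely unencrypted; compare against the IPsec policy.
        'cleartext_no_esp': [(r['src'], r['dst'], r['proto']) for r in cleartext],
    }


if __name__ == '__main__':
    for key, value in audit_endpoint_capture(SAMPLE_CAPTURE, '11.11.11.2').items():
        print(f'{key}: {value}')
```

To run it on a real endpoint, feed it the output of tcpdump -n on the IPsec interface; a capture taken on a host between the two endpoints (or on a mirror port) should yield no decrypted copies at all, only ESP and whatever the policy leaves in the clear.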

#7 Updated by Tobias Brunner almost 10 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback