Hi,
I am not really sure about what you said but here is my answer ;-).
First of all I have added some field in the ESP Preferences to describe
the SAs, the Keys, the Encryption algorithms and the Authentication
algorithms (perhaps for future use for checking authentication... Whatever
if you use the NULL authentication the alignment is different so you have
to precise it).
I understood that you are talking about decryption of ESP in tunnel mode.
Here is one of the more complexe tology I tried (if you have encapsulated
ESP in encapsulated ESP in ... it should work the same).
It is in v4 and I joigned the dump file with the preference file you have
to put in ~/.ethereal
N1 R1 N2
[192.168.0.3] -------[192.168.0.2][10.0.0.1]--------[10.0.0.2]
default route for 192.168.0.3 is 192.168.0.2
There is not default route on 10.0.0.2.
it means that I will received destination unreachable ... Great ;-)
In this case I have the following policies:
########## For 192.168.0.2 (R1)
spdadd 192.168.0.3 10.0.0.2 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.0.2/use;
add 10.0.0.1 10.0.0.2 esp 10
-m tunnel
-E aes-cbc "aescbcencryption"
-A hmac-sha1 "hmacsha1authenticati";
########## For 192.168.0.3 (N1)
spdadd 192.168.0.3 10.0.0.2 any -P out ipsec esp/transport//require;
add 192.168.0.3 10.0.0.2 esp 15
-E des-cbc "descbte"
-A hmac-sha1 "hmacsha1authenticati";
It means that packets coming from N1 to 10.0.0.3 will be encrypted with
des-cbc and tunneled with ESP encryption aes-cbc to N2.
If I have a look into R1, I have these two SAs to decrypt the entire packet.
I will have something like
[IP1][ESP1][ENCRYPTION1]
with [ENCRYPTION1]=[IP2][ESP2][ENCRYPTION2]
and [ENCRYPTION2]=ICMP
IP1 is ip layer from R1 to N2
ENCRYPTION2 is aes-cbc
IP2 is ip layer from N1 to 10.0.0.3
ENCRYPTION2 is des-cbc
thus you have enough information to describe the whole packet.
if you use the preference File in attachment it will do this.
You only have two SAs :
SA #1: IPV4|10.0.0.1|10.0.0.2|*
Encrypt 1 : AES-CBC
Auth 1 : HMAC-SHA1
Encrypt Key 1 : aescbcencryption
SA #2: IPV4|192.168.0.3|10.0.0.2|*
Encrypt 2 : DES-CBC
Auth 2 : HMAC-SHA1
Encrypt Key 2 : descbcte
And as a consequence the Destination Unreachable will also be decrypted,
because SAs are the same.
I hope it was the question,
Best regards,
---
Frederic
> On Wed, Feb 22, 2006 at 05:03:38PM +0100, Frederic Roudaut wrote:
>>
>> Because I received no comment about my dissector, I ask again ;-).
>> Is there any need for my update ? Does anyone plan to use it ?
>
> I quickly browsed through the readme and was not sure where the
> dissector would get the PSK or the private key for the SA from. It
> would be very useful to be able to look 'inside' an IPsec tunnel
> so if there is a mechanism to select a PSK / private key and then
> be able to decrypt the IPSEC traffic I do think I will use it
> some times.
>
> I do believe it's necessary to capture from the setup of the
> SA's to be able to do so, which might limit it's usefullness
> in the real world (unless you're able to restart the tunnel
> of course).
>
> Still, I personally would definately like this functionality
> to be available in the official releases :)
>
>
> Cheers, Sake
>
> _______________________________________________
> Ethereal-dev mailing list
> Ethereal-dev@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-dev
>
Attachment:
capture_v4_ipsec2.pcap
Description: Binary data
Attachment:
preferences
Description: Binary data