How do I verify that IPSec is actually functioning

S.C.Best sbest at ECHOGENT.COM
Tue Jul 25 12:49:55 EDT 2000


Chris:

>This brings up a very good point about encryption: how
>do you know it's really being done?

	Ah, weird action at a distance. :) This thread
recently surfaced on the FreeSWAN IPSec mailing list.
An IPSec implementer was "asked by his boss" to prove to
him that FreeSWAN was actually encrypting the traffic.
After a dozen or so messages discussing all sides of this,
the original author came back to inform us that he simply
showed the discussion thread to his boss, and that turned
out to be proof enough. :)
	But I digress...

>Is it possible to use some type of testing tool to
>encrypt a set of known values, like "The quick brown
>fox jumped over the lazy dog" using a pair of manual
>IPSec keys, and then pass the same string and IPSec
>manual keys in your IPSec devices and packet sniff for
>the encrypted data.  Shouldn't the encrypted strings
>of the testing system match the IPSec devices?

	Yes. This is similar in nature to something I
naively suggested on the FreeSWAN list. Caveat emptor:
it's hardly a rigorous proof that the IPSec tunnel is
*always* encrypting the traffic. I cannot prove that it's
never sending cleartext (though I'm not often expected to
prove negatives, except during job interview situations).
	My suggestion was to force a known-hex pattern into the
IPSec tunnel entrance (i.e., "ping -l feedfacedeadbeef <ip>")
and then use tcpdump to capture the ciphertext of that.
Presuming that you have root control over both ends of
the tunnel, it'd be trivial to lift both the encryption method
*and* the session key associated with that ciphertext. Take
those four pieces to an "off the shelf" encryption package,
like OpenSSL, and after noodling with the packet delineation
challenges, you *should* be able to extract the deadbeef.

	I think it would be quite valuable to have a
"sanity checker" written by someone not associated with
the coding team. I hope this suggestion helps in that regard,

cheers,
Scott
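
The known-plaintext check Scott describes, worked through as an added example (not code from the original message, FreeSWAN, or the VPN list): the "capture" is constructed in-code instead of coming from tcpdump, the ESP SA is assumed to use AES-128-CBC with no authentication data, and the manual key, IV and SPI are made-up values. The sanity checker does two things: it confirms the feedfacedeadbeef pattern does not appear on the wire, and it decrypts the ESP payload with the lifted key (the OpenSSL step) to show the pattern comes back out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Known-plaintext pattern, the hex the message suggests feeding to ping.
var Pattern = mustHex("feedfacedeadbeef")

// Hypothetical manual AES-128 key and IV for the constructed capture (not real SA values).
var (
	ManualKey = mustHex("000102030405060708090a0b0c0d0e0f")
	SampleIV  = mustHex("0f0e0d0c0b0a09080706050403020100")
)

const nextHeaderICMP = 1

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// BuildESP constructs what a sniffer sees on the wire: SPI, sequence number, IV and
// CBC ciphertext, with the RFC 2406 trailer (pad bytes 1,2,3..., pad length,
// next header) inside the encrypted region. Authentication data is omitted.
func BuildESP(spi, seq uint32, key, iv, payload []byte, nextHeader byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padLen := (bs - (len(payload)+2)%bs) % bs // payload + pad + 2 trailer bytes fills whole blocks
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i))
	}
	plain = append(plain, byte(padLen), nextHeader)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)

	pkt := make([]byte, 8, 8+len(iv)+len(ct))
	binary.BigEndian.PutUint32(pkt[0:4], spi)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(pkt, iv...)
	return append(pkt, ct...), nil
}

// DecryptESP is the "off the shelf" step: with the session key lifted from an endpoint,
// delineate the captured ESP packet, decrypt it and strip the trailer.
func DecryptESP(pkt, key []byte) (payload []byte, nextHeader byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, 0, err
	}
	bs := block.BlockSize()
	if len(pkt) < 8+bs {
		return nil, 0, errors.New("packet too short for ESP header and IV")
	}
	iv, ct := pkt[8:8+bs], pkt[8+bs:]
	if len(ct) == 0 || len(ct)%bs != 0 {
		return nil, 0, errors.New("ciphertext is not a whole number of blocks")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	nextHeader = plain[len(plain)-1]
	if padLen+2 > len(plain) {
		return nil, 0, errors.New("pad length exceeds plaintext (wrong key?)")
	}
	for i := 1; i <= padLen; i++ { // the pad bytes catch most wrong keys
		if plain[len(plain)-2-padLen+i-1] != byte(i) {
			return nil, 0, errors.New("ESP padding check failed (wrong key?)")
		}
	}
	return plain[:len(plain)-2-padLen], nextHeader, nil
}

// TunnelReport holds the two observations the sanity checker needs.
type TunnelReport struct {
	PatternOnWire    bool // known plaintext visible in the capture: tunnel is NOT encrypting
	PatternRecovered bool // decrypting with the lifted key yields the known plaintext
	NextHeader       byte
}

// VerifyTunnel runs both checks over a captured packet.
func VerifyTunnel(capture, key, pattern []byte) (TunnelReport, error) {
	r := TunnelReport{PatternOnWire: bytes.Contains(capture, pattern)}
	payload, nh, err := DecryptESP(capture, key)
	if err != nil {
		return r, err
	}
	r.PatternRecovered, r.NextHeader = bytes.Contains(payload, pattern), nh
	return r, nil
}

func main() {
	// Constructed inner packet: a 56-byte ping data area filled with the pattern.
	payload := bytes.Repeat(Pattern, 7)
	capture, err := BuildESP(0x1000, 1, ManualKey, SampleIV, payload, nextHeaderICMP)
	if err != nil {
		panic(err)
	}
	report, err := VerifyTunnel(capture, ManualKey, Pattern)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on wire: %x\n", capture)
	fmt.Printf("pattern visible on wire: %v, recovered after decrypt: %v, next header: %d\n",
		report.PatternOnWire, report.PatternRecovered, report.NextHeader)
}
```

Run against a real tcpdump capture, the same two functions apply once the IP header is stripped and the IV length and cipher are set to match the SA; the caveat in the message still holds, since a clean result on one packet says nothing about packets that were not captured.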

VPN is sponsored by SecurityFocus.COM
