This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Outgoing packets of IPsec VPN tunnel establishment not visible


Hi Guys,

I am trying to capture a VPN tunnel establishment between 2 firewalls. While I am able to see the trace in tcpdump, when I write it to a pcap file the outgoing packets are not present. What could I be doing wrong, or is there something else I need to do while I do the capture?

01:05:52.154481 In IP 192.168.3.1.500 > 192.168.4.2.500: isakmp: phase 1 I ident: [|sa]
01:05:52.186367 Out IP 192.168.4.2.500 > 192.168.3.1.500: isakmp: phase 1 R ident: [|sa]

"In" packets are not visible. Any help would be appreciated. Thanks, Rahul

asked 08 Nov '13, 11:51

Rahultn
accept rate: 0%

  • what is your (exact) tcpdump command for writing the pcap file?
  • where do you capture? On one of the firewalls, or somewhere in between?
(08 Nov '13, 15:37) Kurt Knochner ♦

Thanks for the response, Kurt. FW1 ------ FW2. On the FW2 receiving interface I did the capture:

tcpdump -ni <int> -w File.pcap

On this dump I am able to see bidirectional traffic, but when I write it to a pcap file and open it, only
192.168.4.2.500 > 192.168.3.1.500: isakmp: phase 1 R ident: [|sa] is available.

(Correction to the q: Incoming packets are visible)

(08 Nov '13, 15:45) Rahultn

Thanks for response Kurt. FW1 ------ FW2 On the FW2 receiving interface I did the capture

What type of firewall is this?

To repeat it:

  • if you run tcpdump on the console (tcpdump -ni <int>) you do see IKE traffic in both directions
  • if you let tcpdump write a file (tcpdump -ni <int> -w file.pcap) you don't see IKE in both directions?

If so (and you used no other options for tcpdump than the ones you posted), how did you check the content of the pcap file?

BTW: Are there tagged VLAN ports involved on firewall FW2 (the interface you sniffed)?

(08 Nov '13, 16:01) Kurt Knochner ♦
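To make the two checks Kurt asks for concrete (how the pcap file was inspected, and whether tagged VLAN frames are involved), here is an added example that is not part of the original thread and is not Wireshark or tcpdump code. It is a small Python script that reads a classic pcap file back without Wireshark, counts UDP/500 (IKE) packets per src > dst direction, and records whether each frame carried an 802.1Q tag. The capture it reads is constructed inline for this example, using the two addresses from the question; the VLAN 10 tag on the responder direction is an assumption made purely for illustration, not something the thread establishes about Rahul's firewalls. The `handle_vlan` switch shows what a reader that does not understand tagged frames reports: only one direction, which is the kind of symptom that makes the VLAN question worth answering.

```python
"""Added example: inspect a classic pcap for IKE (UDP/500) traffic per direction.

Reads the file back without Wireshark, counts packets per src > dst pair and
records whether each frame carried an 802.1Q VLAN tag.  The sample capture
below is constructed in-line for this example; it is not the poster's file.
"""
import struct
from collections import Counter

IKE_PORT = 500
DLT_EN10MB = 1


def iter_pcap_frames(data: bytes):
    """Yield raw link-layer frames from a classic pcap (not pcapng) byte string."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:          # written little-endian
        end = "<"
    elif magic == 0xD4C3B2A1:        # written big-endian
        end = ">"
    else:
        raise ValueError("not a classic microsecond pcap (pcapng/nanosecond not handled)")
    (linktype,) = struct.unpack(end + "I", data[20:24])
    if linktype != DLT_EN10MB:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def decode_udp(frame: bytes, handle_vlan: bool = True):
    """Return (vlan_id_or_None, src, sport, dst, dport) for an IPv4/UDP frame, else None."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if ethertype == 0x8100:          # 802.1Q tagged frame
        if not handle_vlan:          # a naive reader treats the whole frame as non-IP
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != 17:         # not UDP
        return None
    src = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst = ".".join(str(b) for b in frame[off + 16:off + 20])
    sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return vlan, src, sport, dst, dport


def ike_directions(data: bytes, handle_vlan: bool = True) -> Counter:
    """Count UDP/500 packets per ("src:port > dst:port", vlan) in a pcap."""
    counts = Counter()
    for frame in iter_pcap_frames(data):
        decoded = decode_udp(frame, handle_vlan)
        if decoded is None:
            continue
        vlan, src, sport, dst, dport = decoded
        if IKE_PORT in (sport, dport):
            counts[(f"{src}:{sport} > {dst}:{dport}", vlan)] += 1
    return counts


# --- constructed sample capture (assumption: VLAN 10 on the responder direction) ---
def build_udp_frame(src, dst, sport, dport, payload, vlan=None):
    ip_src = bytes(int(x) for x in src.split("."))
    ip_dst = bytes(int(x) for x in dst.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip_src, ip_dst) + udp
    eth = bytes(12)                  # placeholder MAC addresses
    eth += struct.pack("!HHH", 0x8100, vlan, 0x0800) if vlan is not None else struct.pack("!H", 0x0800)
    return eth + ip


def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([
    build_udp_frame("192.168.3.1", "192.168.4.2", 500, 500, bytes(28)),           # initiator, untagged
    build_udp_frame("192.168.4.2", "192.168.3.1", 500, 500, bytes(28), vlan=10),  # responder, tagged
])

if __name__ == "__main__":
    for label, flag in (("802.1Q-aware reader", True), ("reader that ignores tagged frames", False)):
        print(label)
        for (direction, vlan), n in sorted(ike_directions(SAMPLE_PCAP, flag).items()):
            print(f"  {n:3d}  {direction}  vlan={vlan}")
```

To use it on a real file, replace `SAMPLE_PCAP` with `open("File.pcap", "rb").read()`; it only understands the classic pcap format that `tcpdump -w` produces, so a pcapng file would need to be converted first. Comparing the two reader modes against the same file is the point: if the 802.1Q-aware count shows both directions while the naive one shows only the untagged side, the frames are there and the problem is in how they are being decoded, not in the capture.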