How to monitor traffic through specific IPsec VPN tunnel?

Dear community,

at present I need to check if some traffic (ordinary ping) is routed to a tunnel or not.
On the previous UTM this was fairly easy by running "espdump" for this tunnel on the console.
When ping was routed OK and the rules allowed it, I would see the packet showing up on the console.

As far as I understood, the XG doesn't have the espdump command available.

So which options do I have to verify that packets are routed through a specific IPsec tunnel?
Any advice is appreciated.

Best Regards
RanX



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    The packet capture on the firewall from Diagnostics > Packet Capture would help you determine if the traffic is routed to an IPsec tunnel or not. 

    You would see ipsec0 as an outbound interface for the traffic routed through the tunnel. 

    Thanks,

  • Thanks for your reply!
    Well this is kind of a solution.
    But you'll surely agree, it's an unfocused one.
    If the traffic goes to "ipsec0", I still do not know if it passes the tunnel it is expected to use.
    So I would definitely prefer something a bit more precise.

    Best regards
    RanX

  • FormerMember
    +1 FormerMember in reply to RanX

    Hi,

    In that case, you can grep the tcpdump with inbound and outbound SPIs for specific tunnels: 

    Run the following command from Advanced Shell: 

    • ipsec statusall

    Find the SPIs for the specific tunnel as shown in the following sample:

    • To_Azure_XG-1{27}: INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: cabd3fef_i c71719d2_o

    Now run tcpdump on WAN interface with the following command: 

    • tcpdump -n -s0 -p -i PortB | grep 'c71719d2\|cabd3fef'

    08:43:19.831272 PortB, OUT: IP 192.168.1.16.4500 > 52.225.xxx.xxx.4500: UDP-encap: ESP(spi=0xc71719d2,seq=0x499), length 136
    08:43:20.367136 PortB, OUT: IP 192.168.1.16.4500 > 52.225.xx.xx.4500: UDP-encap: ESP(spi=0xc71719d2,seq=0x49a), length 152
    08:43:20.409947 PortB, IN: IP 52.225.xxx.xxx.4500 > 192.168.1.16.4500: UDP-encap: ESP(spi=0xcabd3fef,seq=0x145), length 152
    08:43:20.995885 PortB, OUT: IP 192.168.1.16.4500 > 52.225.xxx.xxx.4500: UDP-encap: ESP(spi=0xc71719d2,seq=0x49b), length 152
    08:43:21.370021 PortB, OUT: IP 192.168.1.16.4500 > 52.225.xxx.xxx.4500: UDP-encap: ESP(spi=0xc71719d2,seq=0x49c), length 152
    08:43:21.408517 PortB, IN: IP 52.225.xxx.xx.4500 > 192.168.1.16.4500: UDP-encap: ESP(spi=0xcabd3fef,seq=0x146), length 152

    Thanks,
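    The SPI-based check above can be automated so that every ESP packet in a capture is attributed to a named tunnel instead of eyeballing a grep. The script below is an added example, not code from the thread or from Sophos: it parses `ipsec statusall` output in the format quoted above (the `ESP in UDP SPIs: xxxx_i yyyy_o` line; plain `ESP SPIs:` for non-NAT-T tunnels is handled too), builds an SPI-to-tunnel table, and then classifies tcpdump lines in the `PortB, OUT: ... ESP(spi=0x...)` format shown. The status output, tunnel names, peer addresses and tcpdump lines are constructed sample data. Two caveats the script makes visible: an SPI only tells you which tunnel carried the packet, not the inner source and destination addresses (those are encrypted), and SPIs change on every IPsec rekey, so a table taken from `ipsec statusall` goes stale and packets with an unknown SPI must be reported rather than silently dropped.

```python
import re
from collections import Counter

# Constructed sample of `ipsec statusall` output, modelled on the line quoted in
# the thread. Tunnel names, peer addresses and SPIs are made up for this example.
STATUSALL_SAMPLE = """\
Security Associations (2 up, 0 connecting):
To_Azure_XG-1[3]: ESTABLISHED 2 hours ago, 192.168.1.16[192.168.1.16]...203.0.113.20[203.0.113.20]
To_Azure_XG-1{27}:  INSTALLED, TUNNEL, reqid 5, ESP in UDP SPIs: cabd3fef_i c71719d2_o
To_Azure_XG-1{27}:   10.0.0.0/24 === 10.10.0.0/24
To_Branch-1[4]: ESTABLISHED 40 minutes ago, 192.168.1.16[192.168.1.16]...198.51.100.7[198.51.100.7]
To_Branch-1{31}:  INSTALLED, TUNNEL, reqid 6, ESP SPIs: 0a1b2c3d_i 4e5f6071_o
To_Branch-1{31}:   10.0.0.0/24 === 172.16.5.0/24
"""

# Constructed tcpdump lines in the format the firewall prints (interface, direction).
# The last ESP line uses an SPI that no current SA owns, e.g. a packet from an SA
# that has since been rekeyed; the isakmp line is IKE, not ESP, and is ignored.
TCPDUMP_SAMPLE = [
    "08:43:19.831272 PortB, OUT: IP 192.168.1.16.4500 > 203.0.113.20.4500: UDP-encap: ESP(spi=0xc71719d2,seq=0x499), length 136",
    "08:43:20.367136 PortB, OUT: IP 192.168.1.16.4500 > 203.0.113.20.4500: UDP-encap: ESP(spi=0xc71719d2,seq=0x49a), length 152",
    "08:43:20.409947 PortB, IN: IP 203.0.113.20.4500 > 192.168.1.16.4500: UDP-encap: ESP(spi=0xcabd3fef,seq=0x145), length 152",
    "08:43:20.710001 PortB, OUT: IP 192.168.1.16 > 198.51.100.7: ESP(spi=0x4e5f6071,seq=0x12), length 120",
    "08:43:20.755512 PortB, IN: IP 198.51.100.7 > 192.168.1.16: ESP(spi=0x0a1b2c3d,seq=0x0f), length 120",
    "08:43:21.001000 PortB, OUT: IP 192.168.1.16.4500 > 203.0.113.20.4500: UDP-encap: ESP(spi=0xdeadbeef,seq=0x1), length 136",
    "08:43:22.001000 PortB, OUT: IP 192.168.1.16.500 > 203.0.113.20.500: isakmp: parent_sa ikev2_I",
]

# One CHILD_SA line per tunnel: "<name>{<n>}: INSTALLED, ... SPIs: <in>_i <out>_o".
CHILD_SA_RE = re.compile(
    r"^(?P<name>\S+?)\{\d+\}:\s+INSTALLED,.*?SPIs:\s+(?P<spi_in>[0-9a-f]+)_i\s+(?P<spi_out>[0-9a-f]+)_o",
    re.MULTILINE,
)

# ESP packet line; the "<iface>, IN|OUT:" prefix is optional so plain tcpdump output also parses.
ESP_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?:(?P<iface>\S+),\s+(?P<dir>IN|OUT):\s+)?IP\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):"
    r".*?ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\)"
)


def parse_spi_table(statusall_text):
    """Map each active ESP SPI (lowercase hex, no 0x) to (tunnel name, 'in' or 'out')."""
    table = {}
    for m in CHILD_SA_RE.finditer(statusall_text):
        table[m["spi_in"].lower()] = (m["name"], "in")
        table[m["spi_out"].lower()] = (m["name"], "out")
    return table


def attribute_packets(tcpdump_lines, spi_table):
    """Count ESP packets per (tunnel, direction); collect SPIs no active SA claims."""
    counts = Counter()
    unknown = Counter()
    for line in tcpdump_lines:
        m = ESP_RE.search(line)
        if not m:
            continue  # IKE, cleartext or unrelated traffic
        spi = m["spi"].lower()
        if spi in spi_table:
            counts[spi_table[spi]] += 1
        else:
            unknown[spi] += 1  # stale table after rekey, or a tunnel not in statusall
    return counts, unknown


def grep_pattern(spi_table, tunnel):
    """Build the grep alternation used in the thread for one tunnel's current SPIs."""
    spis = sorted(spi for spi, (name, _) in spi_table.items() if name == tunnel)
    if not spis:
        raise KeyError(f"no installed CHILD_SA for tunnel {tunnel!r}")
    return "\\|".join(spis)


if __name__ == "__main__":
    table = parse_spi_table(STATUSALL_SAMPLE)
    counts, unknown = attribute_packets(TCPDUMP_SAMPLE, table)
    for (name, direction), n in sorted(counts.items()):
        print(f"{name:16} {direction:3} {n} packet(s)")
    for spi, n in unknown.items():
        print(f"unknown SPI 0x{spi}: {n} packet(s) (re-run 'ipsec statusall', SA may have rekeyed)")
    print("grep for To_Azure_XG-1:", grep_pattern(table, "To_Azure_XG-1"))
```

    On the firewall the two inputs would come from `ipsec statusall` and the `tcpdump -n -s0 -p -i PortB` command from the post; the script only decides which tunnel each ESP packet belongs to and flags SPIs it cannot place, which is the signal to refresh the SPI table. Because direction is taken from the SA (`_i` versus `_o`) rather than from the capture, it also works on captures that lack the `IN:`/`OUT:` prefix.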

  • Well I still don't see the original source and target IPs, but it does the trick so far, in that I can at least verify that my traffic passes through the right tunnel.

    So I suggest to write an article on this in the knowledgebase if not already existing.
    I think this might be valuable to other admins too.
    Especially, when you have to juggle many VPNs and pass traffic from one to another, it's very helpful to have this at hand.
    Sometimes packets get lost somewhere and commands like this ease diagnosing such scenarios a lot.

    Best regards
    RanX

  • Actually did you try the packet capture on the GUI? It can show you the packets on the tunnel interface. 

  • As pointed out in my first answer, I want to know if my traffic passes the right tunnel.
    If I got your colleague right, packet capture only shows me that it goes to some tunnel (interface ipsec0).
    When I want to verify it goes to a certain tunnel, this is only half the job.

    If packet capture allows a more detailed diagnosis on a single tunnel, I'm looking forward to instructions on how to achieve this.

    Best Regards
    RanX

  • FormerMember
    0 FormerMember in reply to RanX

    Hi,

    Check out the following KBA if you want to dig more into the encrypted traffic:

    If you want to capture traffic for specific tunnel you might have to use the destination public IP address along with the port 500.

    Thanks,
