AppleVPN / Cisco IPSec traffic not visible via virtual network interface (utun0)
Hello All,

I have an interface filter that rewrites network traffic associated with physical as well as most virtual network interfaces (e.g. Cisco AnyConnect, OpenVPN's tun/tap, Juniper, etc.). However, for the utun0 network interface created by the Apple VPN client (in Cisco IPSec mode), no traffic is visible to my interface filter driver. The unencrypted traffic is also not visible to tcpdump, so there's something interesting going on in terms of how the Apple IPSec client is tunneling traffic to the remote end. The encrypted (ESP) traffic is visible on en[01], but obviously not the unencrypted traffic.

Interestingly, the utun0 interface created by the Cisco AnyConnect client works fine -- my interface filter (and tcpdump) can see the unencrypted traffic associated with their version of utun0. The unencrypted traffic associated with the Apple PPTP client is visible as well.

Does anyone have any insight into how the Apple VPN Cisco IPSec client routes unencrypted traffic, and is it possible to see that traffic before it's encrypted?

I'm guessing there's a user-mode process or a socket filter that's grabbing the traffic before BPF/interface filters get a chance to inspect the traffic on utun0, but it would be helpful to understand how it's working.

Thanks for your assistance,
Brendan Creane

Macnetworkprog mailing list (Macnetworkprog@lists.apple.com)