Re: AppleVPN / Cisco IPSec traffic not visible via virtual network interface (utun0)
Even if utun supports bpf, some VPNs may set up a virtual interface that is just used for routing. These VPNs are implemented as IP or interface layer filters that intercept packets before they make it to the interface.
-josh
On Jun 9, 2010, at 9:50 AM, Dreamcat Four wrote:
On Wed, Jun 9, 2010 at 5:22 PM, Brendan Creane <bcreane@gmail.com> wrote:
The issue in a nutshell is that unlike most other VPN clients, Apple VPN in Cisco IPSec mode doesn't let tcpdump or interface filters see the unencrypted network traffic as it goes through (both up and down) the TCP/IP stack. I'm trying to understand how this VPN client is implemented to see if it's possible to rewrite the unencrypted traffic.
My guess is that Apple's implementation of utun0 and the surrounding infrastructure intercepts the unencrypted traffic higher in the stack (e.g. socket filter), before it can get down to the interface filter hooks.
Hmm, well that sounds unintentional because normally tcpdump will let you see packets on most interfaces, just providing you are the superuser / have sudo privileges (e.g. sudo tcpdump -i eth0). So we can expect that if you have root access, then it should be allowed from a security standpoint. Unless there's something especially different security-wise about this particular Cisco driver.
Is the utun driver provided by Cisco or Apple/Darwin? Is it compatible with the open-source tun/tap driver? (i.e. perhaps interchange with a better driver?)
In terms of a problem with the Apple TCP/IP stack, well that sounds like a good reason to ask here. But don't forget WWDC is on this week. So the guys who really might want to help you are probably too busy right now.
But hey, Cisco - they don't have a conference on, so maybe they are also worth a shot? (That's a pretty uninformed suggestion, btw.)
:)
thanks, Brendan
On Wed, Jun 9, 2010 at 1:05 AM, Dreamcat Four <dreamcat4@gmail.com> wrote:
Hi Brendan,
About this specific VPN software: I was under the impression that each VPN client is responsible for creating its own tap and/or tun interface when it launches. In the case of pppd, it will create and manage its own pptp interface (ppp0).
$ netstat -rn
will give the routing tables. So you might grab that before starting any VPN clients, then comparing it to the routing table after the clients are started to see what changed.
My experience using multiple tun/tap based VPN clients has been a bad one. What I found was that each client tried to install its own tun/tap files to the same location (with incompatible version). And generally, having one VPN client installed broke the other one. And/or running multiple clients at the same time created a device conflict.
One thing you could answer for me, please, is what OS and version of SocialVPN you are running? It looks like Mac OS X. Which (again) I could not get working. It would really be a help to see someone confirm a working SocialVPN client on Mac.
Thanks
On Wed, Jun 9, 2010 at 2:06 AM, Brendan Creane <bcreane@gmail.com> wrote:
Hello All,
I have an interface filter that rewrites network traffic associated with physical as well as most virtual network interfaces (e.g. Cisco AnyConnect, OpenVPN's tun/tap, Juniper, etc.).
However for the utun0 network interface created by the Apple VPN client (in Cisco IPSec mode), no traffic is visible to my interface filter driver. The unencrypted traffic is also not visible to tcpdump, so there's something interesting going on in terms of how the Apple IPSec client is tunneling traffic to the remote end. The encrypted (ESP) traffic is visible on en[01], but obviously not the unencrypted traffic.
Interestingly the utun0 interface created by the Cisco AnyConnect client works fine -- my interface filter (and tcpdump) can see the unencrypted traffic associated with their version of utun0. The unencrypted traffic associated with Apple PPTP client is visible as well.
Does anyone have any insight into how the Apple VPN Cisco IPSec client routes unencrypted traffic, and is it possible to see that traffic before it's encrypted? I'm guessing there's a user-mode process or a socket filter that's grabbing the traffic before BPF/interface filters get a chance to inspect the traffic on utun0, but it would be helpful to understand how it's working.
thanks for your assistance, brendan creane
_______________________________________________
Do not post admin requests to the list. They will be ignored. Macnetworkprog mailing list (Macnetworkprog@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/macnetworkprog/dreamcat4%40gmail.com
This email sent to dreamcat4@gmail.com
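The routing-table comparison suggested in the thread (snapshot `netstat -rn` before and after the VPN client starts, then look at what changed), written out as an added example. This script is not code from the thread, from Apple or from Cisco; it assumes the BSD/macOS `netstat -rn` column layout (Destination, Gateway, ...) and runs on constructed sample snapshots so it works offline. Seeing whether a client installs ordinary routes through its tun/utun interface, or whether the default route moves to the tunnel while a host route to the concentrator stays on en0, is the first step in working out where in the stack the client is handling traffic.

```sh
#!/bin/sh
# Added example, not code from the thread or from Apple/Cisco. Takes two
# `netstat -rn` snapshots and reports which routes appeared or disappeared.
# Assumes BSD/macOS column layout (Destination, Gateway, ...). The snapshots
# below are constructed sample output so the script runs offline.
LC_ALL=C
export LC_ALL

# Reduce a `netstat -rn` dump (file given as $1) to sorted "destination gateway"
# lines. Drops the "Routing tables" banner, the one-word "Internet:" /
# "Internet6:" section headers, blank lines and the column header row.
normalize_routes() {
    awk 'NF >= 2 && $1 != "Routing" && $1 != "Destination" { print $1, $2 }' "$1" | sort -u
}

# Print "+ dest gw" for routes only in the after-snapshot ($2) and "- dest gw"
# for routes only in the before-snapshot ($1). comm needs sorted input, which
# normalize_routes provides.
diff_routes() {
    before_n=$(mktemp) || return 1
    after_n=$(mktemp) || return 1
    normalize_routes "$1" > "$before_n"
    normalize_routes "$2" > "$after_n"
    comm -13 "$before_n" "$after_n" | sed 's/^/+ /'
    comm -23 "$before_n" "$after_n" | sed 's/^/- /'
    rm -f "$before_n" "$after_n"
}

# Number of routes added plus removed between the two snapshots.
count_changes() {
    diff_routes "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: routing table before the VPN client starts.
SAMPLE_BEFORE=$(mktemp)
cat > "$SAMPLE_BEFORE" <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           12        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              1       23     lo0
192.168.1          link#4             UCS             2        0     en0
192.168.1.1        0:11:22:33:44:55   UHLWIir        13      120     en0
EOF

# Constructed sample: after the client is up, the default route points at the
# tunnel, the tunnel endpoint has a host route, and a host route to the VPN
# concentrator (203.0.113.5, a documentation address) keeps ESP going out en0.
SAMPLE_AFTER=$(mktemp)
cat > "$SAMPLE_AFTER" <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.8.0.1           UGSc           12        0   utun0
10.8.0.1           10.8.0.2           UH              0        0   utun0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              1       23     lo0
192.168.1          link#4             UCS             2        0     en0
192.168.1.1        0:11:22:33:44:55   UHLWIir        13      120     en0
203.0.113.5        192.168.1.1        UGHS            0        0     en0
EOF

# Real use: `netstat -rn > before.txt`, start the VPN, `netstat -rn > after.txt`,
# then `diff_routes before.txt after.txt`.
diff_routes "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
echo "routes changed: $(count_changes "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
```

On the constructed samples this reports the old default route as removed and three routes as added (the new default via the tunnel, the tunnel endpoint's host route, and the host route to the concentrator). A client whose traffic is intercepted by an IP or interface layer filter, as described in the reply above, can still leave exactly this kind of route through utun0 in place, which is why the routing table alone does not tell you whether BPF on that interface will see anything.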