AppleVPN / Cisco IPSec traffic not visible via virtual network interface (utun0)
- Subject: AppleVPN / Cisco IPSec traffic not visible via virtual network interface (utun0)
- From: Brendan Creane <email@hidden>
- Date: Tue, 8 Jun 2010 18:06:33 -0700
Hello All,

I have an interface filter that rewrites network traffic associated
with physical as well as most virtual network interfaces (e.g. Cisco
AnyConnect, OpenVPN's tun/tap, Juniper, etc.).

However, for the utun0 network interface created by the Apple VPN
client (in Cisco IPSec mode), no traffic is visible to my interface
filter driver. The unencrypted traffic is also not visible to tcpdump,
so there's something interesting going on in terms of how the Apple
IPSec client is tunneling traffic to the remote end. The encrypted
(ESP) traffic is visible on en[01], but obviously not the unencrypted
traffic.

Interestingly, the utun0 interface created by the Cisco AnyConnect
client works fine -- my interface filter (and tcpdump) can see the
unencrypted traffic associated with their version of utun0. The
unencrypted traffic associated with the Apple PPTP client is visible as
well.

Does anyone have any insight into how the Apple VPN Cisco IPSec client
routes unencrypted traffic, and is it possible to see that traffic
before it's encrypted? I'm guessing there's a user-mode process or a
socket filter that's grabbing the traffic before BPF/interface filters
get a chance to inspect the traffic on utun0, but it would be helpful
to understand how it's working.

Thanks for your assistance,
Brendan Creane
Macnetworkprog mailing list (email@hidden)