Re: AppleVPN / Cisco IPSec traffic not visible via virtual network interface (utun0)
Re: AppleVPN / Cisco IPSec traffic not visible via virtual network interface (utun0)
- Subject: Re: AppleVPN / Cisco IPSec traffic not visible via virtual network interface (utun0)
- From: Dreamcat Four <email@hidden>
- Date: Wed, 9 Jun 2010 17:50:40 +0100
On Wed, Jun 9, 2010 at 5:22 PM, Brendan Creane <email@hidden> wrote:
> The issue in a nutshell is that unlike most other VPN clients, Apple
> VPN in Cisco IPSec mode doesn't let tcpdump or interface filters see
> the unencrypted network traffic as it goes through (both up and down)
> the TCP/IP stack. I'm trying to understand how this VPN client is
> implemented to see if it's possible to rewrite the unencrypted
> traffic.
>
> My guess is that Apple's implementation of utun0 and the surrounding
> infrastructure intercepts the unencrypted traffic higher in the stack
> (e.g. socket filter), before it can get down to the interface filter
> hooks.
Hmm,
Well that sounds unintentional b/c normally tcpdump will let you see
packets on most interface. But just providing you are the superuser /
sudo privelidges (eg sudo tcpdump -i eth0). So we can expect that if
you have root access, then it should be allowed from a security
standpoint. Unless theres something especially different security-wise
about this particular Cisco driver.
is the utun driver provided by cisco or apple/darwin? Is it compatible
with the opensource tun/tap driver? (ie perhaps interchange with a
better driver?)
In terms of a problem with the Apple tcp/ip stack, well that sounds
like a good reason to ask here. But dont forget WWDC is on this week.
So the guys who really might want to help you are probably too busy
right now.
But hey, Cisco - they dont have a conference on so maybe they are
also worth a shot? (Thats a pretty un-informed suggestion, btw).
:)
> thanks, Brendan
>
> On Wed, Jun 9, 2010 at 1:05 AM, Dreamcat Four <email@hidden> wrote:
>> Hi Brendan,
>>
>> About these specific VPN software. I was under the impression that
>> each VPN client is responsible to create its own tap and/or tun
>> interface when it launches. In the case of pppd, it will create and
>> manage its own ptpp interface (ppp0).
>>
>> $ netstat -rn
>>
>> will give the routing tables. So you might grab that before starting
>> any VPN clients, then comparing it to the routing table after the
>> clients are started to see what changed.
>>
>> My experience using multiple tun/tap based VPN clients has been a bad
>> one. What I found was that each client tried to install its own
>> tun/tap files to the same location (with incompatible version). And
>> generally, having one VPN client installed broke the other one. And/or
>> running multiple clients at the same time created a device conflict.
>>
>> One thing you could answer for me please is what os and version of
>> social vpn you are running? It looks like mac os-x. Which (again) I
>> could not get working. It would really be a help to see someone
>> confirm a working SocialVPN client on Mac.
>>
>> Thanks
>>
>> On Wed, Jun 9, 2010 at 2:06 AM, Brendan Creane <email@hidden> wrote:
>>> Hello All,
>>>
>>> I have an interface filter that rewrites network traffic associated
>>> with physical as well as most virtual network interfaces (e.g. Cisco
>>> AnyConnect, OpenVPN's tun/tap, Juniper, etc.).
>>>
>>> However for the utun0 network interface created by the Apple VPN
>>> client (in Cisco IPSec mode), no traffic is visible to my interface
>>> filter driver. The unencrypted traffic is also not visible to tcpdump,
>>> so there's something interesting going on in terms of how the Apple
>>> IPSec client is tunneling traffic to the remote end. The encrypted
>>> (ESP) traffic is visible on en[01], but obviously not the unencrypted
>>> traffic.
>>>
>>> Interestingly the utun0 interface created by the Cisco AnyConnect
>>> client works fine -- my interface filter (and tcpdump) can see the
>>> unencrypted traffic associated with their version of utun0. The
>>> unencrypted traffic associated with Apple PPTP client is visible as
>>> well.
>>>
>>> Does anyone have any insight into how the Apple VPN Cisco IPSec client
>>> routes unencrypted traffic, and is it possible to see that traffic
>>> before it's encrypted? I'm guessing there's a user-mode process or a
>>> socket filter that's grabbing the traffic before BPF/interface filters
>>> get a chance to inspect the traffic on utun0, but it would be helpful
>>> to understand how it's working.
>>>
>>> thanks for your assistance,
>>> brendan creane
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Macnetworkprog mailing list (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>> This email sent to email@hidden
>>>
>>
>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden