Re: AppleVPN / Cisco IPSec traffic not visible via virtual network interface (utun0)
- Subject: Re: AppleVPN / Cisco IPSec traffic not visible via virtual network interface (utun0)
- From: Josh Graessley <email@hidden>
- Date: Wed, 09 Jun 2010 10:00:11 -0700
Even if utun supports BPF, some VPNs may set up a virtual interface that is just used for routing. These VPNs are implemented as IP or interface layer filters that intercept packets before they make it to the interface.
-josh
On Jun 9, 2010, at 9:50 AM, Dreamcat Four wrote:
> On Wed, Jun 9, 2010 at 5:22 PM, Brendan Creane <email@hidden> wrote:
>> The issue in a nutshell is that unlike most other VPN clients, Apple
>> VPN in Cisco IPSec mode doesn't let tcpdump or interface filters see
>> the unencrypted network traffic as it goes through (both up and down)
>> the TCP/IP stack. I'm trying to understand how this VPN client is
>> implemented to see if it's possible to rewrite the unencrypted
>> traffic.
>>
>> My guess is that Apple's implementation of utun0 and the surrounding
>> infrastructure intercepts the unencrypted traffic higher in the stack
>> (e.g. socket filter), before it can get down to the interface filter
>> hooks.
>
> Hmm,
> Well that sounds unintentional b/c normally tcpdump will let you see
> packets on most interfaces. But just providing you are the superuser /
> have sudo privileges (eg sudo tcpdump -i eth0). So we can expect that if
> you have root access, then it should be allowed from a security
> standpoint. Unless there's something especially different security-wise
> about this particular Cisco driver.
>
> Is the utun driver provided by Cisco or Apple/Darwin? Is it compatible
> with the open-source tun/tap driver? (ie perhaps interchange with a
> better driver?)
>
> In terms of a problem with the Apple TCP/IP stack, well that sounds
> like a good reason to ask here. But don't forget WWDC is on this week.
> So the guys who really might want to help you are probably too busy
> right now.
>
> But hey, Cisco - they don't have a conference on so maybe they are
> also worth a shot? (That's a pretty un-informed suggestion, btw).
>
> :)
>
>> thanks, Brendan
>>
>> On Wed, Jun 9, 2010 at 1:05 AM, Dreamcat Four <email@hidden> wrote:
>>> Hi Brendan,
>>>
>>> About this specific VPN software. I was under the impression that
>>> each VPN client is responsible for creating its own tap and/or tun
>>> interface when it launches. In the case of pppd, it will create and
>>> manage its own ptpp interface (ppp0).
>>>
>>> $ netstat -rn
>>>
>>> will give the routing tables. So you might grab that before starting
>>> any VPN clients, then comparing it to the routing table after the
>>> clients are started to see what changed.
>>>
>>> My experience using multiple tun/tap based VPN clients has been a bad
>>> one. What I found was that each client tried to install its own
>>> tun/tap files to the same location (with incompatible version). And
>>> generally, having one VPN client installed broke the other one. And/or
>>> running multiple clients at the same time created a device conflict.
>>>
>>> One thing you could answer for me please is what OS and version of
>>> SocialVPN you are running? It looks like Mac OS X. Which (again) I
>>> could not get working. It would really be a help to see someone
>>> confirm a working SocialVPN client on Mac.
>>>
>>> Thanks
>>>
>>> On Wed, Jun 9, 2010 at 2:06 AM, Brendan Creane <email@hidden> wrote:
>>>> Hello All,
>>>>
>>>> I have an interface filter that rewrites network traffic associated
>>>> with physical as well as most virtual network interfaces (e.g. Cisco
>>>> AnyConnect, OpenVPN's tun/tap, Juniper, etc.).
>>>>
>>>> However for the utun0 network interface created by the Apple VPN
>>>> client (in Cisco IPSec mode), no traffic is visible to my interface
>>>> filter driver. The unencrypted traffic is also not visible to tcpdump,
>>>> so there's something interesting going on in terms of how the Apple
>>>> IPSec client is tunneling traffic to the remote end. The encrypted
>>>> (ESP) traffic is visible on en[01], but obviously not the unencrypted
>>>> traffic.
>>>>
>>>> Interestingly the utun0 interface created by the Cisco AnyConnect
>>>> client works fine -- my interface filter (and tcpdump) can see the
>>>> unencrypted traffic associated with their version of utun0. The
>>>> unencrypted traffic associated with Apple PPTP client is visible as
>>>> well.
>>>>
>>>> Does anyone have any insight into how the Apple VPN Cisco IPSec client
>>>> routes unencrypted traffic, and is it possible to see that traffic
>>>> before it's encrypted? I'm guessing there's a user-mode process or a
>>>> socket filter that's grabbing the traffic before BPF/interface filters
>>>> get a chance to inspect the traffic on utun0, but it would be helpful
>>>> to understand how it's working.
>>>>
>>>> thanks for your assistance,
>>>> brendan creane
>>>> _______________________________________________
>>>> Do not post admin requests to the list. They will be ignored.
>>>> Macnetworkprog mailing list (email@hidden)
>>>> Help/Unsubscribe/Update your Subscription:
>>>>
>>>> This email sent to email@hidden
>>>>
>>>
>>
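The routing-table comparison suggested earlier in the thread (snapshot netstat -rn before and after the VPN client starts, then diff), written out as an added example. This is not code from any of the posters or from Apple or Cisco. It assumes the Mac OS X netstat -rn column layout (Destination Gateway Flags Refs Use Netif Expire); the two snapshots embedded below are constructed sample text, not real captures, and the 10.8.0.x / 203.0.113.5 addresses in them are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): diff the routing table around a
# VPN client start-up. Byte-order sorting so that sort(1) and comm(1)
# agree regardless of locale.
LC_ALL=C
export LC_ALL

# Reduce "netstat -rn" output to "destination gateway netif" so that the
# Refs/Use counters and the Expire column do not produce noise. Assumed
# column layout: Destination Gateway Flags Refs Use Netif Expire.
normalize_routes() {
    printf '%s\n' "$1" |
    awk 'NF >= 6 && $1 != "Destination" { print $1, $2, $6 }' |
    sort
}

# Routes present in the second snapshot but not the first.
routes_added() {
    before=$(mktemp); after=$(mktemp)
    normalize_routes "$1" > "$before"
    normalize_routes "$2" > "$after"
    comm -13 "$before" "$after"
    rm -f "$before" "$after"
}

# Routes present in the first snapshot but not the second.
routes_removed() {
    before=$(mktemp); after=$(mktemp)
    normalize_routes "$1" > "$before"
    normalize_routes "$2" > "$after"
    comm -23 "$before" "$after"
    rm -f "$before" "$after"
}

# Interfaces that gained routes: the candidates to watch with
# "sudo tcpdump -ni <netif>". A utun that carries routes but shows no
# packets is consistent with a filter-based VPN that intercepts traffic
# above the interface, as described in the reply at the top.
new_route_interfaces() {
    routes_added "$1" "$2" | awk '{ print $3 }' | sort -u
}

# Constructed sample snapshots in "netstat -rn" layout (not real captures).
# On a live system use:  BEFORE=$(netstat -rn); <start VPN>; AFTER=$(netstat -rn)
BEFORE=$(cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           12        0     en0
127                127.0.0.1          UCS             0        0     lo0
192.168.1          link#4             UCS             2        0     en0
EOF
)

AFTER=$(cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.8.0.1           UGSc            5        0   utun0
10.8.0.1           10.8.0.5           UH              1        0   utun0
127                127.0.0.1          UCS             0        0     lo0
192.168.1          link#4             UCS             2        0     en0
203.0.113.5        192.168.1.1        UGHS            1        0     en0
EOF
)

echo "added:";   routes_added "$BEFORE" "$AFTER"
echo "removed:"; routes_removed "$BEFORE" "$AFTER"
echo "watch:";   new_route_interfaces "$BEFORE" "$AFTER"
```

In the sample data the default route moves from en0 to utun0 and a host route to the VPN gateway (203.0.113.5) is pinned to en0, which is the pattern to expect from a full-tunnel client: the ESP traffic to the gateway stays on the physical interface, everything else is routed at the virtual one. Whether the virtual interface then actually carries the cleartext (visible to tcpdump and interface filters) or is only a routing placeholder is exactly the distinction Josh draws above, and it has to be checked with tcpdump on each interface that gained routes.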