IPsec flows

Ciaran Deignan ciaran.deignan at netcelo.com
Wed Mar 12 11:02:17 EST 2003 

Hi All,

This is a beginner question (I hope).
My company does a lot of IPsec, so correctly handling
IPsec "flows" would be important. Our IPsec uses protocol
50 (ESP) and UDP port 500 (IKE).

I just installed argus and ran it. I'm not yet familair with
the display format, I'm still digesting the man pages.

I set the ARGUS_FLOW_STATUS_INTERVAL to 360. An fragment
of output from 'ra -r argus.out - esp' is in attachement...

The direction symbol is always "->". Does this mean that
Argus cannot or does not group incomming and outgoing
IPsec traffic together? Is Argus being super-intelligent,
selecting the flows by their SPI number? Or does it just
not like assembling flows it doesn't see very often?

Is it normal that the flows duration is always less than 360?
I'm not sure what my gateway was doing, but I'm pretty sure
the IPsec tunnel isn't being renegociated every 6 minutes (its
every 20 minutes, in theory)...

Thanks for any information,
Ciaran

-- 
+---------------------------------------------------------+
Ciaran Deignan                              04 38 49 87 27

Netcelo SA - IPsec VPN Solutions    http://www.netcelo.com/
18-20 rue Henri Barbusse - BP 2501, 38035 Grenoble Cedex 2
+---------------------------------------------------------+
-------------- next part --------------
# ra -c -r /var/log/argus/argus.out - esp
       Start_Time             Duration     Flgs  Type     SrcAddr    Sport  Dir       DstAddr    Dport  SrcPkt   Dstpkt    SrcBytes     DstBytes   State
03-03-12 13:49:37.746557        0.000000          esp  212.234.86.109        ->    213.30.141.251       1        0         678          0           TIM
03-03-12 13:50:00.899407      330.722199          esp  213.30.141.251        ->    212.234.86.109       66       0         10748        0           INT
03-03-12 13:50:00.969992      330.748050          esp  212.234.86.109        ->    213.30.141.251       73       0         15574        0           INT
03-03-12 13:59:02.478096      359.548425          esp  213.30.141.251        ->    212.234.86.109       123      0         20874        0           INT
03-03-12 13:59:02.540320      359.564713          esp  212.234.86.109        ->    213.30.141.251       130      0         25820        0           INT
03-03-12 14:05:02.668956      330.256058          esp  213.30.141.251        ->    212.234.86.109       64       0         10336        0           INT
03-03-12 14:05:02.745808      330.275202          esp  212.234.86.109        ->    213.30.141.251       71       0         15130        0           INT
03-03-12 14:19:41.728920        0.000000          esp  212.234.86.109        ->    213.30.141.251       1        0         686          0           TIM
03-03-12 14:15:00.804020       34.241331          esp  213.30.141.251        ->    212.234.86.109       33       0         5374         0           TIM
03-03-12 14:14:38.853547       56.289186          esp  212.234.86.109        ->    213.30.141.251       37       0         8126         0           TIM
03-03-12 14:20:00.751249      335.957877          esp  213.30.141.251        ->    212.234.86.109       66       0         10748        0           INT

More information about the argus mailing list