IPsec flows

Peter Van Epp vanepp at sfu.ca
Wed Mar 12 11:25:30 EST 2003 

	The likely answer is indeed that the SPIs in and out are different 
(they are on our VPN) and thus argus treats them as different flows each way.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Wed, Mar 12, 2003 at 05:02:17PM +0100, Ciaran Deignan wrote:
> 
> Hi All,
> 
> This is a beginner question (I hope).
> My company does a lot of IPsec, so correctly handling
> IPsec "flows" would be important. Our IPsec uses protocol
> 50 (ESP) and UDP port 500 (IKE).
> 
> I just installed argus and ran it. I'm not yet familair with
> the display format, I'm still digesting the man pages.
> 
> I set the ARGUS_FLOW_STATUS_INTERVAL to 360. An fragment
> of output from 'ra -r argus.out - esp' is in attachement...
> 
> The direction symbol is always "->". Does this mean that
> Argus cannot or does not group incomming and outgoing
> IPsec traffic together? Is Argus being super-intelligent,
> selecting the flows by their SPI number? Or does it just
> not like assembling flows it doesn't see very often?
> 
> Is it normal that the flows duration is always less than 360?
> I'm not sure what my gateway was doing, but I'm pretty sure
> the IPsec tunnel isn't being renegociated every 6 minutes (its
> every 20 minutes, in theory)...
> 
> Thanks for any information,
> Ciaran
> 
> -- 
> +---------------------------------------------------------+
> Ciaran Deignan                              04 38 49 87 27
> 
> Netcelo SA - IPsec VPN Solutions    http://www.netcelo.com/
> 18-20 rue Henri Barbusse - BP 2501, 38035 Grenoble Cedex 2
> +---------------------------------------------------------+
> # ra -c -r /var/log/argus/argus.out - esp
>        Start_Time             Duration     Flgs  Type     SrcAddr    Sport  Dir       DstAddr    Dport  SrcPkt   Dstpkt    SrcBytes     DstBytes   State
> 03-03-12 13:49:37.746557        0.000000          esp  212.234.86.109        ->    213.30.141.251       1        0         678          0           TIM
> 03-03-12 13:50:00.899407      330.722199          esp  213.30.141.251        ->    212.234.86.109       66       0         10748        0           INT
> 03-03-12 13:50:00.969992      330.748050          esp  212.234.86.109        ->    213.30.141.251       73       0         15574        0           INT
> 03-03-12 13:59:02.478096      359.548425          esp  213.30.141.251        ->    212.234.86.109       123      0         20874        0           INT
> 03-03-12 13:59:02.540320      359.564713          esp  212.234.86.109        ->    213.30.141.251       130      0         25820        0           INT
> 03-03-12 14:05:02.668956      330.256058          esp  213.30.141.251        ->    212.234.86.109       64       0         10336        0           INT
> 03-03-12 14:05:02.745808      330.275202          esp  212.234.86.109        ->    213.30.141.251       71       0         15130        0           INT
> 03-03-12 14:19:41.728920        0.000000          esp  212.234.86.109        ->    213.30.141.251       1        0         686          0           TIM
> 03-03-12 14:15:00.804020       34.241331          esp  213.30.141.251        ->    212.234.86.109       33       0         5374         0           TIM
> 03-03-12 14:14:38.853547       56.289186          esp  212.234.86.109        ->    213.30.141.251       37       0         8126         0           TIM
> 03-03-12 14:20:00.751249      335.957877          esp  213.30.141.251        ->    212.234.86.109       66       0         10748        0           INT

More information about the argus mailing list