Analyzing traffic over the IPSEC Interface

  • I have two offices connected together over an IPSEC tunnel.

    Site A - pfSense embedded 1.2.2 > ALIX Board with HiFN Crypto > PPPOE DSL Modem (7Mbit Down 512k Up).

    Site B - pfsense embedded 1.2 > ALIX Board with HiFN Crypto > Half Bridge DSL Modem (4Mbit Down 512k Up).

    I am having an issue with a lot of traffic being sent from Site A to Site B, efectivley flooding the 512k up at site A, causing network slowdown for other services such as remote TS logins over the wan to the TS server at site A.

    Is there an easy way to analyze traffic over the IPSEC interface, or even analise all traffic over the LAN interface on the pfSense box? Can I do something like export sflow data to an analysis server at Site A where I could run reports and identify the source and destination IP addresses and the amount of data being sent?

    Any help or pointers would be appreciated.

  • You can listen on enc0 with tcpdump instead of the physical interface; all encrypted traffic will pass through this virtual interface before the crypto is applied.

    pfSense seems to default to masking all of it via sysctl tunables however, so read enc(4) in the manual and adjust the tunables as necessary to see the traffic. The example below should show you what you want to see:

    sysctl -e net.enc.out.ipsec_bpf_mask=0x1
    sysctl -e net.enc.out.ipsec_filter_mask=0x1
    sysctl -e
    sysctl -e