[Openswan Users] bad tcpdump output of ipsec traffic
Vladimir Dvorak
dvorakv at vdsoft.org
Mon Oct 18 01:26:52 CEST 2004
Hi everybody!
I am not sure this is the right place to ask.
Problem description: I am confused by the tcpdump output when sniffing
ESP-encrypted traffic on ppp0.
192.168.10.132/32 ... 160.218.214.89 <--------------> a.b.c.d.e .....
10.0.0.0/24
When I ping 10.0.0.20 (some host in other network), I get
tcpdump -n -i ppp0:
1) 00:08:15.311865 IP 160.218.214.89 > a.b.c.d: ESP(spi=0xc7fb9fab,seq=0xb)
2) 00:08:16.227426 IP a.b.c.d > 160.218.214.89: ESP(spi=0x55b8f8aa,seq=0x6)
3) 00:08:16.227426 IP 10.0.0.20 > 192.168.10.132: icmp 64: echo reply seq 6
4) 00:08:16.311724 IP 160.218.214.89 > a.b.c.d: ESP(spi=0xc7fb9fab,seq=0xc)
5) 00:08:17.275456 IP a.b.c.d > 160.218.214.89: ESP(spi=0x55b8f8aa,seq=0x7)
6) 00:08:17.275456 IP 10.0.0.20 > 192.168.10.132: icmp 64: echo reply seq 7
7) 00:08:17.311578 IP 160.218.214.89 > a.b.c.d: ESP(spi=0xc7fb9fab,seq=0xd)
How can I see lines 3) and 6)? These lines should be on ppp0 in
encrypted form with the ESP protocol, shouldn't they? And what is more, these IP
addresses are not routed on the Internet and should be encapsulated as well. I
guess it is a libpcap or tcpdump problem.
ipsec.conf on both gateways is the same:
- - - - CUT- - - -
conn laptop-network
left=a.b.c.d
leftsubnet=10.0.0.0/24
leftcert=/etc/ipsec.d/certs/aron.pem
right=%defaultroute
rightsubnet=192.168.10.132/32
rightcert=/etc/ipsec.d/certs/laptop.pem
auto=add
- - - - CUT - - - - -
And the IPsec kernel stack:
laptop:/home/dvorakv# setkey -c
spddump;
10.0.0.0/24[any] 192.168.10.132[any] any
in ipsec
esp/tunnel/a.b.c.d.e-160.218.214.89/unique#16389
created: Oct 18 00:04:17 2004 lastused: Oct 18 00:20:09 2004
lifetime: 0(s) validtime: 0(s)
spid=168 seq=12 pid=5015
refcnt=2
192.168.10.132[any] 10.0.0.0/24[any] any
out ipsec
esp/tunnel/160.218.214.89-a.b.c.d/unique#16389
created: Oct 18 00:04:17 2004 lastused: Oct 18 00:20:09 2004
lifetime: 0(s) validtime: 0(s)
spid=185 seq=11 pid=5015
refcnt=2
10.0.0.0/24[any] 192.168.10.132[any] any
fwd ipsec
esp/tunnel/a.b.c.d-160.218.214.89/unique#16389
created: Oct 18 00:04:17 2004 lastused:
lifetime: 0(s) validtime: 0(s)
spid=178 seq=10 pid=5015
refcnt=1
I use Debian unstable with:
kernel 2.6.8-1-686
tcpdump 3.8.3-3
openswan 2.2.0-4
Thank you for having a look.
Vladimir
--
* VDSOFT.ORG dvorakv at vdsoft.org *
* (+420) 602 944 941 http://www.vdsoft.org *
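An added check over tcpdump lines of the shape quoted in the post (my own example, not code from the thread or from Openswan): a cleartext packet that shares its timestamp with an ESP packet addressed to the local gateway is treated as the kernel's decrypted copy of that inbound packet, whereas a cleartext packet with no such ESP twin reached the interface unprotected. The local gateway address, the 198.51.100.1 stand-in for a.b.c.d and the appended leak line are constructed.

```python
import re

# Constructed sample modelled on the tcpdump -n -i ppp0 lines quoted in the post;
# the post's a.b.c.d placeholder is replaced by the documentation address
# 198.51.100.1, and one cleartext line with no ESP twin is appended to show a
# genuine leak that the check should flag.
CAPTURE = """\
00:08:15.311865 IP 160.218.214.89 > 198.51.100.1: ESP(spi=0xc7fb9fab,seq=0xb)
00:08:16.227426 IP 198.51.100.1 > 160.218.214.89: ESP(spi=0x55b8f8aa,seq=0x6)
00:08:16.227426 IP 10.0.0.20 > 192.168.10.132: icmp 64: echo reply seq 6
00:08:16.311724 IP 160.218.214.89 > 198.51.100.1: ESP(spi=0xc7fb9fab,seq=0xc)
00:08:17.275456 IP 198.51.100.1 > 160.218.214.89: ESP(spi=0x55b8f8aa,seq=0x7)
00:08:17.275456 IP 10.0.0.20 > 192.168.10.132: icmp 64: echo reply seq 7
00:08:17.311578 IP 160.218.214.89 > 198.51.100.1: ESP(spi=0xc7fb9fab,seq=0xd)
00:08:18.100000 IP 192.168.10.132 > 10.0.0.20: icmp 64: echo request seq 8
"""

# tcpdump -n line: "<timestamp> IP <src> > <dst>: <payload description>"
LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")


def parse(capture):
    """Split tcpdump lines into (timestamp, src, dst, is_esp) tuples."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, payload = m.groups()
            pkts.append((ts, src, dst, payload.startswith("ESP(")))
    return pkts


def classify_cleartext(capture, local_gw):
    """For every non-ESP packet, decide whether it is the decrypted copy of an
    inbound ESP packet (same timestamp, ESP addressed to local_gw) or cleartext
    that crossed the interface on its own."""
    pkts = parse(capture)
    inbound_esp_ts = {ts for ts, _src, dst, esp in pkts if esp and dst == local_gw}
    verdicts = []
    for ts, src, dst, esp in pkts:
        if esp:
            continue
        kind = "decrypted-inbound" if ts in inbound_esp_ts else "unprotected"
        verdicts.append((f"{src} > {dst}", kind))
    return verdicts


if __name__ == "__main__":
    # The laptop's own address (right=%defaultroute in the post) is the local gateway.
    for flow, kind in classify_cleartext(CAPTURE, "160.218.214.89"):
        print(f"{flow:32} {kind}")
```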