[Openswan Users] bad tcpdump output of ipsec traffic

Paul Wouters paul at xelerance.com
Mon Oct 18 02:14:05 CEST 2004


On Mon, 18 Oct 2004, Vladimir Dvorak wrote:

> tcpdump -n -i ppp0:
> 1) 00:08:15.311865 IP 160.218.214.89 > a.b.c.d: ESP(spi=0xc7fb9fab,seq=0xb)
> 2) 00:08:16.227426 IP a.b.c.d > 160.218.214.89: ESP(spi=0x55b8f8aa,seq=0x6)
> 3) 00:08:16.227426 IP 10.0.0.20 > 192.168.10.132: icmp 64: echo reply seq 6
> 4) 00:08:16.311724 IP 160.218.214.89 > a.b.c.d: ESP(spi=0xc7fb9fab,seq=0xc)
> 5) 00:08:17.275456 IP a.b.c.d > 160.218.214.89: ESP(spi=0x55b8f8aa,seq=0x7)
> 6) 00:08:17.275456 IP 10.0.0.20 > 192.168.10.132: icmp 64: echo reply seq 7
> 7) 00:08:17.311578 IP 160.218.214.89 > a.b.c.d: ESP(spi=0xc7fb9fab,seq=0xd)
>
>
> How can I see line 3) and 6) ? These lines should be on ppp0 in encrypted

Welcome to the 2.6 native ipsec stack. It's normal. Use a router in the middle
to confirm that indeed those packets do not leave your box unencrypted.

Paul
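
Added example, not part of the original post or of Openswan: a small Python check that separates plaintext lines explained by local decryption from ones that are not. It assumes, as in the capture quoted above, that the decrypted copy carries the same timestamp as the inbound ESP packet it came from; `classify`, `SAMPLE` and the last sample line are constructed for illustration.

```python
import re

# One "tcpdump -n" IPv4 line: timestamp, source, destination, remainder.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>[^:\s]+): (?P<rest>.*)$"
)

# First four lines are taken from the capture in the post; the last is constructed.
SAMPLE = """\
00:08:15.311865 IP 160.218.214.89 > a.b.c.d: ESP(spi=0xc7fb9fab,seq=0xb)
00:08:16.227426 IP a.b.c.d > 160.218.214.89: ESP(spi=0x55b8f8aa,seq=0x6)
00:08:16.227426 IP 10.0.0.20 > 192.168.10.132: icmp 64: echo reply seq 6
00:08:16.311724 IP 160.218.214.89 > a.b.c.d: ESP(spi=0xc7fb9fab,seq=0xc)
00:08:16.900000 IP 192.168.10.132 > 10.0.0.20: icmp 64: echo request seq 99
""".splitlines()


def classify(lines, local_ip):
    """Return (timestamp, src, dst, verdict) for every non-ESP packet.

    verdict is "decrypted-copy" when an ESP packet addressed to local_ip
    has the same timestamp (assumption stated in the lead-in), otherwise
    "unexplained-plaintext", which is what to verify on the wire.
    """
    parsed = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # skip anything that is not an IPv4 packet line
            parsed.append(m.groupdict())

    # Timestamps of ESP packets arriving for this host.
    inbound_esp = {
        p["ts"] for p in parsed
        if p["rest"].startswith("ESP(") and p["dst"] == local_ip
    }

    results = []
    for p in parsed:
        if p["rest"].startswith("ESP("):
            continue
        verdict = ("decrypted-copy" if p["ts"] in inbound_esp
                   else "unexplained-plaintext")
        results.append((p["ts"], p["src"], p["dst"], verdict))
    return results


if __name__ == "__main__":
    for row in classify(SAMPLE, "160.218.214.89"):
        print(*row)
```

Anything reported as `unexplained-plaintext` is a candidate for the on-the-wire check from a router in the middle; the script itself only reads what the local capture shows.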

