[Openswan Users] debugging - need to decrypt packet

jacp1 at cam.ac.uk
Thu Jul 14 15:16:02 CEST 2005


I'm using openswan 1.0.9 (as part of IPcop 1.4.6).  I'm trying to debug an
issue with this firewall and the Equinux VPN tracker (a VPN client) on
Macintosh and it would be very useful if I could look at the contents of
the ESP packets.

The two obvious approaches would seem to be: connect with null encryption
in phase2 - or decrypt tcpdumped packets myself.

I've tried setting null encryption in ipsec.conf by setting

esp=null-sha1,null-md5

and then setting VPNtracker to 'no encryption' for phase 2 but Openswan
seems to be refusing this request (no proposal chosen). Is there a global
switch I need to set to allow null encryption? I've seen references to
kernel parameters for this but can't find any info.

So far as the second approach goes - I would need to know the session key
(and presumably initialisation vector) and I don't know how to get this -
can they be got from running klips (or pluto?) in debugging mode and if
so, where in the output would it be (I can't see anything obvious to me).

Justin
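
For reference on what a tcpdumped ESP packet contains (an added example, not part of the original post): under RFC 2406 the packet is SPI, sequence number, payload and a 96-bit ICV; with NULL encryption (RFC 2410) the payload is cleartext plus the ESP trailer, while CBC ciphers carry their IV in the clear at the front of the payload. The function names, key and sample packet below are constructed for illustration and use only the Python standard library.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96 and HMAC-MD5-96 both truncate the MAC to 96 bits

def split_esp(esp: bytes, iv_len: int):
    """Split a raw ESP packet into (spi, seq, iv, body, icv).
    iv_len: 0 for NULL encryption, 8 for DES/3DES-CBC, 16 for AES-CBC."""
    if len(esp) < 8 + iv_len + ICV_LEN:
        raise ValueError("too short to be ESP with this transform")
    spi, seq = struct.unpack("!II", esp[:8])
    return spi, seq, esp[8:8 + iv_len], esp[8 + iv_len:-ICV_LEN], esp[-ICV_LEN:]

def icv_ok(esp: bytes, auth_key: bytes, digest=hashlib.sha1) -> bool:
    """The ICV covers everything from the SPI to the end of the payload."""
    mac = hmac.new(auth_key, esp[:-ICV_LEN], digest).digest()[:ICV_LEN]
    return hmac.compare_digest(mac, esp[-ICV_LEN:])

def strip_trailer(plain: bytes):
    """Drop the ESP trailer (padding, pad length, next header) from cleartext."""
    if len(plain) < 2 or plain[-2] > len(plain) - 2:
        raise ValueError("bad ESP trailer (wrong key or transform?)")
    pad_len, next_hdr = plain[-2], plain[-1]
    return plain[:len(plain) - 2 - pad_len], next_hdr

def build_null_esp(spi, seq, inner, next_hdr, auth_key):
    """Construct a sample ESP-NULL + HMAC-SHA1-96 packet (test data only)."""
    pad_len = -(len(inner) + 2) % 4          # trailer must end on a 4-byte boundary
    pad = bytes(range(1, pad_len + 1))       # default padding bytes 1, 2, 3, ...
    signed = struct.pack("!II", spi, seq) + inner + pad + bytes([pad_len, next_hdr])
    return signed + hmac.new(auth_key, signed, hashlib.sha1).digest()[:ICV_LEN]

if __name__ == "__main__":
    key = bytes(range(20))                   # constructed 160-bit auth key
    pkt = build_null_esp(0x1000, 1, b"hello", 4, key)   # constructed packet
    spi, seq, iv, body, icv = split_esp(pkt, iv_len=0)
    print(hex(spi), seq, icv_ok(pkt, key), strip_trailer(body))
```
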