[Openswan Users] Seeing the ipsec traffic in clear

Paul Wouters paul at xelerance.com
Tue Sep 15 08:54:34 EDT 2009

On Tue, 15 Sep 2009, Ricky Maiser wrote:

> Now something strange happens:
> When I capture the network traffic on Host A's eth0 I can see the encrypted
> ESP packets but also the cleartext packets sent from Host B.
> I do not see the cleartext packets sent from Host A. I only
> see the encrypted ESP packets from Host A.

You're not strange. The Linux people who designed that were strange. It's
normal behaviour with NETKEY.

> I would like to capture the cleartext packets on Host A that
> are sent out before they are encrypted with ipsec.
> What tricks can I use?

One trick that sometimes works is to create an old-style ip alias and
run tcpdump there. So if eth0 is your outgoing interface, try:

ifconfig eth0:1 <ip-address>
tcpdump -i eth0:1 -n

It's total voodoo. But not our voodoo.
