[Openswan Users] Seeing the ipsec traffic in clear

Paul Wouters paul at xelerance.com
Tue Sep 15 08:54:34 EDT 2009


On Tue, 15 Sep 2009, Ricky Maiser wrote:

> Now something strange happens:
>
> When I capture the network traffic on Host A's eth0 I can see the encrypted
> ESP packets but also the cleartext packets sent from Host B.
>
> I do not see the cleartext packets sent from Host A. I only
> see the encrypted ESP packets from Host A.

You're not strange. The Linux people who designed that were strange. It's
normal behaviour with NETKEY.

> I would like to capture the cleartext packets on Host A that
> are sent out before they are encrypted with ipsec.
>
> What tricks can I use?

One trick that sometimes works is to create an old-style ip alias and
run tcpdump there. So if eth0 is your outgoing interface, try:

ifconfig eth0:1 1.2.3.4
tcpdump -i eth0:1 -n

It's total voodoo. But not our voodoo.

Paul
