[Openswan Users] seeing a mix of TCP and ESP traffic. openswan to openswan
paul at xelerance.com
Wed Jul 14 14:44:24 EDT 2010
On Wed, 14 Jul 2010, Ryan McLeod wrote:
> I've got two Ubuntu VMs testing openswan to openswan in a site-to-site configuration, with a host on each side.
> Host 1 ------------------ Openswan1==tunnel==Openswan2-----------------Host2
> 192.168.1.5 x.x1.1 126.96.36.199 188.8.131.52 10.10.10.1 10.10.10.2
> When I send data via netcat from Host2 to Host1, I'm sniffing with wireshark on 184.108.40.206 on the openswan1 machine. And what I'll see is an ESP
> packet for 220.127.116.11 to 18.104.22.168 then two TCP packets that are 10.10.10.2 to 192.168.1.5. It's not in a one-by-one manner. There will often be
> two TCP then one ESP packet in the stream.
> Is this behaviour normal? I would expect all the traffic to be seen as encrypted ESP data.
With NETKEY, you will see with tcpdump:
- outgoing unencrypted packets
- incoming encrypted packets
- incoming decrypted packets
You will not see outgoing encrypted packets.
I don't understand your 2-1 mapping, unless you are counting the
incoming encrypted + decrypted as 2 packets instead of 1.