[Openswan Users] seeing a mix of TCP and ESP traffic. openswan to openswan

Paul Wouters paul at xelerance.com
Wed Jul 14 14:44:24 EDT 2010

On Wed, 14 Jul 2010, Ryan McLeod wrote:

> I've got two Ubuntu VMs testing openswan to openswan in a site to site configuration, with a host on each side.
> Host 1 ------------------ Openswan1==tunnel==Openswan2-----------------Host2
>      x.x1.1
> When I send data via netcat from Host2 to Host1, I'm sniffing with Wireshark on the openswan1 machine. And what I'll see is an ESP
> packet for to then two TCP packet that are to It's not in a 1 by one manner. There will often be
> two TCP then one ESP packets in the stream.
> Is this behaviour normal? I would expect all the traffic to be seen as encrypted ESP data.

With NETKEY, you will see with tcpdump:
- outgoing unencrypted packets
- incoming encrypted packets
- incoming decrypted packets

You will not see outgoing encrypted packets.

I don't understand your 2-1 mapping, unless you are counting the
incoming encrypted + decrypted as 2 packets instead of 1.

