[Openswan Users] Decrypt ESP packets with wireshark for tunnel mode (Openswan)

Michael Richardson mcr at sandelman.ca
Tue Nov 16 20:51:03 EST 2010


>>>>> "Kevin" == Kevin Wilson <wkevils at gmail.com> writes:
    Kevin> Hi,
    Kevin> I want to verify one point - and it could be that I am wrong at it:
    Kevin> tcpdump -E will **not** decrypt ESP when using netkey (built-in kernel
    Kevin> IPsec). This will work only with klips.

tcpdump -E, with the right keys, will decrypt any ESP packet that
tcpdump can capture.  You could be sniffing traffic from the network
between a Cisco VPN3K and a windows7 machine... if you have the keys,
you can decrypt.

    Kevin> Am I right about it?

The major difference between netkey and KLIPS is that KLIPS gives you
very clear capture points:
     "eth1" (outside interface) capture is always encrypted.
     "ipsec0"  interface is already/not-yet encrypted.

I believe that the capture points in NETKEY are such that outgoing
traffic is seen twice (one encrypted, one clear), and incoming traffic
is only seen when encrypted.

    Kevin> This is what I understand from http://seclists.org/tcpdump/2009/q1/87.

So, that's an email from me, where I say what I just said.


-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
               then sign the petition.
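The point above is that ESP decryption depends only on the security association (destination address, SPI, algorithm and key), not on which IPsec stack the capturing host runs. As an added illustration that is not part of the thread and not Openswan or tcpdump code, the following Python reads a key list written in the `tcpdump -E` syntax (`spi@ipaddr algo:secret,...`) and decapsulates a constructed tunnel-mode ESP packet. To stay self-contained it assumes an ESP-NULL SA (the `none` algorithm) with an HMAC-SHA1-96 ICV, so the "decryption" step is a no-op and the interesting work is the SA lookup, the trailer parsing and the ICV check; the addresses, SPIs, keys and packet are all constructed here.

```python
"""ESP decapsulation driven by a tcpdump -E style key list (added example).

Assumptions (not from the original mail): the SA uses ESP-NULL encryption
(tcpdump algorithm "none") with HMAC-SHA1-96 authentication, and the SA is in
tunnel mode, so the ESP next-header is 4 (an IPv4 packet follows).
"""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 12       # HMAC-SHA1-96 (RFC 2404) truncates the ICV to 96 bits
IPPROTO_IPIP = 4   # ESP next header in tunnel mode: an IPv4 packet follows


def parse_esp_secrets(spec):
    """Parse a tcpdump -E style list "spi@ipaddr algo:secret,..." into
    {(dst_ip, spi): (algo, key)}.  A secret starting with 0x is hex,
    anything else is taken literally."""
    sas = {}
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        sa_part, algo_part = entry.split(None, 1)
        spi_str, ip_str = sa_part.split("@")
        algo, _, secret = algo_part.partition(":")
        key = bytes.fromhex(secret[2:]) if secret.startswith("0x") else secret.encode()
        sas[(str(ipaddress.ip_address(ip_str)), int(spi_str, 0))] = (algo, key)
    return sas


def build_ipv4(src, dst, proto, data):
    """Minimal IPv4 header (no options, checksum left zero) plus payload;
    the inner packet of a tunnel-mode SA is a complete IP packet like this."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(data), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + data


def ipv4_addrs(pkt):
    """(src, dst) of an IPv4 packet, used to show the tunnel's inner endpoints."""
    return str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20]))


def build_esp_null(spi, seq, next_hdr, inner, auth_key):
    """ESP-NULL encapsulation, RFC 4303 layout:
    SPI | seq | payload | padding | pad len | next header | ICV."""
    pad_len = (-(len(inner) + 2)) % 4             # right-align the trailer on 4 bytes
    padding = bytes(range(1, pad_len + 1))        # default monotonically increasing pad
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, next_hdr])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def decapsulate_esp(esp, dst_ip, sas, auth_key=None):
    """Look up the SA by (destination, SPI) as tcpdump -E does, optionally
    verify the ICV, strip the ESP header and trailer and return
    (spi, seq, next_hdr, inner).  KeyError means no SA for this packet."""
    spi, seq = struct.unpack("!II", esp[:8])
    algo, _enc_key = sas[(dst_ip, spi)]
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if auth_key is not None:
        expect = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
        if not hmac.compare_digest(expect, icv):
            raise ValueError("ESP ICV mismatch: wrong auth key or tampered packet")
    if algo != "none":
        raise NotImplementedError("only ESP-NULL is handled in this example")
    payload = body[8:]                             # with a real cipher: decrypt here
    pad_len, next_hdr = payload[-2], payload[-1]
    inner = payload[:len(payload) - 2 - pad_len]
    return spi, seq, next_hdr, inner


# Constructed sample data (not a real capture): two SAs in tcpdump -E syntax,
# an authentication key, and one tunnel-mode packet for the ESP-NULL SA.
SECRETS = ("0x1000@203.0.113.1 none:,"
           "0x2000@203.0.113.2 3des-cbc:0x000102030405060708090a0b0c0d0e0f1011121314151617")
AUTH_KEY = bytes(range(20))
INNER = build_ipv4("10.0.1.5", "10.0.2.7", 17, b"hello from inside")
ESP_PKT = build_esp_null(0x1000, 7, IPPROTO_IPIP, INNER, AUTH_KEY)


def demo():
    """Decapsulate the sample packet the way a sniffer holding the keys would."""
    sas = parse_esp_secrets(SECRETS)
    spi, seq, next_hdr, inner = decapsulate_esp(ESP_PKT, "203.0.113.1", sas, AUTH_KEY)
    return {"spi": spi, "seq": seq, "next_hdr": next_hdr,
            "inner_ok": inner == INNER, "inner_addrs": ipv4_addrs(inner)}


if __name__ == "__main__":
    print(demo())
```

The SA lookup is keyed on the outer destination address and SPI, which is exactly what has to be supplied to `tcpdump -E`; whether the packet was captured on a KLIPS `eth1`, a NETKEY interface or a span port between two unrelated gateways makes no difference to that step. The ICV check is there for the reader's benefit: a passive sniffer can skip it and still read the plaintext, which is also why leaked SA keys expose every captured packet of that SA.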

