[Openswan Users] Decrypt ESP packets with wireshark for tunnel mode (Openswan)

Paul Wouters paul at xelerance.com
Tue Nov 16 21:32:22 EST 2010


On Tue, 16 Nov 2010, Michael Richardson wrote:

> I believe that the capture points in NETKEY are such that outgoing
> traffic is seen twice (one encrypted, one clear), and incoming traffic
> is only seen when encrypted.

The other way around :) Outgoing you cannot see the encrypted packets. Incoming
you see both encrypted and decrypted, and they both appear to come from the
same "source", mightily confusing rp_filter, so you're forced to do nasty
MARKing.

Paul

