[Openswan Users] Decrypt ESP packets with wireshark for tunnel mode (Openswan)

Paul Wouters paul at xelerance.com
Tue Nov 16 21:32:22 EST 2010

On Tue, 16 Nov 2010, Michael Richardson wrote:

> I believe that the capture points in NETKEY are such that outgoing
> traffic is seen twice (one encrypted, one clear), and incoming traffic
> is only seen when encrypted.

The other way around :) Outoging you cannot see the encrypted packets. Incoming
you see both encrypted and decrypted, and they both appear to come from the 
same "source" mightilly confusing rp_filter so you're forced to do nasty


More information about the Users mailing list