[Openswan Users] both tunneled/encrypted traffic and decrypted traffic are seen in the package remote destination network interface

Martin T m4rtntns at gmail.com
Thu Dec 22 12:29:17 EST 2016


Hi,

I have configured site-to-site VPN connection between two servers and
when I send ICMP "echo request" messages from "srv1" to "srv2" and
tcpdump traffic on "srv2" with "tcpdump -nei eth0 not 'tcp port 22'"
command, then I see the following packages:

17:20:03.235088 84:b5:9c:f9:f0:30 > 7a:16:4e:85:51:ad, ethertype IPv4 (0x0800), length 174: 187.166.74.145.4500 > 45.101.2.222.4500: UDP-encap: ESP(spi=0xd86852ae,seq=0x1), length 132
17:20:03.235088 84:b5:9c:f9:f0:30 > 7a:16:4e:85:51:ad, ethertype IPv4 (0x0800), length 98: 187.166.74.145 > 10.10.12.1: ICMP echo request, id 30103, seq 1, length 64

As seen above, for some reason both encrypted and decrypted packages
are seen. I would expect only the encrypted package.

However, if I do "tcpdump -nei eth0 not 'tcp port 22'" on "srv1", then
I see only the tunneled/encrypted traffic as expected.

What is the reason that tcpdump sees the decrypted traffic on the eth0
interface on "srv2"? Is this expected behavior?


thanks,
Martin

