[Openswan Users] both tunneled/encrypted traffic and decrypted traffic are seen in the package remote destination network interface

Martin T m4rtntns at gmail.com
Fri Dec 23 13:05:30 EST 2016


Hi,

Looks like this is indeed expected behavior:
https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg


regards,
Martin

On Thu, Dec 22, 2016 at 7:29 PM, Martin T <m4rtntns at gmail.com> wrote:
> Hi,
>
> I have configured site-to-site VPN connection between two servers and
> when I send ICMP "echo request" messages from "srv1" to "srv2" and
> tcpdump traffic on "srv2" with "tcpdump -nei eth0 not 'tcp port 22'"
> command, then I see the following packages:
>
> 17:20:03.235088 84:b5:9c:f9:f0:30 > 7a:16:4e:85:51:ad, ethertype IPv4
> (0x0800), length 174: 187.166.74.145.4500 > 45.101.2.222.4500:
> UDP-encap: ESP(spi=0xd86852ae,seq=0x1), length 132
> 17:20:03.235088 84:b5:9c:f9:f0:30 > 7a:16:4e:85:51:ad, ethertype IPv4
> (0x0800), length 98: 187.166.74.145 > 10.10.12.1: ICMP echo request,
> id 30103, seq 1, length 64
>
> As seen above, for some reason both encrypted and decrypted packages
> are seen. I would expect only the encrypted package.
>
> However, if I do "tcpdump -nei eth0 not 'tcp port 22'" in "srv1", then
> I see only the tunneled/encrypted traffic as expected.
>
> What is the reason that tcpdump sees the decrypted traffic on eth0
> interface in "srv2"? Is this an expected behavior?
>
>
> thanks,
> Martin
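
A small triage helper for captures like the one quoted above, added here as an example and not written by the poster or the Openswan project: it labels each `tcpdump -ne` line as ESP, as a cleartext copy that shares its timestamp and source MAC with an ESP frame (as the two quoted lines do), or as cleartext with no ESP companion. The pairing rule is a heuristic assumed for this example, and the third sample line is constructed.

```python
import re
from collections import defaultdict

# First two lines: the capture quoted above, re-joined onto one line each.
# Third line: constructed for this example (cleartext with no ESP companion).
SAMPLE = """\
17:20:03.235088 84:b5:9c:f9:f0:30 > 7a:16:4e:85:51:ad, ethertype IPv4 (0x0800), length 174: 187.166.74.145.4500 > 45.101.2.222.4500: UDP-encap: ESP(spi=0xd86852ae,seq=0x1), length 132
17:20:03.235088 84:b5:9c:f9:f0:30 > 7a:16:4e:85:51:ad, ethertype IPv4 (0x0800), length 98: 187.166.74.145 > 10.10.12.1: ICMP echo request, id 30103, seq 1, length 64
17:20:09.500000 84:b5:9c:f9:f0:30 > 7a:16:4e:85:51:ad, ethertype IPv4 (0x0800), length 98: 187.166.74.145 > 10.10.12.1: ICMP echo request, id 30104, seq 1, length 64
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$"
)
ESP = re.compile(r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\)")


def classify(capture):
    """Return (timestamp, label, detail) per parsed line of `tcpdump -ne` text."""
    parsed = [m.groupdict() for m in map(LINE.match, capture.splitlines()) if m]
    # Index ESP frames by (timestamp, source MAC): in the capture above the
    # cleartext copy carries the same timestamp and Ethernet header as the
    # ESP frame next to it. Treat this pairing as a triage heuristic only.
    esp_seen = defaultdict(list)
    for p in parsed:
        esp = ESP.search(p["rest"])
        if esp:
            esp_seen[(p["ts"], p["smac"])].append(esp.group("spi"))
    out = []
    for p in parsed:
        if ESP.search(p["rest"]):
            out.append((p["ts"], "esp", p["rest"]))
        elif esp_seen.get((p["ts"], p["smac"])):
            spi = esp_seen[(p["ts"], p["smac"])][0]
            out.append((p["ts"], "decrypted-copy", f"after ESP spi={spi}"))
        else:
            out.append((p["ts"], "cleartext-unpaired", p["rest"]))
    return out


if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row, sep="  ")
```

Lines labelled `cleartext-unpaired` are the ones worth a closer look, since nothing in the capture ties them to an ESP frame.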

