[Openswan Users] What is wrong: I can see clear text traffic from left to right

andy andy at andynet.net
Thu Mar 10 11:46:07 EST 2016


You're seeing the ESP traffic after it's been decrypted. It's to do with the way that the packet
capture hooks into the kernel.
When using the netkey ipsec stack, tcpdump will capture an incoming ESP packet twice, both
before and after it's decrypted. But outgoing is only seen after encryption.

If you capture at some point outside your ipsec servers you'll see only encrypted traffic.

This gets asked often - see https://lists.strongswan.org/pipermail/users/2012-June/003197.html for example.


On Thu, Mar 10, 2016 at 11:13:08AM +0200, Michael Furman wrote:
> Dear Openswan people,
> 
> I need your help. I have started a POC to enable Openswan in our product.
> Unfortunately I can see clear text traffic from left to right, so it is kind of the
> critical problem that will prevent me from using Openswan in production.
> 
> I have configured Openswan on CentOS 6 using the following instructions:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Host-To-Host_VPN_Using_Openswan.html
> 
> The final configuration is below:
> 
> conn my-tunnel
>     ike=3des-md5
>     esp=3des-md5
>     left=172.16.0.2
>     leftnexthop=%defaultroute
>     leftrsasigkey=0...ww==
>     right=172.16.0.1
>     rightnexthop=%defaultroute
>     rightrsasigkey=0s...rQ==
>     authby=rsasig
>     keyingtries=10
>     # load and initiate automatically
>     compress=no
>     auto=start
> 
> I have tested the connection on both sides:
> 
> tcpdump -n -i eth0 esp or udp port 500 or udp port 4500
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 10:02:00.444491 IP 172.16.0.2 > 172.16.0.1: ESP(spi=0x8204b310,seq=0x26425), length 124
> 10:02:00.445414 IP 172.16.0.1 > 172.16.0.2: ESP(spi=0xa68b20ef,seq=0x34e1d), length 84
> 
> tcpdump -n -i eth0 esp or udp port 500 or udp port 4500
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 10:02:33.123685 IP 172.16.0.1 > 172.16.0.2: ESP(spi=0xa68b20ef,seq=0x34e4c), length 156
> 10:02:33.132466 IP 172.16.0.2 > 172.16.0.1: ESP(spi=0x8204b310,seq=0x26444), length 172
> 
> I suppose that any communication from left to right and vice versa will be encrypted by Openswan.
> 
> I have started the chat server on the left:
> 
> nc -vv -l 172.16.0.2 1234
> 
> And then connected on the right:
> 
> nc 172.16.0.2 1234
> 
> Unfortunately, when I capture the traffic using the following command I can see clear text traffic from left to right:
> 
> tcpdump -vv -n -s0 -w ipsecchat.cap tcp port 1234
> 
> Please note that traffic from right to left is encrypted. What is wrong? Please help.

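As an added example (not from this thread and not Openswan's own tooling), the script below applies andy's explanation to tcpdump text output taken on the IPsec endpoint itself: a cleartext packet addressed to the local host from a peer that has already appeared as an ESP source is the decrypted copy that netkey lets tcpdump see, while a cleartext packet leaving the local host, or arriving from a peer that never sent ESP, is traffic the IPsec policy is not protecting. The inbound pairing check goes a step beyond the reply, which only describes the netkey double capture. The sample lines, the local address choice and all function names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's text format, as if captured on the IPsec
# endpoint 172.16.0.1 (the "right" host of the thread). The cleartext lines
# are invented to show both the expected and the unexpected case.
SAMPLE_CAPTURE = """\
10:02:33.123685 IP 172.16.0.2 > 172.16.0.1: ESP(spi=0x8204b310,seq=0x26444), length 172
10:02:33.123702 IP 172.16.0.2.1234 > 172.16.0.1.40512: Flags [P.], seq 1:6, ack 1, win 229, length 5
10:02:33.132466 IP 172.16.0.1 > 172.16.0.2: ESP(spi=0xa68b20ef,seq=0x34e4c), length 156
10:02:34.000100 IP 172.16.0.1.40512 > 172.16.0.2.1234: Flags [P.], seq 1:4, ack 6, win 229, length 3
"""

# Matches "<timestamp> IP <src> > <dst>: <rest>" lines produced by tcpdump -n.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def _host(addr):
    """Strip the trailing .port from tcpdump's host.port notation (IPv4 only)."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def classify(line, local_ip, esp_peers):
    """Classify one tcpdump line as seen on the IPsec endpoint local_ip.

    esp_peers is a set of peer addresses already seen as ESP sources in this
    capture; it is updated in place. Returns one of:
      "esp"                - encrypted packet on the wire (either direction)
      "decrypted-inbound"  - cleartext copy of a packet that arrived as ESP from
                             a known peer; expected when capturing on the endpoint
      "cleartext-inbound"  - cleartext arriving from a peer that never sent ESP
      "cleartext-outbound" - cleartext leaving this host, i.e. not protected
      "other"              - unparsable or unrelated line
    """
    m = LINE_RE.match(line)
    if not m:
        return "other"
    src, dst = _host(m.group("src")), _host(m.group("dst"))
    if m.group("rest").startswith("ESP("):
        esp_peers.add(src)
        return "esp"
    if dst == local_ip and src in esp_peers:
        return "decrypted-inbound"
    if dst == local_ip:
        return "cleartext-inbound"
    if src == local_ip:
        return "cleartext-outbound"
    return "other"


def audit(capture_text, local_ip):
    """Return (counts per class, list of lines that show unprotected traffic).

    Only cleartext-outbound and cleartext-inbound lines are reported: on the
    endpoint, decrypted inbound copies are normal and are not a leak.
    """
    counts = Counter()
    unprotected = []
    esp_peers = set()
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        kind = classify(line, local_ip, esp_peers)
        counts[kind] += 1
        if kind in ("cleartext-outbound", "cleartext-inbound"):
            unprotected.append(line)
    return dict(counts), unprotected


if __name__ == "__main__":
    counts, unprotected = audit(SAMPLE_CAPTURE, "172.16.0.1")
    print(counts)
    for line in unprotected:
        print("UNPROTECTED:", line)
```

To use it on a real capture, feed it the output of `tcpdump -n -i eth0` (text, not `-w`) from one endpoint and pass that endpoint's own address as `local_ip`; an empty unprotected list means every cleartext line was a decrypted copy of something that arrived as ESP, which is exactly what the reply describes. Capturing on a third host between the two peers remains the simplest way to confirm that nothing leaves either endpoint in the clear.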