[strongSwan] Wireshark: cannot see outgoing IPsec packets

Daniel Mentz danielml+mailinglists.strongswan at sent.com
Sat May 21 07:17:19 CEST 2011

On 05/20/2011 08:45 AM, Richard Chan wrote:
> Using Wireshark and trying to sniff the cleartext packet, I can only see
> incoming packets.

That's a peculiarity of the Linux kernel. Capture the (UDP encapsulated)
ESP packets and use Wireshark to decrypt them. See


Run the following command to determine the encryption algorithms and the 
symmetric keys used by the kernel. Depending on your configuration, 
strongSwan periodically changes encryption keys. Keep this in mind if 
you're capturing traffic over an extended period of time.

ip xfrm state

