[strongSwan] Wireshark: cannot see outgoing IPsec packets
Daniel Mentz
danielml+mailinglists.strongswan at sent.com
Sat May 21 07:17:19 CEST 2011
On 05/20/2011 08:45 AM, Richard Chan wrote:
> Using Wireshark and trying to sniff the cleartext packet, I can only see
> incoming packets.
That's a peculiarity of the Linux kernel. Capture the (UDP encapsulated)
ESP packets and use Wireshark to decrypt them. See
http://wiki.wireshark.org/ESP_Preferences
Run the following command to determine the encryption algorithms and the
symmetric keys used by the kernel. Depending on your configuration,
strongSwan periodically changes encryption keys. Keep this in mind if
you're capturing traffic over an extended period of time.
ip xfrm state
-Daniel
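
An added example, not part of the original message: a small parser that pulls the per-SA addresses, SPI, algorithms and keys out of `ip xfrm state` text so they can be entered in Wireshark's ESP preferences. It assumes the usual iproute2 output layout; the sample input, helper names and all key material are constructed.

```python
# Added example: extract ESP SA parameters from `ip xfrm state` text.
# SAMPLE is constructed (made-up addresses, SPIs, keys); real output holds live keys.
SAMPLE = """\
src 192.0.2.1 dst 198.51.100.7
\tproto esp spi 0xc5a1b2d3 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x000102030405060708090a0b0c0d0e0f10111213 96
\tenc cbc(aes) 0x00112233445566778899aabbccddeeff
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 198.51.100.7 dst 192.0.2.1
\tproto esp spi 0xc9f0e1d2 reqid 1 mode tunnel
\tauth-trunc hmac(sha1) 0x131211100f0e0d0c0b0a09080706050403020100 96
\tenc cbc(aes) 0xffeeddccbbaa99887766554433221100
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""

def key_bits(hexkey):
    return (len(hexkey) - 2) * 4          # 0x-prefixed hex string -> key length in bits

def parse_xfrm_state(text):
    """Return one dict per ESP SA found in `ip xfrm state` output."""
    sas, sa = [], None
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["src"] and not line[0].isspace():  # unindented line opens an SA
            sa = {"src": tok[1], "dst": tok[3], "udp_encap": False}
            sas.append(sa)
        elif sa is None or not tok:
            continue
        elif tok[0] == "proto":
            sa["proto"], sa["spi"] = tok[1], tok[tok.index("spi") + 1]
        elif tok[0] in ("auth", "auth-trunc"):            # integrity algorithm and key
            sa["auth_alg"], sa["auth_key"] = tok[1], tok[2]
        elif tok[0] in ("enc", "aead"):                   # cipher or combined mode, and key
            sa["enc_alg"], sa["enc_key"] = tok[1], tok[2]
        elif tok[0] == "encap":                           # ESP carried inside UDP
            sa["udp_encap"] = tok[2] == "espinudp"
    return [s for s in sas if s.get("proto") == "esp"]

def describe(sa):
    """One line per SA with the values needed to decrypt its ESP packets."""
    return (f"{sa['src']} -> {sa['dst']} spi={sa['spi']} "
            f"enc={sa['enc_alg']}/{key_bits(sa['enc_key'])} key={sa['enc_key']} "
            f"auth={sa.get('auth_alg', 'none (AEAD)')} key={sa.get('auth_key', '-')}"
            + (" [UDP-encapsulated]" if sa["udp_encap"] else ""))

if __name__ == "__main__":
    for sa in parse_xfrm_state(SAMPLE):
        print(describe(sa))
```

Each direction has its own SA, and a rekey installs new SPIs and keys, so the output has to be collected again for every rekey that falls inside the capture.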