[strongSwan] Curious about why I can't see inbound packet with tcpdump

ZHANG Cheng czhang.oss at gmail.com
Tue Apr 22 06:13:24 CEST 2014


Hi,

I just set up a proof-of-concept StrongSwan instance with the help of
various references across the Internet, and it finally works.
During my setup, I used tcpdump to debug the outgoing traffic, and I
found something I can't explain, so I'd like to ask the knowledgeable
folks on this list.

My tcpdump output is like this:
# tcpdump -nni eth0 -s 0 tcp port http
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
03:23:01.002667 IP 172.16.0.1.58591 > 202.106.169.188.80: Flags [S], seq 2395687962, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS val 871408526 ecr 0,sackOK,eol], length 0
03:23:01.002736 IP 10.0.1.101.58591 > 202.106.169.188.80: Flags [S], seq 2395687962, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS val 871408526 ecr 0,sackOK,eol], length 0
03:23:01.383449 IP 202.106.169.188.80 > 10.0.1.101.58591: Flags [S.], seq 4167962077, ack 2395687963, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

10.0.1.101 is my eth0 IP; 172.16.0.0/24 is the private subnet for VPN
clients (rightsourceip=172.16.0.0/24).

I set iptables rules as:
  iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
  iptables -A FORWARD -s 172.16.0.0/24 -j ACCEPT

Now I see the outbound packet with src IP 172.16.0.1 NATed to src IP
10.0.1.101, but for the corresponding inbound packet I assumed I should
see "202.106.169.188.80 > 172.16.0.1.58591" after "202.106.169.188.80
> 10.0.1.101.58591", but it doesn't show up this way. I am really
curious why.

Thanks.


More information about the Users mailing list
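The capture above is explained by where tcpdump taps an interface relative to the netfilter NAT hooks: on Linux the AF_PACKET tap sees an arriving packet before nat PREROUTING (so before conntrack restores the pre-NAT destination) and a departing packet only after nat POSTROUTING (so after MASQUERADE). The decrypted inner packet of an inbound ESP packet is re-injected on the receiving interface, which is why the plaintext SYN from 172.16.0.1 shows up on eth0 at all, whereas the de-NATed SYN-ACK to 172.16.0.1 only ever leaves eth0 inside an ESP packet that the `tcp port http` filter does not match. The following model is an added illustration, not strongSwan code and not part of the original message; addresses and ports are the ones from the post, the road-warrior's public address (CLIENT_PUBLIC) is a constructed documentation-range value, and the hook sequence is the Linux one reduced to the steps that matter here.

```python
"""Where `tcpdump -nni eth0 tcp port http` taps packets relative to the
netfilter NAT hooks, replayed over the SYN / SYN-ACK exchange from the post.
Added example; not strongSwan code and not from the original message."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("172.16.0.0/24")   # rightsourceip pool (from the post)
ETH0_IP = "10.0.1.101"                   # MASQUERADE substitutes this source
PEER = "202.106.169.188"                 # web server contacted by the client
CLIENT_PUBLIC = "198.51.100.7"           # road warrior's outer address (constructed)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S" / "S." as tcpdump prints them; "" for ESP
    proto: str = "tcp"

    def line(self) -> str:
        """Render the 5-tuple the way `tcpdump -nn` prints it."""
        if self.proto == "esp":
            return f"IP {self.src} > {self.dst}: ESP"
        return f"IP {self.src}.{self.sport} > {self.dst}.{self.dport}: Flags [{self.flags}]"


class Masquerade:
    """`iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE`
    plus the reverse mapping conntrack applies to replies in nat PREROUTING."""

    def __init__(self):
        # (reply src, reply sport, reply dport) -> original VPN client address
        self.reverse = {}

    def postrouting(self, pkt: Pkt) -> Pkt:
        if pkt.proto == "tcp" and ip_address(pkt.src) in VPN_POOL:
            self.reverse[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
            return replace(pkt, src=ETH0_IP)     # SNAT: 172.16.0.1 -> 10.0.1.101
        return pkt

    def prerouting(self, pkt: Pkt) -> Pkt:
        orig = self.reverse.get((pkt.src, pkt.sport, pkt.dport))
        if orig and pkt.dst == ETH0_IP:
            return replace(pkt, dst=orig)        # de-NAT: 10.0.1.101 -> 172.16.0.1
        return pkt


def ingress(pkt: Pkt, nat: Masquerade, tap: list) -> Pkt:
    """Packet arriving on eth0: AF_PACKET tap first, nat PREROUTING afterwards."""
    tap.append(pkt)
    return nat.prerouting(pkt)


def egress(pkt: Pkt, nat: Masquerade, tap: list) -> Pkt:
    """Forwarded packet leaving eth0: nat POSTROUTING first, tap afterwards."""
    out = nat.postrouting(pkt)
    tap.append(out)
    return out


def matches_filter(pkt: Pkt) -> bool:
    """The capture filter from the post: `tcp port http`."""
    return pkt.proto == "tcp" and 80 in (pkt.sport, pkt.dport)


def simulate():
    """Return (lines the filtered capture shows, the de-NATed reply it never shows)."""
    nat, tap = Masquerade(), []

    # 1. ESP from the road warrior arrives; the tap sees ESP, filtered out.
    ingress(Pkt(CLIENT_PUBLIC, 0, ETH0_IP, 0, "", proto="esp"), nat, tap)
    # 2. XFRM re-injects the decrypted SYN on eth0's receive path, so the tap
    #    sees the VPN-pool source; FORWARD then MASQUERADE rewrites it and the
    #    tap sees it a second time with the eth0 source.
    fwd = ingress(Pkt("172.16.0.1", 58591, PEER, 80, "S"), nat, tap)
    egress(fwd, nat, tap)
    # 3. The SYN-ACK arrives addressed to 10.0.1.101: tapped as-is, then
    #    conntrack restores 172.16.0.1 in PREROUTING.
    to_client = ingress(Pkt(PEER, 80, ETH0_IP, 58591, "S."), nat, tap)
    # 4. The de-NATed packet matches the IPsec policy, so eth0 only ever
    #    transmits it as ESP payload; no TCP packet to 172.16.0.1 hits the tap.
    egress(Pkt(ETH0_IP, 0, CLIENT_PUBLIC, 0, "", proto="esp"), nat, tap)

    captured = [p.line() for p in tap if matches_filter(p)]
    return captured, to_client.line()


if __name__ == "__main__":
    shown, hidden = simulate()
    print("\n".join(shown))
    print("carried only inside ESP:", hidden)
```

Dropping the port filter (or adding `or esp`) makes the two ESP legs visible in the real capture; to see the de-NATed TCP packet itself one has to look at the conntrack table (`conntrack -L`) or at a hook after PREROUTING rather than at the interface tap.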