[strongSwan] Curious about why I can't see inbound packet with tcpdump

ZHANG Cheng czhang.oss at gmail.com
Tue Apr 22 10:08:52 CEST 2014


Answering my own question for others' reference.
It has been answered by
<http://wiki.strongswan.org/projects/strongswan/wiki/FAQ#General-Questions>,
but I just didn't realize that until I found this ticket
<http://wiki.strongswan.org/issues/470>.

More digging leads me to
<https://www.packtpub.com/sites/default/files/sample_chapters/openswan_chapter3_building_and_installing_openswan_0.pdf>,
which has more explanation:

[quote]
NETKEY also hooks into the networking code differently. Packets are intercepted by the IPsec stack after they are received on the physical ethX interface, and magically reappear on the same device in decrypted form. Packets that are being sent appear only in encrypted form. This complicates iptables-based firewall rules and can be confusing when using tcpdump to debug IPsec connections.

This interception also creates problems when using NAT and IPsec on the same machine, since the packet does not traverse through all the iptables as expected. Unencrypted packets never travel the POSTROUTING table. The netfilter patch-o-matic set of patches contains fixes for this, but they are being tested and are not yet ready for inclusion in the kernel.
[/quote]

On Tue, Apr 22, 2014 at 12:13 PM, ZHANG Cheng <czhang.oss at gmail.com> wrote:
> Hi,
>
> I just set up a proof of concept StrongSwan instance with the help of
> various references across the Internet, and it finally works.
> During my setup, I used tcpdump to debug the outgoing traffic, and I
> found something I can't explain, so I'd like to ask the knowledgeable
> folks on this list.
>
> My tcpdump output is like this:
> # tcpdump -nni eth0 -s 0 tcp port http
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
> 03:23:01.002667 IP 172.16.0.1.58591 > 202.106.169.188.80: Flags [S],
> seq 2395687962, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS
> val 871408526 ecr 0,sackOK,eol], length 0
> 03:23:01.002736 IP 10.0.1.101.58591 > 202.106.169.188.80: Flags [S],
> seq 2395687962, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS
> val 871408526 ecr 0,sackOK,eol], length 0
> 03:23:01.383449 IP 202.106.169.188.80 > 10.0.1.101.58591: Flags [S.],
> seq 4167962077, ack 2395687963, win 5840, options [mss
> 1460,nop,nop,sackOK,nop,wscale 7], length 0
>
> 10.0.1.101 is my eth0 IP, 172.16.0.0/24 is the private subnet for VPN
> clients (rightsourceip=172.16.0.0/24).
>
> I set iptables rules as:
>   iptables -t nat -A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
>   iptables -A FORWARD -s 172.16.0.0/24 -j ACCEPT
>
> Now I see the outbound packet with src IP 172.16.0.1 NATed to src IP
> 10.0.1.101, but for the corresponding inbound packet, I assumed I should
> see "202.106.169.188.80 > 172.16.0.1.58591" after
> "202.106.169.188.80 > 10.0.1.101.58591", but it doesn't show up this
> way. I am really curious why.
>
> Thanks.
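As an added illustration (not code from this thread or from strongSwan), the Python below tags each plaintext line of the capture above with the stage of the NETKEY packet path it shows, and reconstructs the de-NATed reply the poster expected but could not see: that reply re-enters the IPsec stack and leaves eth0 only as ESP, so a `tcp port http` filter never matches it. The gateway address and pool come from the post; the helper names are mine, and the sample lines are the thread's three packets collapsed onto one line each.

```python
import re
from ipaddress import ip_address, ip_network

GATEWAY_IP = ip_address("10.0.1.101")    # eth0 address from the thread
VPN_POOL = ip_network("172.16.0.0/24")   # rightsourceip pool from the thread

# Constructed sample: the three packets from the original post, one line each.
SAMPLE_LINES = [
    "03:23:01.002667 IP 172.16.0.1.58591 > 202.106.169.188.80: Flags [S], seq 2395687962, length 0",
    "03:23:01.002736 IP 10.0.1.101.58591 > 202.106.169.188.80: Flags [S], seq 2395687962, length 0",
    "03:23:01.383449 IP 202.106.169.188.80 > 10.0.1.101.58591: Flags [S.], seq 4167962077, length 0",
]

LINE_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def parse(line):
    """Return (src_ip, src_port, dst_ip, dst_port) from a `tcpdump -nn` line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return ip_address(m[1]), int(m[2]), ip_address(m[3]), int(m[4])

def classify(line, gateway=GATEWAY_IP, pool=VPN_POOL):
    """Name the NETKEY processing stage a plaintext packet captured on eth0 belongs to."""
    p = parse(line)
    if p is None:
        return None
    src, _, dst, _ = p
    if src in pool:
        return "decrypted_from_vpn_client"   # ESP decapsulated, plaintext re-injected on eth0
    if src == gateway:
        return "outbound_after_snat"         # same packet after POSTROUTING MASQUERADE
    if dst == gateway:
        return "reply_before_denat"          # reply from the Internet, seen before de-NAT
    if dst in pool:
        return "reply_in_clear_unexpected"   # only possible if the reply bypassed the tunnel
    return "unrelated"

def expected_esp_only_legs(lines, gateway=GATEWAY_IP, pool=VPN_POOL):
    """Rebuild the de-NATed replies that never appear in clear on eth0 (they leave as ESP).
    Assumes MASQUERADE kept the source port, as in the sample; conntrack may remap it."""
    nat_map, legs = {}, []
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        src, sport, dst, dport = p
        stage = classify(line, gateway, pool)
        if stage == "decrypted_from_vpn_client":
            nat_map[(dst, dport, sport)] = src              # which client owns this flow
        elif stage == "reply_before_denat" and (src, sport, dport) in nat_map:
            legs.append(f"{src}.{sport} > {nat_map[(src, sport, dport)]}.{dport}")
    return legs
```

To see the encrypted leg alongside the plaintext ones, capture with a filter that also matches ESP, e.g. `tcpdump -nni eth0 'tcp port http or esp'`.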
