[strongSwan] Curious about why I can't see inbound packet with tcpdump

Noel Kuntze noel at familie-kuntze.de
Tue Apr 22 11:28:16 CEST 2014


Hello Zhang,

The graph at [1] shows the path packets follow in the netfilter part of the Linux kernel, which also shows why it doesn't work as expected.

[1] http://inai.de/images/nf-packet-flow.png

Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 22.04.2014 10:08, ZHANG Cheng wrote:
> Answering my own question for others' reference.
> It has been answered by
> <http://wiki.strongswan.org/projects/strongswan/wiki/FAQ#General-Questions>,
> but I just didn't realize that until I found this ticket
> <http://wiki.strongswan.org/issues/470>.
> More digging leads me to
> <https://www.packtpub.com/sites/default/files/sample_chapters/openswan_chapter3_building_and_installing_openswan_0.pdf>,
> which has more explanation:
> [quote]
> NETKEY also hooks into the networking code differently. Packets are
> intercepted by the IPsec
> stack after they are received on the physical ethX interface, and
> magically reappear on the same
> device in decrypted form. Packets that are being sent appear only in
> encrypted form. This
> complicates iptables-based firewall rules and can be confusing when
> using tcpdump to debug
> IPsec connections.
> This interception also creates problems when using NAT and IPsec on
> the same machine, since the
> packet does not traverse through all the iptables as expected.
> Unencrypted packets never travel the
> POSTROUTING table. The netfilter patch-o-matic set of patches contains
> fixes for this, but they
> are being tested and are not yet ready for inclusion in the kernel.
> [/quote]
> On Tue, Apr 22, 2014 at 12:13 PM, ZHANG Cheng <czhang.oss at gmail.com> wrote:
>> Hi,
>> I just set up a proof of concept StrongSwan instance with the help of
>> various references across the Internet, and it finally works.
>> During my setup, I used tcpdump to debug the outgoing traffic, and I
>> found something I can't explain, so I'd like to ask knowledgeable
>> folks in this list.
>> My tcpdump output is like this:
>> # tcpdump -nni eth0 -s 0 tcp port http
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>> 03:23:01.002667 IP > Flags [S],
>> seq 2395687962, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS
>> val 871408526 ecr 0,sackOK,eol], length 0
>> 03:23:01.002736 IP > Flags [S],
>> seq 2395687962, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS
>> val 871408526 ecr 0,sackOK,eol], length 0
>> 03:23:01.383449 IP > Flags [S.],
>> seq 4167962077, ack 2395687963, win 5840, options [mss
>> 1460,nop,nop,sackOK,nop,wscale 7], length 0
>> is my eth0 IP, is private subnet for VPN
>> client (rightsourceip=
>> I set iptables rules as:
>>   iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE
>>   iptables -A FORWARD -s -j ACCEPT
>> Now I see outbound packet with src ip NAT into src ip
>>, but for the corresponding inbound packet, I assume I should
>> see " >" after " >" but it doesn't show up this way. I am really
>> curious about why.
>> Thanks.
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
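The following is an added model of the packet path discussed in this thread; it is not code from the original mail or from strongSwan. It plays through the two legs of the client's HTTP connection on the gateway's eth0, with the NETKEY/XFRM re-injection and MASQUERADE steps from the quoted text, and shows what a "tcp port http" capture versus an "esp or tcp port http" capture would list. All addresses are constructed placeholders, since the archive elided the real ones.

```python
# Added model (not from the original mail) of the packet path the thread
# discusses: a road-warrior client behind a strongSwan gateway that uses the
# kernel IPsec stack (NETKEY/XFRM) and MASQUERADE on eth0. All addresses are
# constructed placeholders; the mail's real addresses were elided by the archive.
GW_ETH0 = "203.0.113.10"   # gateway's eth0 address
POOL_IP = "10.10.10.2"     # client's rightsourceip address
PEER = "198.51.100.5"      # client's public address (ESP tunnel endpoint)
WEB = "192.0.2.80"         # web server the client talks to


def client_to_web_on_eth0():
    """Packets tcpdump on eth0 sees while the client's SYN travels to the web."""
    seen = []
    seen.append(("esp", PEER, GW_ETH0))        # 1. ESP arrives on eth0
    # 2. XFRM decrypts it; the plaintext packet is re-injected on eth0,
    #    so tcpdump sees the inner packet with the pool source address.
    seen.append(("tcp", POOL_IP, WEB))
    # 3. FORWARD accepts it, nat/POSTROUTING MASQUERADEs it to eth0's address
    #    and it leaves eth0 a second time in plaintext.
    seen.append(("tcp", GW_ETH0, WEB))
    return seen


def web_to_client_on_eth0():
    """Packets tcpdump on eth0 sees while the SYN/ACK returns to the client."""
    seen = []
    seen.append(("tcp", WEB, GW_ETH0))         # 1. reply arrives for eth0's address
    # 2. conntrack undoes the MASQUERADE in nat/PREROUTING, giving WEB -> POOL_IP,
    #    which matches the IPsec policy and is encrypted by XFRM before it is
    #    handed to eth0: the de-NATed plaintext never appears on the wire.
    seen.append(("esp", GW_ETH0, PEER))        # 3. only ESP leaves eth0
    return seen


def tcpdump(filter_protos, packets):
    """Apply a BPF-like protocol filter ('tcp port http', 'esp', ...) to a trace."""
    return [f"{src} > {dst} ({proto})" for proto, src, dst in packets
            if proto in filter_protos]


if __name__ == "__main__":
    flow = client_to_web_on_eth0() + web_to_client_on_eth0()
    print("tcpdump -nni eth0 tcp port http:")
    print("\n".join(tcpdump({"tcp"}, flow)))
    print("\ntcpdump -nni eth0 'esp or tcp port http':")
    print("\n".join(tcpdump({"tcp", "esp"}, flow)))
```

With the "tcp port http" filter the outbound SYN is listed twice (pool address, then the masqueraded address) and the reply only once, exactly the pattern in the original capture; adding "esp" to the filter makes the returning leg visible.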

