[strongSwan] Why can I only see incoming unencrypted traffic? Outgoing cleartext traffic is not visible on the strongSwan box.

Charles-Edouard Ruault cer at maeglin.com
Thu Aug 27 17:13:18 CEST 2015


Hi All,
I have several production set-ups where the StrongSwan endpoint and the process sending traffic over the VPN sit on the same box. 
For some of them, the StrongSwan endpoint uses the same IP as the one used by the process communicating with machines on the other end of the tunnel.

Everything works fine and the traffic flows as expected over the VPN. 
The only problem I have is that when I want to monitor cleartext traffic on my end of the tunnel, I only see incoming packets (sent from the machines at the other end of the tunnel); I cannot see any packets that I'm sending (but they are sent and received by the other end).
It makes it very hard to troubleshoot application issues.
Does anyone know if there's a way to capture traffic in both directions? What's the reason for this?
Here’s an example:

One machine with public IP A establishes a tunnel with a remote machine with IP B. 
A gets assigned a virtual IP 10.2.0.4 from the remote strongswan gateway. The remote network behind B is 10.1.0.0/24
So it appears as:

10.2.0.4--A=====B-10.1.0.0/24

The only thing to note is that A & C are on the same box. 
Then from 10.2.0.4 I ping 10.1.0.7, ping works fine (see trace). 
However, when I use tcpdump to capture cleartext traffic I only see packets sent from 10.1.0.7 to C and I do not see packets coming from 10.2.0.4 and going to 10.1.0.7.

On 10.2.0.4 (same box as the VPN endpoint): 
ping 10.1.0.7
PING 10.1.0.7 (10.1.0.7) 56(84) bytes of data.
64 bytes from 10.1.0.7: icmp_seq=1 ttl=63 time=23.9 ms
64 bytes from 10.1.0.7: icmp_seq=2 ttl=63 time=8.08 ms
64 bytes from 10.1.0.7: icmp_seq=3 ttl=63 time=8.41 ms
64 bytes from 10.1.0.7: icmp_seq=4 ttl=63 time=8.34 ms
64 bytes from 10.1.0.7: icmp_seq=5 ttl=63 time=8.19 ms
64 bytes from 10.1.0.7: icmp_seq=6 ttl=63 time=8.69 ms
64 bytes from 10.1.0.7: icmp_seq=7 ttl=63 time=7.94 ms
64 bytes from 10.1.0.7: icmp_seq=8 ttl=63 time=8.38 ms
64 bytes from 10.1.0.7: icmp_seq=9 ttl=63 time=8.41 ms

And a tcpdump listening on the public interface (A):

tcpdump -n host 10.1.0.7
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
17:09:18.358444 IP 10.1.0.7 > 10.2.0.4: ICMP echo reply, id 31543, seq 1, length 64
17:09:19.359692 IP 10.1.0.7 > 10.2.0.4: ICMP echo reply, id 31543, seq 2, length 64
17:09:20.361430 IP 10.1.0.7 > 10.2.0.4: ICMP echo reply, id 31543, seq 3, length 64
17:09:21.387503 IP 10.1.0.7 > 10.2.0.4: ICMP echo reply, id 31543, seq 4, length 64
17:09:22.363721 IP 10.1.0.7 > 10.2.0.4: ICMP echo reply, id 31543, seq 5, length 64
17:09:23.365462 IP 10.1.0.7 > 10.2.0.4: ICMP echo reply, id 31543, seq 6, length 64
17:09:24.366464 IP 10.1.0.7 > 10.2.0.4: ICMP echo reply, id 31543, seq 7, length 64
17:09:25.367466 IP 10.1.0.7 > 10.2.0.4: ICMP echo reply, id 31543, seq 8, length 64


The strongSwan version on host A is 5.3.2 (on Fedora 21), but I have the same behavior on Debian 6 running strongSwan 4.4.1.
Can anyone shed some light on this behavior? Is there a way to get the full traffic?
Thanks for your help!
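An added diagnostic, not part of the original post: on Linux, an outbound packet matching an IPsec policy is ESP-encapsulated by the XFRM output path before the packet tap on the physical interface sees it, so tcpdump on em1 only shows the encrypted ESP copy, while an inbound ESP packet is decrypted and re-run through the stack, so its cleartext copy does reach the tap. The script below parses a tcpdump capture taken with a wider filter (cleartext plus ESP) and flags cleartext flows seen in only one direction while ESP flows both ways, which is the signature of this capture-point effect rather than of dropped traffic. The sample capture and the public addresses of A and B are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample (not from the original post) of what a wider filter such as
# `tcpdump -n -i em1 'host 10.1.0.7 or esp'` could show on host A. The public
# addresses of A (203.0.113.10) and B (198.51.100.20) are placeholders.
SAMPLE_CAPTURE = """\
17:09:18.358001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 120
17:09:18.358400 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0x0d2c1b0a,seq=0x1), length 120
17:09:18.358444 IP 10.1.0.7 > 10.2.0.4: ICMP echo reply, id 31543, seq 1, length 64
17:09:19.359001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x2), length 120
17:09:19.359600 IP 198.51.100.20 > 203.0.113.10: ESP(spi=0x0d2c1b0a,seq=0x2), length 120
17:09:19.359692 IP 10.1.0.7 > 10.2.0.4: ICMP echo reply, id 31543, seq 2, length 64
"""

# One `tcpdump -n` IPv4 line: timestamp, "IP", src, ">", dst, ":", protocol summary.
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

def _strip_port(addr):
    # tcpdump prints "10.2.0.4.443" for address plus port; keep only the four octets.
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr

def parse_capture(text):
    """Yield (src, dst, is_esp) for every IPv4 line of a tcpdump -n capture."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield _strip_port(m["src"]), _strip_port(m["dst"]), m["rest"].startswith("ESP(")

def direction_counts(text):
    """Packet counts per (src, dst) pair, kept separately for ESP and cleartext."""
    counts = {"esp": defaultdict(int), "clear": defaultdict(int)}
    for src, dst, is_esp in parse_capture(text):
        counts["esp" if is_esp else "clear"][(src, dst)] += 1
    return counts

def one_way_cleartext_flows(text):
    """Cleartext (src, dst) pairs for which no packet in the reverse direction was captured."""
    clear = direction_counts(text)["clear"]
    return sorted((s, d) for (s, d) in clear if (d, s) not in clear)

def esp_is_bidirectional(text):
    """True if at least one ESP pair was captured in both directions."""
    esp = direction_counts(text)["esp"]
    return any((d, s) in esp for (s, d) in esp)

if __name__ == "__main__":
    for src, dst in one_way_cleartext_flows(SAMPLE_CAPTURE):
        print(f"cleartext {src} -> {dst} seen, reverse direction missing at this tap")
    print("ESP seen both ways:", esp_is_bidirectional(SAMPLE_CAPTURE))
```

When the one-way cleartext flow coincides with ESP in both directions, the outbound cleartext exists but is encrypted before the interface tap; capturing at a point before XFRM (for example via a netfilter NFLOG rule in the OUTPUT chain) is needed to see it.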