Re: [Ipsec-tools-devel] tcpdump interaction with IPSec

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Wed, Oct 01, 2008 at 01:47:44PM -0400, Stephen Clark wrote:
> VANHULLEBUS Yvan wrote:
[....]
>> On latest Linux versions I tried, you should see incoming ESP packet
>> AND decapsulated traffic with a tcpdump on the good interface without
>> specific options.
>>
>> If you don't see incoming ESP packets, you have some network issue to
>> solve first.
>>
> Hmmm.... I am running Fedora 8 with kernel 2.6.25.14-69.fc8 I only see the
> decapsulated data.
> pinging across the vpn tunnel:
> sudo tcpdump -nli eth5 icmp
> 13:39:33.076997 IP 10.0.129.1 > 192.168.2.1: ICMP echo request, id 39302, 
> seq 54, length 64
> 13:39:34.079003 IP 10.0.129.1 > 192.168.2.1: ICMP echo request, id 39302, 
> seq 55, length 64
> 13:39:35.084426 IP 10.0.129.1 > 192.168.2.1: ICMP echo request, id 39302, 
> seq 56, length 64
>
> eth5 is my interface that is directly connected to the Internet.

Of course: you set up "icmp" as a filter, so tcpdump won't show you
ESP packets (and optionnaly UDP 4500 packets).

Yvan.