How to dump the contents of an IPSec tunnel on StrongSwan with tcpdump

I've been doing a lot of work lately with StrongSwan and needed to troubleshoot traffic passing through the tunnel.  I stumbled on this blog post, which explains how to do it for plain ESP packets, but we're running with NAT-T enabled, so our ESP packets are encapsulated in UDP on port 4500 (the UDP encapsulation defined in RFC 3948).


With a minor modification, you can do it with UDP-encapsulated traffic also.  A capture filter on the ESP protocol (IP protocol 50) never matches UDP-encapsulated ESP, because on the wire those packets are just UDP; you have to filter on the port instead.

Change the line that says:
tcpdump -vnni any -As0 -w /tmp/encrypt.pcap -- proto esp
to
tcpdump -vnni any -As0 -w /tmp/encrypt.pcap -- port 4500
(The original post had "porto", which tcpdump rejects; the keyword is "proto".  "udp port 4500" is a slightly tighter filter if you want to exclude any TCP traffic that happens to use that port.)
You can then open that pcap file in Wireshark and follow the rest of the directions to decrypt the traffic.  Wireshark recognises UDP port 4500 as UDP-encapsulated ESP, so the same ESP dissector and SA preferences apply as for plain ESP; IKE keepalives and IKE messages on that port (the ones with the 4-byte non-ESP marker) are dissected separately and do not need to be filtered out.  You may need to fill in the SA info.  Make sure to add two SAs, one in each direction: each direction has its own SPI and its own encryption and authentication keys.  On the StrongSwan host you can read the installed SAs, including the keys, with "ip xfrm state" as root.  

That's it.  Then you can see all the traffic inside the tunnel.
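Filling in the two SAs by hand is where most people slip (wrong direction, wrong truncation length, one SA instead of two).  The script below is an added example, not part of the original post or of StrongSwan: it parses the output of "ip xfrm state" into the values Wireshark's ESP SA table asks for, confirms that both directions are present, and picks the tcpdump filter based on whether the SAs are UDP-encapsulated.  The sample "ip xfrm state" output and the keys in it are constructed, and the Wireshark algorithm labels are assumed to match the drop-downs in the ESP preferences dialog; check them against the version you run.

```python
"""Build the two Wireshark ESP SA entries from `ip xfrm state` output.

Added example, not from the original post or StrongSwan.  The sample
input and keys are constructed; the Wireshark algorithm labels are
assumed to match the ESP preferences dialog and should be verified
against your own Wireshark version.
"""
import re

# Constructed `ip xfrm state` output from a StrongSwan gateway using NAT-T.
# The "encap type espinudp" line is what tells you ESP rides inside UDP 4500,
# so a "proto esp" capture filter would see nothing.  Keys are dummy values.
SAMPLE_XFRM_STATE = """\
src 203.0.113.10 dst 198.51.100.20
\tproto esp spi 0xc6fa2e31 reqid 1 mode tunnel
\treplay-window 0 flag af-unspec
\tauth-trunc hmac(sha256) 0x{a} 128
\tenc cbc(aes) 0x{e}
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
\tanti-replay context: seq 0x0, oseq 0x1f, bitmap 0x00000000
src 198.51.100.20 dst 203.0.113.10
\tproto esp spi 0xc2b8d904 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x{b} 128
\tenc cbc(aes) 0x{f}
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
\tanti-replay context: seq 0x1a, oseq 0x0, bitmap 0xffffffff
""".format(a="11" * 32, e="22" * 16, b="33" * 32, f="44" * 16)

# Kernel algorithm names -> Wireshark ESP preference labels (assumed; compare
# with the drop-downs in Edit > Preferences > Protocols > ESP).
ENC_LABELS = {
    "cbc(aes)": "AES-CBC [RFC3602]",
    "cbc(des3_ede)": "TripleDES-CBC [RFC2451]",
    "ecb(cipher_null)": "NULL",
}
AUTH_LABELS = {  # keyed by (kernel name, truncation length in bits)
    ("hmac(sha1)", 96): "HMAC-SHA-1-96 [RFC2404]",
    ("hmac(sha256)", 128): "HMAC-SHA-256-128 [RFC4868]",
    ("hmac(sha384)", 192): "HMAC-SHA-384-192 [RFC4868]",
    ("hmac(sha512)", 256): "HMAC-SHA-512-256 [RFC4868]",
    ("hmac(md5)", 96): "HMAC-MD5-96 [RFC2403]",
}


def parse_xfrm_state(text):
    """Return one dict per SA with src, dst, spi, algorithms, keys and encap flag."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:  # a new SA block starts with its endpoints
            cur = {"src": m.group(1), "dst": m.group(2), "encap": False}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"proto (\w+) spi (0x[0-9a-f]+) .*mode (\w+)", line)
        if m:
            cur["proto"], cur["spi"], cur["mode"] = m.groups()
            continue
        m = re.match(r"auth(?:-trunc)? (\S+) (0x[0-9a-f]+)(?: (\d+))?", line)
        if m:  # "auth-trunc" carries the ICV length; plain "auth" does not
            cur["auth_alg"], cur["auth_key"] = m.group(1), m.group(2)
            cur["auth_trunc"] = int(m.group(3)) if m.group(3) else None
            continue
        m = re.match(r"enc (\S+) (0x[0-9a-f]+)", line)
        if m:
            cur["enc_alg"], cur["enc_key"] = m.group(1), m.group(2)
            continue
        if line.startswith("encap type espinudp"):
            cur["encap"] = True
    return sas


def capture_filter(sas):
    """tcpdump filter to use: UDP-encapsulated SAs only appear on port 4500."""
    return "udp port 4500" if any(sa["encap"] for sa in sas) else "proto esp"


def covers_both_directions(sas):
    """True when every SA has a partner with src/dst swapped (both halves decrypt)."""
    pairs = {(sa["src"], sa["dst"]) for sa in sas}
    return all((d, s) in pairs for s, d in pairs)


def wireshark_sa_rows(sas):
    """One tuple per SA in the column order of Wireshark's ESP SA table:
    protocol, src, dst, SPI, encryption, enc key, authentication, auth key."""
    rows = []
    for sa in sas:
        try:
            enc = ENC_LABELS[sa["enc_alg"]]
            auth = AUTH_LABELS[(sa["auth_alg"], sa["auth_trunc"])]
        except KeyError as exc:
            raise ValueError(f"no Wireshark label known for {exc} in SA {sa.get('spi')}")
        rows.append(("IPv4", sa["src"], sa["dst"], sa["spi"],
                     enc, sa["enc_key"], auth, sa["auth_key"]))
    return rows


if __name__ == "__main__":
    sas = parse_xfrm_state(SAMPLE_XFRM_STATE)
    print("capture with: tcpdump -vnni any -s0 -w /tmp/encrypt.pcap --", capture_filter(sas))
    if not covers_both_directions(sas):
        print("warning: only one direction present; decryption will be one-way")
    for row in wireshark_sa_rows(sas):
        print(", ".join(row))
```

On a real host run "ip xfrm state" as root and feed its output to parse_xfrm_state; any algorithm the tables above do not know (AEAD ciphers such as rfc4106(gcm(aes)), for instance, where Wireshark expects the key and salt handled differently) raises a ValueError rather than silently producing an entry that will not decrypt.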
