Hi,

> When I ping machine A from machine B, and I do 'tcpdump -i <dev> esp'
> I don't see ESP packets going bidirectional but rather only the replies
> from B to A. Is this the expected behavior of tcpdump in that case?

No. While you'll only see inbound plaintext packets (see [1]), you should see both ESP packets (unless one is sent/received over a different interface or only one direction uses UDP-encapsulation, which is unlikely).

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Capturing-outbound-plaintext-packets-with-tcpdumpwireshark
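
The UDP-encapsulation case mentioned in the reply can be checked on a capture by classifying each packet by IP protocol and, for UDP port 4500, by payload: the tcpdump `esp` filter matches IP protocol 50 only, so UDP-encapsulated ESP (protocol 17) does not show up under it. This is an added example, not part of the original thread; the function names, addresses and sample packets are constructed, and the port-4500 payload rules follow RFC 3948.

```python
import socket
import struct
from collections import Counter

ESP_PROTO, UDP_PROTO, NAT_T_PORT = 50, 17, 4500

def classify(pkt: bytes) -> str:
    """Return 'esp', 'esp-in-udp', 'ike', 'keepalive' or 'other' for a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] == ESP_PROTO:
        return "esp"                  # IP protocol 50: what the 'esp' filter matches
    if pkt[9] != UDP_PROTO or len(pkt) < ihl + 8:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if NAT_T_PORT not in (sport, dport):
        return "other"
    payload = pkt[ihl + 8:]
    if payload == b"\xff":
        return "keepalive"            # RFC 3948 NAT-keepalive
    if payload[:4] == b"\x00" * 4:
        return "ike"                  # non-ESP marker: IKE on port 4500
    return "esp-in-udp" if len(payload) >= 8 else "other"  # IP protocol 17, not 50

def summarize(packets, local_ip):
    """Count packet kinds per direction, relative to local_ip."""
    counts = Counter()
    for pkt in packets:
        direction = "out" if socket.inet_ntoa(pkt[12:16]) == local_ip else "in"
        counts[(direction, classify(pkt))] += 1
    return counts

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet for the constructed samples (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

# Constructed sample traffic; addresses are documentation ranges, not from the thread.
A, B = "192.0.2.1", "198.51.100.2"
ESP = struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16   # SPI, sequence, dummy data
SAMPLE = [
    ipv4(B, A, ESP_PROTO, ESP),                           # B -> A, native ESP
    ipv4(A, B, UDP_PROTO, udp(4500, 4500, ESP)),          # A -> B, UDP-encapsulated
    ipv4(A, B, UDP_PROTO, udp(4500, 4500, b"\x00" * 4 + b"ike")),
    ipv4(B, A, UDP_PROTO, udp(4500, 4500, b"\xff")),
]
```

Calling `summarize(SAMPLE, B)` counts one outbound `esp` and one inbound `esp-in-udp`, the mixed situation in which an `esp` capture filter shows only one direction.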