The daemon listens on a divert socket (FreeBSD/OpenBSD specific). ESP packets are decrypted and the others are sent further. Non-ESP packets are checked against security policies (SP) and encrypted with the corresponding SA.
Because outgoing packets arriving at the divert port have invalid dummy checksums, ESPER calculates them explicitly for IPv4 (IPv6 does not have a checksum), TCP, UDP and ICMPv6 packets before encapsulating. Other protocol types may end up with a wrong checksum.
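The recalculation described above, sketched for the IPv4 case with TCP and UDP only, as an added example that is not ESPER's own code. The names `checksum` and `FixIPv4Checksums` are hypothetical, the sample packet is constructed, and fragments and other protocols are left untouched.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// checksum is the RFC 1071 Internet checksum of b, seeded with acc (used for the pseudo-header).
func checksum(acc uint32, b []byte) uint16 {
	for ; len(b) >= 2; b = b[2:] {
		acc += uint32(binary.BigEndian.Uint16(b))
	}
	if len(b) == 1 {
		acc += uint32(b[0]) << 8 // odd tail byte is zero-padded
	}
	for acc>>16 != 0 {
		acc = acc&0xffff + acc>>16 // end-around carry
	}
	return ^uint16(acc)
}

// FixIPv4Checksums (hypothetical name) rewrites the header and TCP/UDP checksums in place.
func FixIPv4Checksums(pkt []byte) error {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return fmt.Errorf("not an IPv4 packet")
	}
	ihl, total := int(pkt[0]&0x0f)*4, int(binary.BigEndian.Uint16(pkt[2:4]))
	if ihl < 20 || total < ihl || total > len(pkt) {
		return fmt.Errorf("inconsistent header or total length")
	}
	binary.BigEndian.PutUint16(pkt[10:12], 0) // the checksum field counts as zero while summing
	binary.BigEndian.PutUint16(pkt[10:12], checksum(0, pkt[:ihl]))
	off, l4 := map[byte]int{6: 16, 17: 6}[pkt[9]], pkt[ihl:total] // checksum offset: TCP 16, UDP 6
	if off == 0 || binary.BigEndian.Uint16(pkt[6:8])&0x3fff != 0 || len(l4) < off+2 {
		return nil // other protocols, fragments (MF or offset set) and short headers are skipped
	}
	binary.BigEndian.PutUint16(l4[off:], 0)
	acc := uint32(^checksum(0, pkt[12:20])) + uint32(pkt[9]) + uint32(len(l4)) // pseudo-header
	c := checksum(acc, l4)
	if pkt[9] == 17 && c == 0 {
		c = 0xffff // UDP transmits a computed zero as all ones
	}
	binary.BigEndian.PutUint16(l4[off:], c)
	return nil
}

func main() {
	pkt := []byte{0x45, 0, 0, 28, 0, 0, 0x40, 0, 64, 17, 0xde, 0xad, 192, 0, 2, 1, 192, 0, 2, 2, 0x03, 0xe8, 0x07, 0xd0, 0, 8, 0xbe, 0xef} // constructed sample
	fmt.Printf("%v % x\n", FixIPv4Checksums(pkt), pkt)
}
```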
• PCAP mode: