12-04-2007 07:30 PM - edited 03-03-2019 07:47 PM
Hi Experts,
Once done with the IPsec configuration, I would like to test and verify the traffic by using debug/show commands.
Any debug/show commands that can help me to differentiate non-encrypted and encrypted traffic?
OR
how can I observe which one is encrypted and which is not?
What I will do to show the customer is ping from the network I want to encrypt and ping from the non-encrypted network to prove the encryption is working on the router end.
Thanks in advance.
12-04-2007 07:52 PM
What type of devices are you using? I've seen ping response times increase by 10-20 ms for IPSEC encrypted traffic:
non IPSEC encrypted traffic (just GRE):
Sending 5, 100-byte ICMP Echos to 10.1.200.100, timeout is 2 seconds:
Packet sent with a source address of 10.210.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/36 ms
IPSEC encrypted ping:
Sending 5, 100-byte ICMP Echos to 10.23.1.4, timeout is 2 seconds:
Packet sent with a source address of 10.21.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/88 ms
Average went up by 20ms. Source device was the same in both cases, and actually the destination device was an extra hop for the NON-IPSEC encrypted traffic.
-brad
(please rate the post if this helps!)
12-04-2007 08:23 PM
The command you are looking for is show crypto ipsec sa
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_s1h.htm#wp1209783
The counter will be displayed along with the interesting traffic.
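As an added illustration, not from the thread: a script that compares two snapshots of "show crypto ipsec sa" taken before and after the test ping and reports whether the SA's encaps/decaps counters advanced by the number of packets sent. The sample output is constructed, trimmed to the lines the script reads, and assumes a single SA between the proxy identities 10.21.0.0/16 and 10.23.0.0/16.

```python
import re

# Constructed sample of the relevant lines from "show crypto ipsec sa", captured
# before a 5-packet ping from the protected LAN. A real capture has many more
# lines (peer, SPIs, transform set); only the fields parsed below are used.
BEFORE = """\
   local  ident (addr/mask/prot/port): (10.21.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.23.0.0/255.255.0.0/0/0)
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
    #send errors 0, #recv errors 0
"""
AFTER = BEFORE.replace("120", "125").replace("118", "123")  # every counter moved by 5

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")


def parse_sa(text):
    """Return one dict per SA: its proxy identities plus its packet counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local":  # a new SA block starts with its local ident
                cur = {"counters": {}}
                sas.append(cur)
            cur[m.group(1)] = m.group(2)
        elif cur is not None:
            for name, val in COUNTER_RE.findall(line):
                cur["counters"][name] = int(val)
    return sas


def counter_delta(before, after):
    """Growth of each SA's counters between two snapshots, keyed by (local, remote)."""
    prev = {(s["local"], s["remote"]): s["counters"] for s in parse_sa(before)}
    delta = {}
    for s in parse_sa(after):
        key = (s["local"], s["remote"])
        old = prev.get(key, {})
        delta[key] = {k: v - old.get(k, 0) for k, v in s["counters"].items()}
    return delta


def traffic_was_encrypted(before, after, pings_sent=5):
    """True if some SA both encapsulated and decapsulated >= pings_sent packets.
    Only encaps moving means the echo replies came back in the clear or not at all."""
    return any(d.get("encaps", 0) >= pings_sent and d.get("decaps", 0) >= pings_sent
               for d in counter_delta(before, after).values())
```

Pinging from the non-encrypted network and taking the same two snapshots should leave every counter unchanged, which is the contrast to show the customer.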
12-04-2007 09:08 PM
Okay, thanks guys.
I will come back to the forum again with my findings to let you all know about it.
Thanks again.
12-04-2007 09:16 PM
You're welcome. Show the customer the ping response differences. It makes a good impression. :)
G/L
-brad
(please rate the post if I helped ya!)
12-04-2007 10:17 PM
Brad,
Since you brought this up, well,
can I know what the parameter below means for the echo/ICMP?
round-trip min/avg/max = 16/20/36 ms
And if customers ask why "avg" differs if it is IPsec traffic, what will the answer be?
Thanks!
12-04-2007 10:30 PM
avg = average response time in milliseconds. The average response time for the traffic through the IPSEC tunnel is going to be higher than the traffic not going through the tunnel. It's a great way to demonstrate which traffic is going through the IPSEC tunnel.
-brad
(please rate the post if this helps!)