12-04-2007 07:30 PM - edited 03-03-2019 07:47 PM
Hi Experts,
Once done with the IPsec configuration, I would like to test and verify the traffic by using debug/show commands.
Any debug/show commands that can help me to differentiate non-encrypted and encrypted traffic?
OR
How can I observe which one is encrypted and non-encrypted?
What I will do to show the customer is to ping from the network I want to encrypt and ping from the non-encrypted network to prove the encryption is working on the router end.
Thanks in advance.
12-04-2007 07:52 PM
What type of devices are you using? I've seen ping response times increase by 10-20ms for IPSEC encrypted traffic:
non IPSEC encrypted traffic (just GRE):
Sending 5, 100-byte ICMP Echos to 10.1.200.100, timeout is 2 seconds:
Packet sent with a source address of 10.210.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/36 ms
IPSEC encrypted ping:
Sending 5, 100-byte ICMP Echos to 10.23.1.4, timeout is 2 seconds:
Packet sent with a source address of 10.21.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/88 ms
Average went up by 20ms. Source device was the same in both cases, and actually the destination device was an extra hop for the NON-IPSEC encrypted traffic.
-brad
(please rate the post if this helps!)
12-04-2007 08:23 PM
The command you are looking for is show crypto ipsec sa.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_s1h.htm#wp1209783
The counter will be displayed along with the interesting traffic.
12-04-2007 09:08 PM
Okie, thanks guys.
I will come back to the forum again with my findings to let you all know about it.
Thanks again.
12-04-2007 09:16 PM
You're welcome. Show the customer the ping response differences. It makes a good impression. :)
G/L
-brad
(please rate the post if I helped ya!)
12-04-2007 10:17 PM
Brad,
Since you brought up this, well,
can I know what the parameter below means for the echo/ICMP?
round-trip min/avg/max = 16/20/36 ms
And if customers ask why "avg" differs if it is IPsec traffic, what will the answer be?
Thanks!
12-04-2007 10:30 PM
avg = average response time in milliseconds. The average response time for the traffic through the IPSEC tunnel is going to be higher than the traffic not going through the tunnel. It's a great way to demonstrate which traffic is going through the ipsec tunnel.
-brad
(please rate the post if this helps!)
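As an added example (not from any poster in this thread), a small Python helper that applies both checks discussed above: it parses the IOS ping summary line for the avg RTT, and diffs the `#pkts encaps/decaps` counters from `show crypto ipsec sa` captured before and after a test ping, which is the direct evidence that the echoes were encrypted. The ping lines are the ones quoted in the thread; the SA counter snippets and their values are constructed samples.

```python
import re

# Ping summary lines quoted in the thread (GRE-only vs. IPsec-encrypted path).
PING_GRE = "Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/36 ms"
PING_IPSEC = "Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/88 ms"

# Constructed sample of the per-SA counters 'show crypto ipsec sa' prints,
# captured (hypothetically) before and after the five-packet IPsec ping.
SA_BEFORE = """\
   #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
   #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""
SA_AFTER = """\
   #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
   #pkts decaps: 123, #pkts decrypt: 123, #pkts verify: 123
"""

PING_RE = re.compile(r"round-trip min/avg/max = (\d+)/(\d+)/(\d+) ms")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")


def parse_ping(line):
    """Return (min, avg, max) round-trip time in ms from an IOS ping summary."""
    m = PING_RE.search(line)
    if not m:
        raise ValueError("no round-trip summary in: %r" % line)
    return tuple(int(x) for x in m.groups())


def parse_sa_counters(text):
    """Return {'encaps': n, 'decaps': n, ...} from show crypto ipsec sa output."""
    return {name: int(val) for name, val in COUNTER_RE.findall(text)}


def counter_delta(before, after):
    """How much each SA counter grew between two captures."""
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    return {k: a[k] - b[k] for k in a if k in b}


def ping_went_through_tunnel(before, after, sent):
    """True if both encaps and decaps grew by at least the number of echoes sent."""
    d = counter_delta(before, after)
    return d.get("encaps", 0) >= sent and d.get("decaps", 0) >= sent


def avg_rtt_increase(plain_line, ipsec_line):
    """Difference in avg RTT (ms) between the plain and the IPsec ping."""
    return parse_ping(ipsec_line)[1] - parse_ping(plain_line)[1]


if __name__ == "__main__":
    print("avg RTT increase:", avg_rtt_increase(PING_GRE, PING_IPSEC), "ms")
    print("SA counters grew by:", counter_delta(SA_BEFORE, SA_AFTER))
    print("ping was encrypted:", ping_went_through_tunnel(SA_BEFORE, SA_AFTER, 5))
```

The RTT difference alone is only circumstantial (latency can rise for other reasons); the counter delta matching the number of echoes sent is the check to show the customer.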