IPSEC: How can I verify encrypted and non-encrypted traffic?

cindylee27
Level 1

Hi Experts,

Once done with the IPsec configuration, I would like to test and verify the traffic by using debug/show commands.

Any debug/show commands that can help me differentiate non-encrypted and encrypted traffic?

OR

How can I observe which one is encrypted and which is non-encrypted?

What I will do to show the customer is to ping from the network I want to encrypt and ping from the non-encrypted network, to prove that the encryption is working on the router end.

Thanks in advance.

6 Replies

ccbootcamp
Level 7

What type of devices are you using? I've seen ping response times increase by 10-20 ms for IPSEC encrypted traffic:

non IPSEC encrypted traffic (just GRE):

Sending 5, 100-byte ICMP Echos to 10.1.200.100, timeout is 2 seconds:
Packet sent with a source address of 10.210.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/36 ms

IPSEC encrypted ping:

Sending 5, 100-byte ICMP Echos to 10.23.1.4, timeout is 2 seconds:
Packet sent with a source address of 10.21.1.200
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/88 ms

Average went up by 20ms. Source device was the same in both cases, and actually the destination device was an extra hop for the NON-IPSEC encrypted traffic.

-brad

www.ccbootcamp.com

(please rate the post if this helps!)

Edison Ortiz
Hall of Fame

The command you are looking for is show crypto ipsec sa.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cr/hsec_r/sec_s1h.htm#wp1209783

The counter will be displayed along with the interesting traffic.
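As an added example (not part of the thread, and not Cisco's code), the following Python script turns the `show crypto ipsec sa` suggestion into a repeatable check: capture the output before and after the test ping, and confirm that the `#pkts encaps` / `#pkts decaps` counters of the SA whose traffic selector covers the ping grew by the number of packets sent. The two snapshots are constructed text that follows the IOS `show crypto ipsec sa` layout; the 10.21.1.0/24 and 10.23.1.0/24 selectors match the encrypted ping quoted earlier in the thread, and the peer addresses are documentation-range placeholders.

```python
"""Confirm that traffic left the router encrypted by diffing the per-SA
packet counters from two snapshots of `show crypto ipsec sa`.

Added example, not code from the thread or from Cisco. The snapshots are
constructed text modelled on the IOS `show crypto ipsec sa` layout.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple

# Traffic selector lines, e.g.
#   "local  ident (addr/mask/prot/port): (10.21.1.0/255.255.255.0/0/0)"
IDENT_RE = re.compile(
    r"\b(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)
# Encapsulation counters, e.g.
#   "#pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120"
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


@dataclass(frozen=True)
class SaCounters:
    local: str    # local traffic selector as addr/mask
    remote: str   # remote traffic selector as addr/mask
    encaps: int   # packets encapsulated (outbound, encrypted)
    decaps: int   # packets decapsulated (inbound, decrypted)


def parse_ipsec_sa(text: str) -> Dict[Tuple[str, str], SaCounters]:
    """Parse counters keyed by (local ident, remote ident).

    Each SA block starts with a 'local ident' line; the 'remote ident' and
    '#pkts' lines that follow belong to that block.
    """
    blocks = {}
    current = None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            kind, addr, mask = m.groups()
            if kind == "local":
                current = {"local": f"{addr}/{mask}", "remote": None,
                           "encaps": 0, "decaps": 0}
            elif current is not None:
                current["remote"] = f"{addr}/{mask}"
                blocks[(current["local"], current["remote"])] = current
            continue
        m = COUNTER_RE.search(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2))
    return {k: SaCounters(v["local"], v["remote"], v["encaps"], v["decaps"])
            for k, v in blocks.items()}


def counter_delta(before: str, after: str) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """(encaps, decaps) growth per SA between two snapshots.

    An SA present only in `after` counts from zero. Non-zero encaps growth
    means packets matched that SA's crypto ACL and were sent encrypted.
    """
    old = parse_ipsec_sa(before)
    delta = {}
    for key, sa in parse_ipsec_sa(after).items():
        prev = old.get(key)
        delta[key] = (sa.encaps - (prev.encaps if prev else 0),
                      sa.decaps - (prev.decaps if prev else 0))
    return delta


def ping_was_encrypted(before: str, after: str, count: int = 5) -> bool:
    """True if some SA encapsulated at least `count` packets between the
    snapshots, i.e. the test ping went through the tunnel, not in the clear."""
    return any(enc >= count for enc, _ in counter_delta(before, after).values())


# Constructed snapshots: one SA, taken before and after a 5-packet ping from
# 10.21.1.200 to 10.23.1.4 (the encrypted pair from the thread).
BEFORE = """\
interface: Serial0/0
    Crypto map tag: VPN, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.21.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.23.1.0/255.255.255.0/0/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""
AFTER = BEFORE.replace("encaps: 120", "encaps: 125").replace("decaps: 118", "decaps: 123")

if __name__ == "__main__":
    for (local, remote), (enc, dec) in counter_delta(BEFORE, AFTER).items():
        print(f"{local} -> {remote}: +{enc} encaps, +{dec} decaps")
    print("ping went through the tunnel:", ping_was_encrypted(BEFORE, AFTER))
```

A ping from the non-encrypted network leaves every `#pkts encaps` counter unchanged, so the before/after pair gives the customer a direct yes/no answer for each subnet rather than an inference from latency.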

Okie, thanks guys.

I will come back to the forum again with my findings to let you all know about it.

Thanks again.

You're welcome. Show the customer the ping response differences. It makes a good impression. :)

G/L

-brad

http://www.ccbootcamp.com

(please rate the post if I helped ya!)

Brad,

Since you brought this up... well,

can I know what the parameter below means for the echo/ICMP?

round-trip min/avg/max = 16/20/36 ms

And if customers ask why "avg" differs if it is IPsec traffic, what will the answer be?

Thanks!

avg = average response time in milliseconds. The average response time for the traffic through the IPSEC tunnel is going to be higher than the traffic not going through the tunnel. It's a great way to demonstrate which traffic is going through the ipsec tunnel.

-brad

www.ccbootcamp.com

(please rate the post if this helps!)
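The latency comparison above, as an added example that is not part of the thread: a small Python parser for the IOS ping summary line that extracts min/avg/max and reports the extra average round-trip time of the tunnelled ping. The two summary lines are the ones quoted earlier in the thread; the third, a ping with no replies, is constructed to show the edge case where IOS prints no round-trip figures at all. A latency difference depends on the path and on whether the router has hardware crypto, so treat it as a demonstration aid; the SA counters are what confirm encapsulation.

```python
"""Compare the round-trip summary of two IOS pings, as used in the thread to
show that one path goes through the IPsec tunnel.

Added example, not from the thread. CLEAR and TUNNEL are the summary lines
quoted in the thread; FAILED is constructed.
"""
import re
from typing import Optional

# "Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/36 ms"
# The round-trip part is absent when no echo reply came back.
SUMMARY_RE = re.compile(
    r"Success rate is (\d+) percent \((\d+)/(\d+)\)"
    r"(?:, round-trip min/avg/max = (\d+)/(\d+)/(\d+) ms)?"
)


def parse_ping_summary(line: str) -> dict:
    """Fields of an IOS 'Success rate is ...' line; rtt_ms is None when nothing replied."""
    m = SUMMARY_RE.search(line)
    if not m:
        raise ValueError(f"not an IOS ping summary: {line!r}")
    pct, received, sent, mn, avg, mx = m.groups()
    return {
        "success_pct": int(pct),
        "received": int(received),
        "sent": int(sent),
        # (min, avg, max) in milliseconds
        "rtt_ms": None if avg is None else (int(mn), int(avg), int(mx)),
    }


def avg_rtt_increase_ms(clear_line: str, tunnel_line: str) -> Optional[int]:
    """Average RTT of the tunnelled ping minus that of the clear-text ping.

    Returns None if either ping had no replies, so a dead tunnel is not
    mistaken for a fast one.
    """
    clear = parse_ping_summary(clear_line)
    tunnel = parse_ping_summary(tunnel_line)
    if clear["rtt_ms"] is None or tunnel["rtt_ms"] is None:
        return None
    return tunnel["rtt_ms"][1] - clear["rtt_ms"][1]


CLEAR = "Success rate is 100 percent (5/5), round-trip min/avg/max = 16/20/36 ms"
TUNNEL = "Success rate is 100 percent (5/5), round-trip min/avg/max = 16/41/88 ms"
FAILED = "Success rate is 0 percent (0/5)"   # constructed: no replies, no RTT field

if __name__ == "__main__":
    print("extra average latency through the tunnel:",
          avg_rtt_increase_ms(CLEAR, TUNNEL), "ms")
    print("with a ping that got no replies:", avg_rtt_increase_ms(CLEAR, FAILED))
```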
