I have set up this IPSEC config and I am a little confused, as the packet that is sent only has an IPSEC-made header and I don't see the original IP header even though I am running IPSEC in transport mode.
I am using basic ethereal to capture the packet.
Is this correct? According to the "deploying IPSEC reference guide" you should see the original IP header and then the IPSEC header?
Please can someone confirm this. Packet decode at the bottom of this post.
crypto isakmp policy 1
crypto isakmp key kenny address 22.214.171.124
crypto ipsec transform-set KEN esp-des esp-md5-hmac
! transform set not in use
crypto ipsec transform-set KEN1 ah-md5-hmac
then we see the ESP packet. Some things within the original IP header will be changed, like the Protocol (will be made ESP), and the checksum obviously, but the source and dest IP address should remain intact.
I presume from this that, as you say, you pinged from 126.96.36.199 to 188.8.131.52, so the ICMP portion of the packet is now encrypted, but the original IP header is still there with its original src/dest; just the protocol has changed from ICMP to ESP.
Try doing tunnel mode and capturing one of those packets and you should be able to see the difference.
I think the main issue you're having is that you're pinging from and to the IPSec peers, so you're seeing 184.108.40.206 and 220.127.116.11 everywhere, but this is both your IPSec endpoints AND your data endpoints, so it looks like things aren't working right. If you had other ethernet ports on these routers and pinged from hosts behind these routers, you'd see the original IP addresses in the IP header then, and they'd be different to the IPSec peers so it'd be more obvious what was happening.
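To make that difference concrete, here is an added Python example (not from the original post or from Cisco) that builds a constructed transport-mode and a constructed tunnel-mode ESP packet with the addresses above and decodes what a capture tool sees without the SA keys. The "encrypted" payload is a plaintext stand-in and the ESP trailer/ICV are omitted; the host addresses 10.1.1.5 and 10.2.2.5 behind the peers are assumed.

```python
import struct
import ipaddress

ESP_PROTO = 50   # IP protocol number carried in the outer header for ESP
ICMP_PROTO = 1

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def esp_wrap(spi: int, seq: int, protected: bytes) -> bytes:
    # ESP header (SPI, sequence number) then the protected data.
    # Constructed stand-in: real ESP encrypts this and appends a trailer and ICV.
    return struct.pack("!II", spi, seq) + protected

def transport_mode(src: str, dst: str, icmp: bytes) -> bytes:
    # Original IP header kept, protocol field rewritten to ESP; only ICMP is hidden.
    esp = esp_wrap(0x1000, 1, icmp)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp

def tunnel_mode(peer_src: str, peer_dst: str, host_src: str, host_dst: str, icmp: bytes) -> bytes:
    # Whole original IP packet goes inside ESP; a new outer header carries the peers.
    inner = ipv4_header(host_src, host_dst, ICMP_PROTO, len(icmp)) + icmp
    esp = esp_wrap(0x2000, 1, inner)
    return ipv4_header(peer_src, peer_dst, ESP_PROTO, len(esp)) + esp

def decode_outer(pkt: bytes) -> dict:
    """What a sniffer shows without the SA keys: outer IP fields plus ESP SPI/sequence."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0}
    if info["proto"] == ESP_PROTO:
        info["spi"], info["seq"] = struct.unpack("!II", pkt[ihl:ihl + 8])
    return info

ICMP_ECHO = b"\x08\x00\xf7\xff\x00\x00\x00\x00"  # constructed echo request, no data
```

Decoding `transport_mode("126.96.36.199", "188.8.131.52", ICMP_ECHO)` shows the ping's own addresses with protocol 50, while the tunnel-mode packet shows only the peer addresses; the hosts behind them are not visible in the outer header.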