topic Re: Not seeing ESP or IPSEC packets with Packet-Capturing in Network Security

Not seeing ESP or IPSEC packets with Packet-Capturing

CiscoBrownBelt — Fri, 21 Feb 2020 17:10:08 GMT

When conducting on ASA a Packet-Capture filtering the 1 and only subnet of interesting traffic to use IPSEC tunnel as source to ANY, I am not seeing any ESP or IPSEC traffic on the Egress interface when viewing the PCAP in Wireshark.

show crypto ipsec and show ikev2 show the sa and packets being crypt and decrypt.

Any ideas?

Re: Not seeing ESP or IPSEC packets with Packet-Capturing

Jon Major — Fri, 24 May 2019 18:55:11 GMT

@CiscoBrownBelt wrote:
When conducting on ASA a Packet-Capture filtering the 1 and only subnet of interesting traffic to use IPSEC tunnel as source to ANY, I am not seeing any ESP or IPSEC traffic on the Egress interface when viewing the PCAP in Wireshark.
show crypto ipsec and show ikev2 show the sa and packets being crypt and decrypt.
Any ideas?

Are you filtering the capture based on interesting traffic (i.e. as defined in the ACL tied to your crypto map) or are you filter the capture based on the tunnel endpoints (i.e. the IP in the set peer field of the crypto map, and/or your firewall's IP)?

Re: Not seeing ESP or IPSEC packets with Packet-Capturing

CiscoBrownBelt — Tue, 28 May 2019 17:16:10 GMT

Filtering based on interesting traffic.

Re: Not seeing ESP or IPSEC packets with Packet-Capturing

Rob Ingram — Tue, 28 May 2019 17:57:53 GMT

Hi,
The interesting traffic will be encapsulated inside the ESP packets, these will be between the VPN peer IP addresses - you will never see the interesting traffic network on egress.

HTH

Re: Not seeing ESP or IPSEC packets with Packet-Capturing

CiscoBrownBelt — Tue, 28 May 2019 18:12:35 GMT

Awesome thanks!
So you saying I will not see any ESP packets at all on the Egress interface only on the Ingress correct?

Re: Not seeing ESP or IPSEC packets with Packet-Capturing

Rob Ingram — Tue, 28 May 2019 18:44:43 GMT

You will see ESP packets on the egress, but between the VPN peer IP addresses (the external/outside interface of the router/firewall) only - the interesting traffic IP addresses will be encapsulated inside the ESP packets, the interesting traffic IP addresses themselves will not be visible on egress.

HTH

Re: Not seeing ESP or IPSEC packets with Packet-Capturing

Jon Major — Tue, 28 May 2019 19:03:15 GMT

@Rob Ingram wrote:
You will see ESP packets on the egress, but between the VPN peer IP addresses (the external/outside interface of the router/firewall) only - the interesting traffic IP addresses will be encapsulated inside the ESP packets, the interesting traffic IP addresses themselves will not be visible on egress.

HTH

What he said :D. ESP is the outer encapsulation around the packets sent between devices in your interesting traffic. For example, if your two firewalls are OUTSIDE/208.1.1.1 and OUTSIDE/209.1.1.1 and your interesting traffic is 192.168.1.0/24 -> 192.168.2.0/24 and you're looking at a telnet between 192.168.1.10:2432 -> 192.168.2.20:23, IPsec (tunnel mode) is going to encapsulate the original IP header (Src: 192.168.1.10,,Dst:192.168.2.10) and add new ESP header that's 208.1.1.1 -> 209.1.1.1.

There are some caveats with the above, like IPsec transport mode, but that's a good rule of thumb to follow.