how to know Packet Loss and IPSec or GRE Over IPSec ?

UCrypto · ‎04-24-2018

Dear all,

Please kindly see and help me. we are running 6 x VPN Tunnel links (point to point ).This configuration is using for HUB router (HP Router).

I would like to know this config is IPSec or GRE over IPSec ? can get for performance issue if we carry vedio traffic over VPN tunnel. ?May i know this configuration will occur overhead ? I also confuse in MTU size 1560 for GRE tunnel. When i see the tunnel statics (dis ipsec sa) Tunnel MTU size display 1748 .i would like to know It is correct or will it occur fragmentation ? How can i see packet drop also ?

interface GigabitEthernet0/0/1
port link-mode route
ip address 10.1.10.1 255.255.255.0
ipsec apply policy test

interface Tunnel1 mode gre
mtu 1560
ip address 1.1.1.1 255.255.255.254
source 10.1.10.1
destination 10.1.10.2
keepalive 3 3

ip route-static 1.1.1.2 32 10.1.10.2

acl number 3200
rule 0 permit ip source 1.1.1.1 0 destination 1.1.1.2 0
rule 20 permit gre source 10.1.10.1 0 destination 10.1.10.2 0
#
ipsec policy test 1 isakmp
transform-set trans1
security acl 3200
remote-address 10.1.10.2
ike-profile 1
!
ike profile 1
certificate domain test1
local-identity address 10.1.10.1
match remote identity address 10.1.10.2 255.255.255.255
proposal 1

[R1]dis ipsec sa
Interface: GigabitEthernet0/0/1
-------------------------------

-----------------------------
IPsec policy: test
Sequence number: 1
Mode: isakmp
-----------------------------
Tunnel id: 1
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1487
Tunnel:
local address: 10.1.10.1
remote address: 10.1.10.2
Flow:
sour addr: 10.1.10.1/255.255.255.255 port: 0 protocol: gre
dest addr: 10.1.10.2/255.255.255.255 port: 0 protocol: gre

[Inbound ESP SAs]
SPI: 978341176 (0x3a504d38)
Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1756945/3214
Max received sequence-number: 0
Anti-replay check enable: N
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active

[Outbound ESP SAs]
SPI: 908590297 (0x3627fcd9)
Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 368564/3214
Max sent sequence-number: 1093318
UDP encapsulation used for NAT traversal: N
Status: Active

-----------------------------
IPsec policy: test
Sequence number: 2
Mode: isakmp
-----------------------------
Tunnel id: 2
Encapsulation mode: tunnel
Perfect forward secrecy:
Path MTU: 1487
Tunnel:
local address: 10.1.10.1
remote address: 10.1.10.3
Flow:
sour addr: 10.1.10.1/255.255.255.255 port: 0 protocol: gre
dest addr: 10.1.10.3/255.255.255.255 port: 0 protocol: gre

[Inbound ESP SAs]
SPI: 2191010093 (0x8298292d)
Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1842848/3352
Max received sequence-number: 0
Anti-replay check enable: N
Anti-replay window size:
UDP encapsulation used for NAT traversal: N
Status: Active

[Outbound ESP SAs]
SPI: 630706269 (0x2597d05d)
Transform set: ESP-ENCRYPT-AES-CBC-256 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 1843200/3600
SA remaining duration (kilobytes/sec): 1314060/3352
Max sent sequence-number: 716758
UDP encapsulation used for NAT traversal: N
Status: Active