01-02-2013 10:45 AM
Hi Everyone,
Site A Device A has a VPN tunnel to Site B Device B over the WAN link.
Note: here Devices A and B are the end devices; they connect to the ISP and do the encryption.
Site A Device X, which is an internal device, has a simple GRE tunnel to Site B's internal device.
My question is: how can I find out whether this GRE tunnel gets encrypted at Device A or not?
Currently encryption is only at Devices A and B.
Thanks
Mahesh
01-03-2013 09:16 AM
01-04-2013 06:29 AM
Mohammad is right - use a SPAN port and connect a sniffer.
In regard to the output of show crypto ipsec sa, you will only see traffic sourced by and destined to your IPSec endpoints, not individual traffic that is encrypted. As I mentioned above, that output would be only useful if you have a window during which you know that you should be expecting enough traffic from those endpoints that you could watch the counters on the IPSec connection and know if they were incrementing or not.
01-02-2013 10:55 AM
Have you utilized some of the "show" and "debug" commands to verify that the IPSec security associations have been created and are in place? Some of the "debug" commands can show traffic hitting the crypto map.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#ipsec_sa
What model routers are Device A and B? You may be able to use something like RITE to mirror the traffic exiting the interface to a sniffer for a definitive "Doubting Thomas" proof.
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/ht_rawip.html
Ed
01-02-2013 11:01 AM
Hi Edwin,
Thanks for replying back.
Traffic is encrypted and working fine between end devices A and B; they are 7200 routers.
My only question is to know whether an internal device like the 4500 at Site A, which has only a GRE tunnel to Site B, is encrypted or not.
On the 7200 devices can I check for the subnets or the GRE source and destination IPs to confirm whether it gets encrypted or not?
Thanks
Mahesh
01-02-2013 10:57 AM
There are a few ways.
One is to simply use debug and show output on the encrypting devices and see if you see the encryption occurring. For example, show crypto ipsec sa can give you a lot of information if you know what your traffic patterns are.
Another way would be to use wireshark to capture the traffic and simply identify whether it is encrypted or not.
Yet another way would be to set up an access-list to log GRE packets. If the GRE packets should be getting encrypted by IPSec you should not see any GRE packets leaving or entering your WAN link; they should all be IPSec. If that is the case then your access-list which permits (but logs) GRE activity should not increment.
01-02-2013 11:09 AM
Hi Adam,
Thanks for the reply.
When you say "show output on the encrypting devices and see if you see the encryption occurring. For example, show crypto ipsec sa can give you a lot of information if you know what your traffic patterns are":
If I run sh crypto ipsec sa on Device A, should I look for the GRE tunnel interface IP or its source and destination subnet IPs to confirm if GRE traffic is encrypted or not?
Thanks
Mahesh
01-02-2013 12:58 PM
Since you're passing GRE-encapsulated traffic to the IPSec tunnel endpoints, you need to ensure that the GRE tunnel endpoint IP addresses are the ones being marked as interesting by your crypto map. So the IPSec SA should show the GRE tunnel endpoints. Those are the IP addresses that either IPsec device will see, as the traffic is already encapsulated and apparently on its way to the other GRE tunnel endpoint.
Other than that I'm not sure I understand your question, as I thought Adam Black's answer would provide enough detail to go on. In the end, the most definitive "proof for the Project Manager" solution would be to either use ACL logging or sniffing, as was suggested earlier.
Best,
Ed
01-03-2013 07:53 AM
Hi Edwin,
The IPsec VPN on the 7200 does not show the GRE tunnel endpoints.
The 7200 device at Site A connects to the ISP and then to the Site B 7200.
The 4500s are devices internal to the network on sides A and B.
The 4500 has a GRE tunnel to Site B.
I checked sh crypto ipsec sa on the 7200; it does not show the tunnel interface or the source and destination IP addresses.
Can you tell me which debug command can be used on the 7200 to see if the GRE subnet IP is encrypted or not as it passes through the 7200?
Thanks
Mahesh
01-02-2013 11:38 AM
If you run "show crypto ipsec sa" on the box that performs the IPSec encryption you can see statistics on how much data it has encrypted and/or decrypted with a particular peer. If you know your traffic patterns you may be able to watch the counters and verify whether they are incrementing as much as you would expect if they were encrypting all of the GRE packets or not. For many deployments this is not an option, but where it is it's very fast.
Using access-lists that permit (but log) traffic may give you the most definitive answer. With logging enabled on ACL's you could verify not only IF GRE traffic was crossing the link but what peers were not hitting your IPSec encrypting device properly.
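Two of the checks in this thread can be done from a saved copy of show crypto ipsec sa: Ed's point that the crypto ACL has to select the GRE tunnel endpoints (which then appear in the local/remote ident lines), and Adam's approach above of watching the encaps counters across a window of known GRE traffic. The Python below is an added example, not code or output from this thread. The sample text is constructed to follow the layout of the IOS show crypto ipsec sa output; the addresses (10.1.1.1 and 10.2.2.2 as the 4500 GRE endpoints, 192.168.10.0/24 and 192.168.20.0/24 as site subnets, 198.51.100.1 and 203.0.113.2 as the 7200 peers), the counter values and the function names are assumptions made for the example, and the "after" snapshot is produced by editing the counters of the first one.

```python
import ipaddress
import re

GRE = 47  # IP protocol number for GRE; proto 0 in an ident line means "ip" (any protocol)

# Constructed sample modelled on the layout of Cisco IOS "show crypto ipsec sa".
# Addresses, peer and counters are assumptions for this example, not the poster's output.
SA_BEFORE = """\
interface: GigabitEthernet0/0
    Crypto map tag: WANMAP, local addr 198.51.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 55000, #pkts encrypt: 55000, #pkts digest: 55000
    #pkts decaps: 54210, #pkts decrypt: 54210, #pkts verify: 54210

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.2.2.2/255.255.255.255/47/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180
"""
# Second snapshot, as if taken after a window in which the GRE tunnel was known to be busy.
SA_AFTER = (SA_BEFORE.replace("#pkts encaps: 1200", "#pkts encaps: 1700")
                     .replace("#pkts decaps: 1180", "#pkts decaps: 1650"))

IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/\s]+)/([^/\s]+)/(\d+)/(\d+)\)")
PEER_RE = re.compile(r"current_peer (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA: local/remote selector networks, protocol, peer, counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask, proto, _port = m.groups()
            if side == "local":  # IOS prints the local ident first: start a new record
                cur = {"peer": None, "encaps": 0, "decaps": 0}
                sas.append(cur)
            if cur is None:
                continue
            cur[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            cur[side + "_proto"] = int(proto)
            continue
        if cur is None:
            continue
        for key, rx in (("peer", PEER_RE), ("encaps", ENCAPS_RE), ("decaps", DECAPS_RE)):
            m = rx.search(line)
            if m:
                cur[key] = m.group(1) if key == "peer" else int(m.group(1))
                break
    return sas


def sa_covering_gre(sas, gre_src, gre_dst):
    """The SA whose selectors would catch GRE from gre_src to gre_dst, or None when the flow
    matches no crypto ACL entry and therefore leaves the router in the clear."""
    src, dst = ipaddress.ip_address(gre_src), ipaddress.ip_address(gre_dst)
    for sa in sas:
        if "local" not in sa or "remote" not in sa:
            continue
        if src in sa["local"] and dst in sa["remote"] and sa["local_proto"] in (0, GRE):
            return sa
    return None


def encaps_delta(before_text, after_text, gre_src, gre_dst):
    """Growth of the encaps counter for the SA covering the GRE flow between two snapshots;
    None when no SA covers the flow (there is nothing to count: it is not being encrypted)."""
    before = sa_covering_gre(parse_ipsec_sa(before_text), gre_src, gre_dst)
    after = sa_covering_gre(parse_ipsec_sa(after_text), gre_src, gre_dst)
    if before is None or after is None:
        return None
    return after["encaps"] - before["encaps"]


if __name__ == "__main__":
    for flow in (("10.1.1.1", "10.2.2.2"), ("10.1.1.5", "10.2.2.2")):
        sa = sa_covering_gre(parse_ipsec_sa(SA_BEFORE), *flow)
        print(flow, "covered by SA to peer", sa["peer"] if sa else None,
              "encaps grew by", encaps_delta(SA_BEFORE, SA_AFTER, *flow))
```

The second flow in the usage run is the situation Mahesh describes: a crypto map only encrypts what its ACL selects, and a GRE tunnel whose endpoints fall outside every ident line is routed past the crypto map unencrypted rather than dropped, so "no matching SA" is itself the answer, and no debug session is needed to get it.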
01-02-2013 11:09 AM
A simple GRE tunnel is not really encrypted. If you want to encrypt it you can apply IPSec encryption to it, and it requires a couple of slight adjustments. It is called IPSec over GRE. Here is a good link:
01-02-2013 11:12 AM
Hi Ali,
I know GRE does not provide encryption.
Please read my question carefully.
Thanks for the reply.
Mahesh
01-02-2013 11:51 AM
What do you mean currently there is only encryption at Device A and B, but then you mention that there is no encryption between Site A and B's internal devices (and you said the internal devices are the Cisco 7200 routers doing the GRE tunnel)?
Basically if you have a GRE tunnel from Site A (Device A - Cisco 7200) to Site B (Device B - Cisco 7200) it is not encrypted. GRE is not an encryption protocol; it is encapsulation only. Now if you want to see the data inside the GRE tunnel you will have to use Wireshark. Span the port or put a tap, whatever you prefer, and then do a Wireshark capture.
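The SPAN/tap capture Mohammad describes, the RITE mirror Ed mentions and Adam's permit-and-log GRE ACL all come down to one question: is there any protocol 47 (GRE) traffic on the WAN side of the 7200, where only ESP (protocol 50) should be seen? The Python below is an added example, not code from this thread or from Cisco. It constructs a small three-packet capture as raw IPv4 bytes (no pcap library needed), classifies each packet as ESP, GRE or other, and for any GRE packet decodes the inner IP header to show that the payload is readable, which is what "GRE is encapsulation, not encryption" means in practice. The addresses, SPI, sequence number and payload bytes are made up for the example, and the function names are assumptions.

```python
import ipaddress
import struct

PROTO_GRE, PROTO_ESP = 47, 50

# Hypothetical addresses for the example: 4500 GRE endpoints and 7200 IPsec peers.
TUNNEL_A, TUNNEL_B = "10.1.1.1", "10.2.2.2"
WAN_A, WAN_B = "198.51.100.1", "203.0.113.2"


def ipv4_checksum(header):
    """One's-complement checksum over the header bytes; 0 when the header is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 packet (20-byte header, correct checksum) used to construct the capture."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_gre(src, dst, inner, key=None):
    """GRE-in-IPv4 carrying `inner`; with a key the K bit is set and a 4-byte key follows."""
    hdr = struct.pack("!HH", 0x2000 if key is not None else 0, 0x0800)
    if key is not None:
        hdr += struct.pack("!I", key)
    return build_ipv4(src, dst, PROTO_GRE, hdr + inner)


def parse_ipv4(packet):
    """Return (src, dst, proto, payload); rejects anything that is not a sane IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated header")
    if ipv4_checksum(bytes(packet[:ihl])) != 0:
        raise ValueError("bad header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = str(ipaddress.IPv4Address(bytes(packet[12:16])))
    dst = str(ipaddress.IPv4Address(bytes(packet[16:20])))
    return src, dst, packet[9], bytes(packet[ihl:total_len])


def classify(packet):
    """Label a WAN-side packet ESP, GRE or other; for GRE, decode the cleartext inner header."""
    src, dst, proto, payload = parse_ipv4(packet)
    rec = {"src": src, "dst": dst, "proto": proto, "kind": "other"}
    if proto == PROTO_ESP:
        rec["kind"] = "ESP"
        rec["spi"], rec["seq"] = struct.unpack("!II", payload[:8])  # only the ESP header is readable
    elif proto == PROTO_GRE:
        rec["kind"] = "GRE"
        flags, ptype = struct.unpack("!HH", payload[:4])
        off = 4                             # base header: flags/version + protocol type
        off += 4 if flags & 0x8000 else 0   # C bit: checksum + reserved
        off += 4 if flags & 0x2000 else 0   # K bit: key
        off += 4 if flags & 0x1000 else 0   # S bit: sequence number
        if ptype == 0x0800:                 # inner IPv4: everything the tunnel carries is visible
            rec["inner_src"], rec["inner_dst"], rec["inner_proto"], _ = parse_ipv4(payload[off:])
    return rec


def find_cleartext_gre(packets):
    """Software equivalent of a permit-and-log GRE ACL on the WAN interface: every GRE packet
    seen here should have been ESP, so each hit is traffic the crypto map did not catch."""
    return [r for r in map(classify, packets) if r["kind"] == "GRE"]


def sample_capture():
    """Constructed three-packet capture of the 7200's WAN link (not real traffic)."""
    inner = build_ipv4("192.168.10.7", "192.168.20.9", 6, b"\x00\x50\x1f\x90" + b"hello")
    gre_in_clear = build_gre(TUNNEL_A, TUNNEL_B, inner)
    esp = build_ipv4(WAN_A, WAN_B, PROTO_ESP, struct.pack("!II", 0xC0FFEE, 42) + bytes(range(64)))
    icmp = build_ipv4(WAN_A, WAN_B, 1, b"\x08\x00\xf7\xff\x00\x00\x00\x00")
    return [esp, gre_in_clear, icmp]


if __name__ == "__main__":
    for leak in find_cleartext_gre(sample_capture()):
        print("cleartext GRE %s -> %s carrying %s -> %s proto %d" % (
            leak["src"], leak["dst"], leak["inner_src"], leak["inner_dst"], leak["inner_proto"]))
```

Against a real SPAN capture the same classification is the Wireshark display filter "gre" on the WAN-facing interface: an empty result is the proof that all GRE is inside ESP, and any hit shows exactly which inner hosts are crossing the ISP in the clear.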
01-02-2013 12:39 PM
Hi Ali,
The crypto map is running on the edge devices in Site A and B.
They have a VPN tunnel over the WAN on the 7200 devices.
Site A and B also have internal devices.
One such device at Site A, a 4500, has only a GRE tunnel to a Site B internal device, which is also a 4500.
Note the 7200 at each site has a connection to the ISP.
Hope that makes sense.
Thanks
Mahesh
01-02-2013 01:00 PM
Ok, so in addition to the site-to-site IPSec VPN using Cisco 7200s you also have a GRE tunnel between two Cisco 4500s?
01-02-2013 01:21 PM
Yes you are right.
I checked sh crypto ipsec sa on the 7200, but it does not have any peer or subnet which corresponds to the GRE tunnel interface or source and destination IP.
It seems the only option to use for now is a debug command, which I can only run in a maintenance window.
Do you know which debug command I can run on the 7200 to find if the GRE tunnel traffic is encrypted or not?
Thanks
Mahesh
01-02-2013 01:22 PM
Why don't you just do a packet capture on the 4500? I'm assuming the GRE tunnel is set up for multicast traffic or something?