Our customer believes the only way to verify data is being encrypted properly is to tap the fiber connections between our routers (encryptors). They are afraid that data might traverse the network that hasn't been encrypted.
I contend that using Cisco show commands such as show crypto session, show crypto isakmp sa, and show crypto ipsec sa validates that the VPN is set up correctly and providing data encryption.
Does anyone else have this scenario? Any suggestions on validating encryption would be greatly appreciated.
Once you know the packets are getting encrypted on the device, you can run a capture on the outside interface of the VPN-terminating device and use Wireshark to open the capture to do further analysis for encryption on the captured packets.
Refer to the following doc to capture the packets on the FW
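The check the answer above describes, as an added example that is not part of this thread: a small script that walks the packets seen on the outside interface and sorts them into IKE control traffic (UDP 500/4500), ESP/AH data plane, or cleartext, then flags any cleartext packet that still carries an address from a subnet the tunnel is supposed to protect. The sample capture, the peer addresses 203.0.113.1/198.51.100.1 and the protected subnets 10.1.0.0/16 and 10.2.0.0/16 are constructed for the example; with a real capture you would feed the IPv4 layer of each frame (from Wireshark's export or any pcap reader) to `classify()`/`audit()` instead of the constructed list.

```python
"""Audit packets captured on the outside interface of a VPN endpoint:
everything should be IKE (UDP 500/4500) or ESP/AH. A cleartext packet
that still carries a protected (inner) address is a potential leak."""
import ipaddress
import struct
from dataclasses import dataclass

ESP_PROTO, AH_PROTO, UDP_PROTO, ICMP_PROTO = 50, 51, 17, 1
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE over UDP 4500 starts with four zero bytes


@dataclass(frozen=True)
class Verdict:
    src: str
    dst: str
    kind: str  # "esp", "ah", "ike", "udp-esp" or "cleartext"


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (no options, checksum left 0) for the constructed sample."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Build a UDP header (checksum left 0) in front of payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(pkt: bytes) -> Verdict:
    """Decide whether one IPv4 packet is IPsec control plane, IPsec data plane, or cleartext."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    kind = "cleartext"
    if proto == ESP_PROTO:
        kind = "esp"
    elif proto == AH_PROTO:
        kind = "ah"
    elif proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if 4500 in (sport, dport):
            # NAT-T: IKE carries the non-ESP marker, UDP-encapsulated ESP starts with its SPI
            kind = "ike" if pkt[ihl + 8:ihl + 12] == NON_ESP_MARKER else "udp-esp"
        elif 500 in (sport, dport):
            kind = "ike"
    return Verdict(src, dst, kind)


def audit(packets, protected_nets):
    """Return the cleartext packets whose source or destination lies in a protected network."""
    nets = [ipaddress.ip_network(n) for n in protected_nets]
    leaks = []
    for pkt in packets:
        v = classify(pkt)
        if v.kind == "cleartext" and any(
            ipaddress.ip_address(a) in n for a in (v.src, v.dst) for n in nets
        ):
            leaks.append(v)
    return leaks


# Constructed sample capture (not from the thread): peers 203.0.113.1 and 198.51.100.1
# protecting 10.1.0.0/16 and 10.2.0.0/16. Payload bytes are filler, not real IKE/ESP.
SAMPLE = [
    ipv4("203.0.113.1", "198.51.100.1", ESP_PROTO, b"\x00\x00\x10\x01\x00\x00\x00\x07" + b"\xaa" * 32),
    ipv4("203.0.113.1", "198.51.100.1", UDP_PROTO, udp(500, 500, b"\x11" * 28)),
    ipv4("203.0.113.1", "198.51.100.1", UDP_PROTO, udp(4500, 4500, NON_ESP_MARKER + b"\x22" * 28)),
    ipv4("203.0.113.1", "198.51.100.1", UDP_PROTO, udp(4500, 4500, b"\x00\x00\x10\x01" + b"\x33" * 28)),
    ipv4("10.1.1.5", "10.2.2.7", ICMP_PROTO, b"\x08\x00\x00\x00ping"),        # leaked inner traffic
    ipv4("203.0.113.1", "192.0.2.10", UDP_PROTO, udp(40000, 123, b"\x23" * 48)),  # router's own NTP
]
PROTECTED = ["10.1.0.0/16", "10.2.0.0/16"]

if __name__ == "__main__":
    for p in SAMPLE:
        print(classify(p))
    for leak in audit(SAMPLE, PROTECTED):
        print("PLAINTEXT LEAK:", leak)
```

Run over a real outside-interface capture, an empty result from `audit()` is the evidence the customer is asking for: the only traffic leaving the encryptor is IKE and ESP, and no packet addressed to or from the protected subnets appears in the clear. The router's own management traffic (NTP, syslog, SSH) will show up as cleartext and is expected; that is why the audit keys on the protected address ranges rather than on "anything not ESP".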