
How to verify encryption (ISAKMP and IPsec) on VPN

hufa97
Level 1

Our customer believes the only way to verify data is being encrypted properly is to tap the fiber connections between our routers (encryptors). They are afraid that data might traverse the network that hasn't been encrypted.

I contend that using Cisco show commands such as crypto session, crypto isakmp sa, and crypto ipsec sa validates that the VPN is set up correctly and providing data encryption.

Does anyone else have this scenario? Any suggestions on validating encryption would be greatly appreciated.

Thank you.

Antonio

3 Replies

Marvin Rhoads
Hall of Fame

I agree the show commands provide a reasonable level of assurance.

For further demonstration one could run a debug to show the detailed step by step establishment of a tunnel.

One other method would be to span an output side port (assuming you have a switch in path) and show the customer a Wireshark (or other protocol analyzer) decode that includes the encrypted payload.

Alex Sykes
Level 1

Hi Antonio,

One thing that I've learnt recently that I find a very useful addition to the ones you've mentioned already is:

Packet-tracer input tcp detailed

This will show the traffic being allowed through the VPN, if indeed it is.

Regards

Alex

Hi Antonio,

You can use the following show commands on the ASA to check the ISAKMP and IPsec details and encrypted networks:

sh cry isa sa det

sh cry ipsec sa det

sh vpn-sessiondb det l2l

sh cry ipsec sa det peer

Please refer to the following link for router and ASA commands:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

Once you know the packets are getting encrypted on the device, you can run a capture on the outside interface of the VPN terminating device and use Wireshark to open the capture to do further analysis for encryption on the captured packet.

Refer to the following doc to capture the packet on the FW:

https://supportforums.cisco.com/docs/DOC-17345

Thanks and Regards,

ROHAN
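Marvin's SPAN/Wireshark decode and Rohan's capture on the outside interface both reduce to one check: between the tunnel endpoints only ESP (and IKE) should be seen, and nothing from the protected subnets should appear on that interface in the clear. The script below is an added example, not code from this thread or from Cisco; it applies that check to raw IPv4 packets. The peer addresses, protected networks and the packets themselves are constructed for the example (a real run would feed it the packets from the capture exported off the ASA or router).

```python
import socket
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

ESP, UDP, TCP = 50, 17, 6
IKE_PORTS = {500, 4500}  # ISAKMP, and NAT-T (which also carries UDP-encapsulated ESP)

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet for the constructed sample (checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def classify(pkt):
    """Return 'esp', 'ike', 'cleartext' or 'non-ipv4' for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "non-ipv4"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == ESP:
        return "esp"
    if proto == UDP and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if sport in IKE_PORTS or dport in IKE_PORTS:
            return "ike"
    return "cleartext"

def audit(pkts, protected):
    """Count classes; flag cleartext packets touching a protected net (outside, those must be inside ESP)."""
    nets = [ip_network(n) for n in protected]
    counts, leaks = Counter(), []
    for pkt in pkts:
        kind = classify(pkt)
        counts[kind] += 1
        if kind == "cleartext":
            src, dst = (ip_address(socket.inet_ntoa(pkt[o:o + 4])) for o in (12, 16))
            if any(src in n or dst in n for n in nets):
                leaks.append(f"{src} -> {dst} proto {pkt[9]}")
    return counts, leaks

PEER_A, PEER_B = "203.0.113.1", "198.51.100.1"  # constructed sample: assumed tunnel endpoints
SAMPLE = [
    ipv4(PEER_A, PEER_B, ESP, struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 48),  # SPI, seq, ciphertext
    ipv4(PEER_A, PEER_B, UDP, struct.pack("!HHHH", 500, 500, 8, 0)),               # ISAKMP
    ipv4(PEER_A, PEER_B, UDP, struct.pack("!HHHH", 4500, 4500, 8, 0)),             # NAT-T
    ipv4("10.1.1.5", "10.2.2.7", TCP, struct.pack("!HH", 51000, 80) + b"\x00" * 16),  # leaked in clear
    ipv4(PEER_A, "192.0.2.9", TCP, struct.pack("!HH", 40000, 443)),                # mgmt, not protected
]

if __name__ == "__main__":
    counts, leaks = audit(SAMPLE, ["10.1.0.0/16", "10.2.0.0/16"])
    print(dict(counts), leaks)  # {'esp': 1, 'ike': 2, 'cleartext': 2} ['10.1.1.5 -> 10.2.2.7 proto 6']
```

An empty leak list over a capture taken while the protected hosts are actively talking is the evidence the customer is asking for; a non-empty one points at traffic the crypto map or interesting-traffic ACL is not matching.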