751 Views · 2 Helpful · 10 Replies

IPSec Traffic Classification

onibala
Level 1

Does Cisco have a tool to identify what types of traffic are within an IPsec ESP encrypted packet?

FlowPic: Encrypted Internet Traffic Classification is as Easy as Image Recognition | IEEE Conference Publication | IEEE Xplore

Thanks,

Audie

10 Replies

You mean classify for QoS?

If yes, then use AH, not ESP.

MHM Cisco World,

No... how to detect whether certain types of traffic (VoIP, Video, SSL, SSH, FTP, Telnet, etc.) exist inside the VPN tunnel.

Thanks

There is no way, except using AH, not ESP.

AH keeps the original IP header.

This link describes the methodology. https://ieeexplore.ieee.org/document/9395707

http://www.bscottrandall.com/4.3.4

Check this workaround: you can configure multiple ISAKMP profiles and assign a QoS group to each profile.

No... I want to see what types of traffic are being sent inside the VPN tunnel. Please ignore QoS for this topic.

This is the scenario:

1. I am providing a link to dozens of users.

2. All I see are IPSec IKEv2 packets (ISAKMP and ESP).

3. I want to know what my users are doing: VoIP, Video, Streaming, SSH, SSL, Telnet, etc.

Thanks

Sorry, from my side I don't know any way.

IPsec VPN is used to protect user data.

If anyone can capture and open the packet, I don't see how this is secure!!

For a new FW, the FW can decrypt SSL to see user files and filter them.

This way the FW works as a proxy between users and the server.

For IPsec, since the user uses ESP, not AH, I think you cannot see inside the packets.

Maybe others can answer you.
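The two replies above make the same point: with ESP only the SPI and sequence number are in the clear, while AH leaves the inner headers readable. The following parser, an added example that is not from the thread or any Cisco tool, shows exactly which fields each header exposes on constructed sample packets (the port-to-label map is illustrative only).

```python
import struct

# IP protocol numbers from the outer IP header (standard values, not from the thread)
ESP, AH, IPV4, TCP, UDP = 50, 51, 4, 6, 17

def parse_esp(esp: bytes) -> dict:
    """RFC 4303 ESP: only SPI and sequence number are in the clear. Everything
    after byte 8 is ciphertext plus trailer/ICV, so the inner protocol, ports
    and application cannot be read from the packet itself."""
    spi, seq = struct.unpack("!II", esp[:8])
    return {"spi": spi, "seq": seq, "inner_protocol": None, "opaque_bytes": len(esp) - 8}

def parse_ah(ah: bytes) -> dict:
    """RFC 4302 AH: next_header(1) payload_len(1) reserved(2) SPI(4) seq(4) ICV.
    payload_len is in 32-bit words minus 2, so the header spans (payload_len+2)*4
    bytes. What follows is authenticated but NOT encrypted, so it is readable."""
    next_header, payload_len = ah[0], ah[1]
    spi, seq = struct.unpack("!II", ah[4:12])
    inner = ah[(payload_len + 2) * 4:]
    if next_header == IPV4:                      # tunnel mode: step over inner IPv4 header
        ihl = (inner[0] & 0x0F) * 4
        next_header, inner = inner[9], inner[ihl:]
    info = {"spi": spi, "seq": seq, "inner_protocol": next_header}
    if next_header in (TCP, UDP) and len(inner) >= 4:   # ports are the first 4 bytes
        info["src_port"], info["dst_port"] = struct.unpack("!HH", inner[:4])
    return info

# Illustrative well-known-port labels (assumption: classification by destination port)
PORT_LABELS = {21: "FTP", 22: "SSH", 23: "Telnet", 443: "SSL/TLS", 5060: "SIP/VoIP"}

def classify(ip_protocol: int, payload: bytes) -> str:
    """Label a flow using only what is visible after the outer IP header."""
    if ip_protocol == ESP:
        parse_esp(payload)                       # SPI/seq only; nothing to classify on
        return "unknown (ESP payload is encrypted)"
    if ip_protocol == AH:
        info = parse_ah(payload)
        if "src_port" not in info:
            return f"proto {info['inner_protocol']}"
        port = min(info["src_port"], info["dst_port"])
        return PORT_LABELS.get(port, f"proto {info['inner_protocol']} port {port}")
    return "not IPsec"

# Constructed sample packets (not captured traffic)
ESP_PKT = struct.pack("!II", 0x1001, 7) + bytes(range(24))   # SPI, seq, 24 opaque bytes
TCP_HDR = struct.pack("!HHIIBBHHH", 51514, 22, 1, 0, 0x50, 0x02, 8192, 0, 0)
# AH transport mode: next_header=TCP, payload_len=4 -> 24-byte header (12 fixed + 12 ICV)
AH_PKT = bytes([TCP, 4, 0, 0]) + struct.pack("!II", 0x2002, 9) + b"\x00" * 12 + TCP_HDR
```

Running `classify(ESP, ESP_PKT)` yields only "unknown", while `classify(AH, AH_PKT)` reads the cleartext TCP header and returns "SSH".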

Thank you for replying though. This is a difficult topic. The IEEE whitepapers are great sources, but implementing the method using in-house coding is difficult and time consuming.

@onibala the Firewall (assuming you are using an FTD NGFW) will know what type of traffic is ingressing/egressing the firewall pre-encryption and post-decryption in cleartext; you should be able to run a report to determine the information you require. You could also enable NetFlow on the inside interface of the Firewall; this will also provide information on the cleartext traffic sent/received over the VPN.

Rob,

I am agnostic about what my users are using for their VPN access: Remote SSL VPN or Site-to-Site.

The traffic is being captured from network TAPs installed in the backbone circuits.

Thanks