cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1402
Views
0
Helpful
4
Replies

Verify GRE of IPsec

Hello all, 

I will soon be deploying a point to multi-point GRE over IPSec tunnel. It is not a dynamic multi-point setup. I have setup GRE over IPsec tunnels before using the protection profile feature on the tunnel interface. This time I plan to use a crypto map to secure the tunnels. My question is how can I very that the GRE packets are being encrypted between the two routers? Currently I have the crypto map setup and one spoke router connected to the hub. I can do a show crypto session or show crypto isakmp sa and everything shows up and active, but that does not necessarily mean that the GRE packets are being encrypted. I setup a mock version of the real thing in Packet Tracer that I can use to provide configurations if necessary.

I have searched around and seen suggestion about using Wireshark to capture the packets and see if they are encrypted but I am not sure of an elegant way to do that. I have also seen suggestions on using an access list to log the traffic. I gave it a try but I am not very familiar with this method and was not able to get the results I was looking for. 

Any suggestions are appreciated! 

4 Replies 4

Rahul Govindan
VIP Alumni
VIP Alumni

Since it is a GRE over IPsec tunnel using crypto map, your crypto ACL is probably GRE between tunnel source and destination. You should be able to use the "show crypto ipsec sa detailed" output to see number of packets encrypted and decrypted at both ends. You can capture packets in the outbound direction on the crypto interface, but that will be encrypted and won't give you information about what is inside the encrypted data, but you can still validate if packets are being encrypted or not.

I did see that as an option as well. I am using this as a backup connection should our Metro Ethernet go down so currently there is no traffic be sent over the tunnel aside from the occasional EIGRP update and a few other various packets. When I run the "show crypt ipsec sa detail" I do see the encrypted and decrypted packet account but it is just steadily rising so it is difficult to tell for sure.

If you see encrypts and decrypts that means GRE is flowing through it. All the traffic sourced from the tunnel interface should be encapsulated in GRE, including routing protocols. Are you looking for what specific traffic is going through the crypto tunnel?

Ideally I would like to run a packet capture on the outside interface and only see IPsec packets leaving the interface. 

I am fairly confident that everything is working as it should  because I created the tunnel interfaces first and they connected then when I applied the crypto map on the first router the tunnel dropped. Then when I added the crypto map on the other router the tunnel came back up. I was mostly just looking for the "piece of mind" factor to verify concretely that everything is working as intended.