02-18-2017 10:49 AM - edited 02-21-2020 09:10 PM
Hello all,
I will soon be deploying a point-to-multipoint GRE over IPsec tunnel. It is not a dynamic multipoint setup. I have set up GRE over IPsec tunnels before using the protection profile feature on the tunnel interface. This time I plan to use a crypto map to secure the tunnels. My question is how can I verify that the GRE packets are being encrypted between the two routers? Currently I have the crypto map set up and one spoke router connected to the hub. I can do a show crypto session or show crypto isakmp sa and everything shows up and active, but that does not necessarily mean that the GRE packets are being encrypted. I set up a mock version of the real thing in Packet Tracer that I can use to provide configurations if necessary.
I have searched around and seen suggestions about using Wireshark to capture the packets and see if they are encrypted, but I am not sure of an elegant way to do that. I have also seen suggestions on using an access list to log the traffic. I gave it a try, but I am not very familiar with this method and was not able to get the results I was looking for.
Any suggestions are appreciated!
02-18-2017 11:33 AM
Since it is a GRE over IPsec tunnel using a crypto map, your crypto ACL is probably GRE between tunnel source and destination. You should be able to use the "show crypto ipsec sa detailed" output to see the number of packets encrypted and decrypted at both ends. You can capture packets in the outbound direction on the crypto interface, but that will be encrypted and won't give you information about what is inside the encrypted data; you can still validate whether packets are being encrypted or not.
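A worked example of the counter-based check described in this reply, added here and not taken from the thread or from any Cisco tool. The "#pkts encaps / encrypt / digest" line layout matches what "show crypto ipsec sa" prints; the three snapshots, the 60-second intervals and the 100 test pings are constructed. The idea is to measure the background rate first (only routing-protocol chatter on the tunnel), then send a known burst and check that the encaps counter rose by the burst on top of that baseline, which is how you tell "it is encrypting my traffic" apart from "the counter just keeps climbing".

```python
import re

# Constructed excerpts of "show crypto ipsec sa" at three points in time
# (not real output from the routers in this thread). Only the counter lines
# of one SA are shown; the real output carries many more lines per SA.
SNAP_T0 = """\
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 1480, #pkts decrypt: 1480, #pkts verify: 1480
"""
# 60 seconds later, with nothing but routing-protocol hellos on the tunnel
SNAP_T1 = """\
    #pkts encaps: 1512, #pkts encrypt: 1512, #pkts digest: 1512
    #pkts decaps: 1492, #pkts decrypt: 1492, #pkts verify: 1492
"""
# 60 more seconds, during which 100 pings were sent across the tunnel
SNAP_T2 = """\
    #pkts encaps: 1624, #pkts encrypt: 1624, #pkts digest: 1624
    #pkts decaps: 1604, #pkts decrypt: 1604, #pkts verify: 1604
"""

COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")


def parse_counters(text):
    """Sum each counter over every SA present in the pasted output."""
    totals = {}
    for name, value in COUNTER_RE.findall(text):
        totals[name] = totals.get(name, 0) + int(value)
    return totals


def delta(before, after):
    """Per-counter increase between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b.get(k, 0) for k in a}


def idle_rate(before, after, seconds):
    """Outbound encaps per second with no test traffic: the background noise."""
    return delta(before, after)["encaps"] / seconds


def excess_encaps(before, after, seconds, background_rate):
    """Encaps beyond what the background baseline predicts for the interval.
    If this is close to the number of probe packets you sent, those probes
    went through the SA (i.e. were encapsulated into ESP)."""
    return delta(before, after)["encaps"] - background_rate * seconds


def sa_consistent(text):
    """Encaps, encrypt and digest (and decaps, decrypt, verify) should move
    together; a persistent gap between them is worth investigating."""
    c = parse_counters(text)
    return (c.get("encaps") == c.get("encrypt") == c.get("digest")
            and c.get("decaps") == c.get("decrypt") == c.get("verify"))


if __name__ == "__main__":
    rate = idle_rate(SNAP_T0, SNAP_T1, 60)
    print("background encaps/s:", rate)
    print("encaps attributable to the 100 probes:",
          excess_encaps(SNAP_T1, SNAP_T2, 60, rate))
    print("counters consistent:", sa_consistent(SNAP_T2))
```

In practice you paste the real output into the three snapshot strings (or read them from files) and use a probe that is easy to count, such as a fixed number of pings to an address reachable only through the tunnel.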
02-18-2017 02:43 PM
I did see that as an option as well. I am using this as a backup connection should our Metro Ethernet go down, so currently there is no traffic being sent over the tunnel aside from the occasional EIGRP update and a few other various packets. When I run the "show crypto ipsec sa detail" I do see the encrypted and decrypted packet count, but it is just steadily rising so it is difficult to tell for sure.
02-18-2017 03:26 PM
If you see encrypts and decrypts that means GRE is flowing through it. All the traffic sourced from the tunnel interface should be encapsulated in GRE, including routing protocols. Are you looking for what specific traffic is going through the crypto tunnel?
02-18-2017 04:43 PM
Ideally I would like to run a packet capture on the outside interface and only see IPsec packets leaving the interface.
I am fairly confident that everything is working as it should because I created the tunnel interfaces first and they connected; then, when I applied the crypto map on the first router, the tunnel dropped. Then when I added the crypto map on the other router the tunnel came back up. I was mostly just looking for the "peace of mind" factor to verify concretely that everything is working as intended.
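The capture check the poster is after ("only IPsec packets leaving the outside interface"), as an added example that is not part of this thread. It assumes the outbound capture on the WAN interface has been exported as text in "tcpdump -n" style (for instance from a SPAN port feeding a Wireshark/tcpdump host); the lines below are constructed for the example. Anything leaving toward a configured IPsec peer should be ESP (plain, or UDP-encapsulated on port 4500 when NAT-T is in play) or ISAKMP; a bare "GREv0" packet toward that peer means the crypto ACL did not catch the tunnel traffic and it went out in the clear.

```python
import re

# Constructed lines in the style of "tcpdump -n -i <outside>" on the hub's
# WAN interface. 203.0.113.1 is the hub, 198.51.100.1 the configured spoke.
# Line 5 is the failure case this check exists to catch: GRE in the clear.
CAPTURE = """\
12:00:01.000001 IP 203.0.113.1 > 198.51.100.1: ESP(spi=0x1a2b3c4d,seq=0x10), length 132
12:00:01.000002 IP 198.51.100.1 > 203.0.113.1: ESP(spi=0x4d3c2b1a,seq=0x11), length 132
12:00:01.000003 IP 203.0.113.1.500 > 198.51.100.1.500: isakmp: phase 2/others ? inf[E]
12:00:01.000004 IP 203.0.113.1.4500 > 198.51.100.1.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x12), length 148
12:00:01.000005 IP 203.0.113.1 > 198.51.100.1: GREv0, length 88: IP 10.0.0.1 > 224.0.0.10: EIGRP Hello, length 40
12:00:01.000006 IP 203.0.113.1 > 192.0.2.9: GREv0, length 88: IP 10.0.0.1 > 10.9.9.9: ICMP echo request, id 1, seq 1, length 64
12:00:01.000007 IP 203.0.113.1.22 > 192.0.2.50.51234: Flags [P.], seq 1:33, ack 1, win 500, length 32
"""

# timestamp, "IP", src[.port] > dst[.port]: <protocol summary>
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def classify(line):
    """Return src, dst and a coarse protocol class for one tcpdump line,
    or None for lines that do not look like an IPv4 summary."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("ESP(") or rest.startswith("UDP-encap: ESP("):
        kind = "esp"            # protected tunnel traffic
    elif rest.startswith("isakmp"):
        kind = "isakmp"         # IKE control traffic, expected
    elif rest.startswith("GREv"):
        kind = "gre-cleartext"  # tunnel traffic that bypassed the crypto map
    else:
        kind = "other"
    return {"src": m.group("src"), "dst": m.group("dst"), "kind": kind, "line": line}


def audit_outbound(capture, local, peers):
    """Count outbound packets per destination and protocol class, and collect
    every cleartext GRE packet sent toward a configured IPsec peer."""
    counts, leaks = {}, []
    for line in capture.splitlines():
        rec = classify(line)
        if rec is None or rec["src"] != local:
            continue  # only packets this router sends out are of interest
        per_dst = counts.setdefault(rec["dst"], {})
        per_dst[rec["kind"]] = per_dst.get(rec["kind"], 0) + 1
        if rec["kind"] == "gre-cleartext" and rec["dst"] in peers:
            leaks.append(rec["line"])
    return counts, leaks


if __name__ == "__main__":
    counts, leaks = audit_outbound(CAPTURE, "203.0.113.1", {"198.51.100.1"})
    for dst, kinds in counts.items():
        print(dst, kinds)
    print("cleartext GRE toward peers:", len(leaks))
    for l in leaks:
        print("  ", l)
```

With a correctly applied crypto map the peer's row should show only "esp" and "isakmp" and the leak list should be empty; a GRE destination that is not in your peer set (192.0.2.9 above) is not flagged but still shows up in the counts, which is how you notice a spoke you forgot to cover.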