What command to see the actual encrypted and decrypted packets in a GRE Tunnel Interface

bringuye
Level 1

Hi, 

I'm running IPsec IKEv2 on a GRE tunnel interface. How am I going to really figure out whether all the packets that came through the tunnel were being encrypted? For example, I'm sending 100 packets (let's say they're all 128-byte packets).

I'm seeing the destination physical interface receiving 100 packets as it is supposed to, but how do I know these packets were being encrypted and decrypted when they get to the other side of the tunnel? Is the "show int tunnel" command with the number of X packets sufficient to say those were the packets? Or would the "show crypto ipsec sa" command really tell, via its #pkts encaps, #pkts encrypt and #pkts digest counters?

Thank you

sample output below

asr1006-4#show crypto ipsec sa             

interface: Tunnel66
    Crypto map tag: Tunnel66-head-0, local addr 2001:10:199:x::4

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2001:10:199:x::4/128/47/0)
   remote ident (addr/mask/prot/port): (2001:10:199:x::3/128/47/0)
   current_peer 2001:10:199:x::3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 196710042, #pkts encrypt: 196710042, #pkts digest: 196710042
    #pkts decaps: 124612053, #pkts decrypt: 124612053, #pkts verify: 124612053
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2001:10:199:x::4,
     remote crypto endpt.: 2001:10:199:x::3
     plaintext mtu 9142, path mtu 9192, ipv6 mtu 9192, ipv6 mtu idb TenGigabitEthernet2/0/1
     current outbound spi: 0xC1E814FE(3253212414)
     PFS (Y/N): N, DH group: none


interface Tunnel66
 description --- 
 bandwidth 10000000
 ip address 10.x.x.x 255.255.255.252
 ip pim sparse-mode
 ipv6 address 2001:10:199:x::81/127
 ipv6 enable
 ipv6 eigrp 90
 qos pre-classify
 tunnel source TenGig2/0/1
 tunnel mode gre ipv6
 tunnel destination 2001:10:199:x::4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile default 


2 Replies

johnlloyd_13
Level 9

Hi,

GRE alone doesn't provide network traffic security, so to actually see packets encrypted/decrypted you use the show crypto ipsec sa command on both VPN peers.

I'm not sure if ASR has this command (ASA does); you can use the clear crypto ipsec sa counters to reset the IPsec traffic counters and see them increment during troubleshooting.

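The check described above (clear the counters, send a known number of packets, see how far the counters moved) can be automated. The following is an added example, not code from this thread or from Cisco: a small Python script that parses the #pkts lines of two "show crypto ipsec sa" snapshots taken before and after the test traffic and confirms that encaps, encrypt and digest advanced together by exactly the number of packets sent. The snapshot text is constructed from the output in the question and the function names are my own; run the same comparison on the receiving peer against its decaps/decrypt/verify counters.

```python
import re

# Constructed sample: the #pkts/#errors lines of one IPsec SA, captured before and
# after sending 100 test packets through the GRE tunnel (values are made up).
BEFORE = """\
    #pkts encaps: 196710042, #pkts encrypt: 196710042, #pkts digest: 196710042
    #pkts decaps: 124612053, #pkts decrypt: 124612053, #pkts verify: 124612053
    #send errors 0, #recv errors 0
"""
AFTER = """\
    #pkts encaps: 196710142, #pkts encrypt: 196710142, #pkts digest: 196710142
    #pkts decaps: 124612053, #pkts decrypt: 124612053, #pkts verify: 124612053
    #send errors 0, #recv errors 0
"""

# Matches "#pkts encaps: 123" as well as "#send errors 0" (no colon on error lines).
COUNTER_RE = re.compile(r"#(pkts [a-z]+|send errors|recv errors):?\s+(\d+)")


def parse_sa_counters(text):
    """Return {counter name: value} for the counters found in one SA block."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def check_encryption(before, after, packets_sent):
    """Compare two snapshots; return (per-counter deltas, list of problems found).

    On the sending peer every protected packet advances encaps, encrypt and
    digest together, so their deltas must agree and equal the packets sent.
    GRE packets that bypassed IPsec would show on the tunnel interface but
    would not move these counters.
    """
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    delta = {name: a[name] - b.get(name, 0) for name in a}
    problems = []
    if not (delta["pkts encaps"] == delta["pkts encrypt"] == delta["pkts digest"]):
        problems.append("encaps/encrypt/digest did not advance together")
    if delta["pkts encrypt"] != packets_sent:
        problems.append(f"sent {packets_sent}, SA encrypted {delta['pkts encrypt']}")
    if delta["send errors"] or delta["recv errors"]:
        problems.append("send/recv errors increased during the test")
    return delta, problems


if __name__ == "__main__":
    deltas, issues = check_encryption(BEFORE, AFTER, 100)
    print(deltas)
    print("OK: all test packets were encrypted" if not issues else issues)
```
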

Thank you John. Agreed, and the "show crypto ipsec sa" command seems to be the most likely to be useful here.

BTW, just wondering: I also raised another thread here and hope you could help as well :-)

https://supportforums.cisco.com/discussion/12626676/asr1006-ipseck-ikev2-esp100-performance-verification-commands