10-09-2015 04:47 PM
Hi,
I'm turning on IPsec IKEv2 on a GRE tunnel interface. How am I going to really figure out whether all the packets that came through the tunnel were being encrypted? For example, I'm sending 100 packets (let's say they're all 128-byte packets).
I'm seeing the destination physical interface receiving 100 packets as it's supposed to, but how do I know these packets were being encrypted and decrypted when they get to the other side of the tunnel? Is the "show int tunnel" command with the number of X packets sufficient to say those were the packets? Or would "show crypto ipsec sa" really tell, via its #pkts encaps, #pkts encrypt and #pkts digest counters?
Thank you
sample output below
asr1006-4#show crypto ipsec sa
interface: Tunnel66
Crypto map tag: Tunnel66-head-0, local addr 2001:10:199:x::4
protected vrf: (none)
local ident (addr/mask/prot/port): (2001:10:199:x::4/128/47/0)
remote ident (addr/mask/prot/port): (2001:10:199:x::3/128/47/0)
current_peer 2001:10:199:x::3 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 196710042, #pkts encrypt: 196710042, #pkts digest: 196710042
#pkts decaps: 124612053, #pkts decrypt: 124612053, #pkts verify: 124612053
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 2001:10:199:x::4,
remote crypto endpt.: 2001:10:199:x::3
plaintext mtu 9142, path mtu 9192, ipv6 mtu 9192, ipv6 mtu idb TenGigabitEthernet2/0/1
current outbound spi: 0xC1E814FE(3253212414)
PFS (Y/N): N, DH group: none
interface Tunnel66
description ---
bandwidth 10000000
ip address 10.x.x.x 255.255.255.252
ip pim sparse-mode
ipv6 address 2001:10:199:x::81/127
ipv6 enable
ipv6 eigrp 90
qos pre-classify
tunnel source TenGig2/0/1
tunnel mode gre ipv6
tunnel destination 2001:10:199:x::4
tunnel path-mtu-discovery
tunnel protection ipsec profile default
10-09-2015 05:09 PM
hi,
GRE alone doesn't provide network traffic security, so to actually see packets encrypted/decrypted you use show crypto ipsec sa on both VPN peers.
I'm not sure if ASR has this command (ASA does), but you can use clear crypto ipsec sa counters to reset the IPsec traffic counters and see them increment during troubleshooting.
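To show what "watch the counters increment" looks like in practice, here is an added example (not from this thread or from Cisco) that parses two snapshots of the "show crypto ipsec sa" counter lines and checks that the outbound counters moved together by at least the number of test packets sent. The first snapshot uses the counter values posted above; the second snapshot, the 100-packet expectation, and the function names are constructed for the example. Because the tunnel in the config also carries EIGRP and PIM traffic, the encrypt delta is expected to be at least, not exactly, the number of test packets.

```python
import re

# Constructed sample: counter lines taken from the thread's "show crypto ipsec sa"
# output (before), and a second snapshot constructed here as if the command had
# been re-run after sending 100 test packets across the tunnel (after).
SNAPSHOT_BEFORE = """\
interface: Tunnel66
#pkts encaps: 196710042, #pkts encrypt: 196710042, #pkts digest: 196710042
#pkts decaps: 124612053, #pkts decrypt: 124612053, #pkts verify: 124612053
#pkts compressed: 0, #pkts decompressed: 0
#send errors 0, #recv errors 0
"""

SNAPSHOT_AFTER = """\
interface: Tunnel66
#pkts encaps: 196710142, #pkts encrypt: 196710142, #pkts digest: 196710142
#pkts decaps: 124612053, #pkts decrypt: 124612053, #pkts verify: 124612053
#pkts compressed: 0, #pkts decompressed: 0
#send errors 0, #recv errors 0
"""

# "#pkts <name>: <n>" pairs; multi-word names (e.g. "not compressed") are skipped on purpose.
COUNTER_RE = re.compile(r"#pkts (\w+): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors (\d+)")


def parse_counters(text):
    """Return {counter_name: int} for the per-SA packet and error counters."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    for direction, val in ERROR_RE.findall(text):
        counters[direction + "_errors"] = int(val)
    return counters


def consistent(counters):
    """Every outbound packet should be encapsulated, encrypted and digested
    (and every inbound one decapsulated, decrypted and verified) in equal number."""
    out_ok = counters["encaps"] == counters["encrypt"] == counters["digest"]
    in_ok = counters["decaps"] == counters["decrypt"] == counters["verify"]
    return out_ok and in_ok


def delta(before, after):
    """Per-counter increase between two snapshots."""
    return {k: after[k] - before[k] for k in before if k in after}


def verify_encrypted(before_text, after_text, expected_sent):
    """Compare two snapshots; return (ok, deltas, problems).

    expected_sent is a lower bound: control-plane traffic on the tunnel
    (EIGRP, PIM hellos, GRE keepalives) is encrypted too and adds to the count.
    """
    before = parse_counters(before_text)
    after = parse_counters(after_text)
    d = delta(before, after)
    problems = []
    if not consistent(after):
        problems.append("encaps/encrypt/digest or decaps/decrypt/verify counters disagree")
    if d["encrypt"] < expected_sent:
        problems.append(f"only {d['encrypt']} packets encrypted, expected at least {expected_sent}")
    if d["send_errors"] or d["recv_errors"]:
        problems.append(f"send/recv errors increased by {d['send_errors']}/{d['recv_errors']}")
    return (not problems, d, problems)


if __name__ == "__main__":
    ok, d, problems = verify_encrypted(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, expected_sent=100)
    print("encrypted since last snapshot:", d["encrypt"])
    print("OK" if ok else "PROBLEMS: " + "; ".join(problems))
```

Run it once with the real "before" and "after" output pasted in; a clear crypto ipsec sa counters before the test (where the platform supports it) makes the "before" snapshot all zeros and the check even simpler. If the tunnel interface counters rise but the encrypt counter does not, the traffic is leaving the GRE tunnel without IPsec protection.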
10-10-2015 11:43 AM
Thank you John. Agreed, and "show crypto ipsec sa" seems to be the most likely to be useful here.
BTW, just wondering: I also raised another thread here and hope you could help as well :-)
https://supportforums.cisco.com/discussion/12626676/asr1006-ipseck-ikev2-esp100-performance-verification-commands