Check If Traffic Is Sent Into IPsec Tunnel

Author
cust0m
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/09/23 01:58:31
  • Status: offline
2020/10/06 04:25:00 (permalink) 6.0
0

Check If Traffic Is Sent Into IPsec Tunnel

Hi guys,
 
I would be interested in what is the best/most reliable way to ensure that traffic is sent into an IPsec tunnel.
I.e. if I can see outgoing traffic within the IPsec Monitor and I also see packets when starting a packet capture on the VPN tunnel - does that confirm that the traffic is sent through the tunnel?
 
Is there any (better) option to confirm this?
 
Best regards
cust0m
#1
sw2090
Expert Member
  • Total Posts : 824
  • Scores: 60
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: Check If Traffic Is Sent Into IPsec Tunnel 2020/10/06 07:41:36 (permalink)
0
do a flow debug to monitor traffic on the FGT:
 
diag debug ena
diag debug flow filter clear
diag debug flow filter dst <destination ip>
diag debug flow filter src <source ip>
diag debug flow trace start <numberofpackets>
 
then create some traffic that should flow from <source ip> to <destination ip> over the vpn to see what happens to your packets.
 
#2
cust0m
New Member
Re: Check If Traffic Is Sent Into IPsec Tunnel 2020/10/08 00:22:39 (permalink)
0
Hi,

thanks for the suggestion!
For version 6.0.8, I had to change "dst" to "daddr" and "src" to "saddr" in order to not get a syntax error.
The other commands worked.

Within the log output, I could see the message "enter IPsec interface-<name>".

So from my point of view that confirms that the traffic is sent through the tunnel!?


Best Regards
cust0m
#3
sw2090
Expert Member
Re: Check If Traffic Is Sent Into IPsec Tunnel 2020/10/08 04:06:38 (permalink) ☄ Helpfulby cust0m 2020/10/08 06:55:49
0
yes, it's daddr and saddr of course. Sorry for that one ;>
 
yes, if you see "enter IPsec interface-..." in the output of flow debug, that means the traffic has entered the tunnel, and you would have to look at the opposite end of the tunnel, where it goes to when it leaves the tunnel again, if needed :)
 
#4
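For anyone who wants to check a longer flow-debug capture without reading it line by line: the script below is an added example (not code from the thread or from Fortinet). It groups the msg="..." records that "diag debug flow trace start" prints by trace_id and reports, per packet, whether an "enter IPsec interface-<name>" record appeared, whether an encryption record followed it, or whether the packet was denied before reaching any tunnel. The sample lines are constructed to mirror the FortiOS record format (id=/trace_id=/func=/line=/msg=), with assumed addresses and an assumed tunnel name "vpn-tunnel"; they are not captured output.

```python
"""Classify FortiOS 'diag debug flow' trace output per trace_id.

Added example, not from the thread: reports for each traced packet whether it
was routed into an IPsec interface ("enter IPsec interface-<name>"), whether an
"encrypted, and send to ..." record followed, or whether it was denied/dropped
before reaching a tunnel.  SAMPLE_FLOW_DEBUG is constructed to mirror the
FortiOS record format; addresses and the tunnel name are assumptions.
"""
import re
from collections import OrderedDict

# Constructed sample: trace 1 is an ICMP echo request that enters the tunnel,
# trace 2 is the same flow denied by policy, so it never reaches IPsec.
SAMPLE_FLOW_DEBUG = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.1.1:1->10.0.0.1:2048) from port1. code=8, type=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5519 msg="allocate a new session-00000a7b"
id=20085 trace_id=1 func=vf_ip4_route_input line=1596 msg="find a route: gw-10.0.0.1 via vpn-tunnel"
id=20085 trace_id=1 func=fw_forward_handler line=670 msg="Allowed by Policy-3:"
id=20085 trace_id=1 func=ipsecdev_hard_start_xmit line=105 msg="enter IPsec interface-vpn-tunnel"
id=20085 trace_id=1 func=esp_output4 line=868 msg="encrypted, and send to 203.0.113.1 with source 198.51.100.1"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.1.1:1->10.0.0.1:2048) from port1. code=8, type=0, id=1, seq=2."
id=20085 trace_id=2 func=init_ip_session_common line=5519 msg="allocate a new session-00000a7c"
id=20085 trace_id=2 func=vf_ip4_route_input line=1596 msg="find a route: gw-10.0.0.1 via vpn-tunnel"
id=20085 trace_id=2 func=fw_forward_handler line=670 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+func=(\S+)\s+line=\d+\s+msg="(.*)"$')
PKT_RE = re.compile(r'proto=(\d+),\s*([\d.]+):\d+->([\d.]+):\d+')
IPSEC_RE = re.compile(r'enter IPsec interface-(\S+)')


def parse_flow_debug(text):
    """Group records by trace_id -> dict(src, dst, proto, ipsec_if, encrypted, denied)."""
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.search(raw.strip())
        if not m:
            continue  # prompt echo, blank line, or other non-record output
        tid, _func, msg = m.groups()
        t = traces.setdefault(tid, {"src": None, "dst": None, "proto": None,
                                    "ipsec_if": None, "encrypted": False,
                                    "denied": False})
        pkt = PKT_RE.search(msg)
        if pkt:
            t["proto"] = int(pkt.group(1))
            t["src"], t["dst"] = pkt.group(2), pkt.group(3)
        ipsec = IPSEC_RE.search(msg)
        if ipsec:
            t["ipsec_if"] = ipsec.group(1)  # the tunnel the packet entered
        if msg.startswith("encrypted"):
            t["encrypted"] = True           # ESP output record seen
        if msg.startswith("Denied") or "drop" in msg.lower():
            t["denied"] = True
    return traces


def verdict(trace):
    """One-line outcome for a single trace."""
    if trace["ipsec_if"] and trace["encrypted"]:
        return "entered tunnel %s and was encrypted" % trace["ipsec_if"]
    if trace["ipsec_if"]:
        return "entered tunnel %s (no encryption record seen)" % trace["ipsec_if"]
    if trace["denied"]:
        return "denied/dropped before reaching any tunnel"
    return "no IPsec interface seen (check route/policy)"


if __name__ == "__main__":
    for tid, t in parse_flow_debug(SAMPLE_FLOW_DEBUG).items():
        print("trace %s %s -> %s: %s" % (tid, t["src"], t["dst"], verdict(t)))
```

Paste the real debug output into SAMPLE_FLOW_DEBUG (or read it from a file) and run it; a packet that shows "no IPsec interface seen" is the one to chase through the route lookup and policy records.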
cust0m
New Member
Re: Check If Traffic Is Sent Into IPsec Tunnel 2020/10/08 06:59:13 (permalink)
0
Thank you very much for your help - we will look at the opposite end of the tunnel.
That means trying to get the tunnel working together with our customer :)
#5
emnoc
Expert Member
  • Total Posts : 5860
  • Scores: 387
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Location: AUSTIN TX AREA
  • Status: offline
Re: Check If Traffic Is Sent Into IPsec Tunnel 2020/10/08 07:47:20 (permalink) ☄ Helpfulby cust0m 2020/10/09 01:39:50
0
You can also diag sniffer packet <phase1 tunnel name> and see traffic in the tunnel also. Might be easier in some cases than debug flow.
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#6
cust0m
New Member
Re: Check If Traffic Is Sent Into IPsec Tunnel 2020/10/09 01:34:42 (permalink)
0
Thanks, looks like a very simple solution and works great :)

Let's say I'm trying to ping from 192.168.1.1 to 10.0.0.1 (no NAT involved) and I start the sniffer on the IPsec interface. 

Is it guaranteed that the traffic is sent over the tunnel, if I see the ICMP request from 192.168.1.1 to 10.0.0.1 within the output of the sniffer?
 
Best Regards
cust0m
#7
emnoc
Expert Member
Re: Check If Traffic Is Sent Into IPsec Tunnel 2020/10/09 02:58:18 (permalink)
0
Well, if you selected the ipsec-tunnel interface then yes, that will ensure it was entering the tunnel. If you selected the far-end device (assuming it's a fgt) it would ensure it was received in its tunnel interface.
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#8
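To make the distinction in that answer concrete: an echo request seen going "out" on the tunnel interface shows the packet entered the tunnel on this FortiGate, while only an echo reply seen coming "in" on the same interface shows that the far end received it and answered. The script below is an added example (not code from the thread or from Fortinet) that counts both directions from sniffer output. The sample lines are constructed to mirror the FortiOS sniffer format at verbosity 4 (timestamp, interface, in/out, src -> dst, protocol summary) for the 192.168.1.1 -> 10.0.0.1 ping in the question; the tunnel interface name "vpn-tunnel" is an assumption.

```python
"""Summarise 'diag sniffer packet <tunnel> "icmp" 4' output per direction.

Added example, not from the thread.  SAMPLE_SNIFFER is constructed to mirror
the FortiOS sniffer format at verbosity 4; the tunnel name is assumed.
Echo requests going *out* on the tunnel interface confirm the packets entered
the tunnel here; echo replies coming *in* on it confirm the far end answered.
"""
import re
from collections import Counter

# Constructed sample: three echo requests into the tunnel, two replies back.
SAMPLE_SNIFFER = """\
interfaces=[vpn-tunnel]
filters=[icmp]
2.331729 vpn-tunnel out 192.168.1.1 -> 10.0.0.1: icmp: echo request
2.333571 vpn-tunnel in 10.0.0.1 -> 192.168.1.1: icmp: echo reply
3.333080 vpn-tunnel out 192.168.1.1 -> 10.0.0.1: icmp: echo request
4.334912 vpn-tunnel out 192.168.1.1 -> 10.0.0.1: icmp: echo request
4.336101 vpn-tunnel in 10.0.0.1 -> 192.168.1.1: icmp: echo reply
"""

SNIFF_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+'
    r'(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+icmp:\s+(?P<kind>echo request|echo reply)'
)


def parse_sniffer(text):
    """Yield one dict per parsed ICMP echo line; header and other lines are skipped."""
    for line in text.splitlines():
        m = SNIFF_RE.match(line.strip())
        if m:
            yield m.groupdict()


def tunnel_check(text, tunnel, src, dst):
    """Count requests out / replies in on `tunnel` for the src->dst pair.

    Returns (requests_out, replies_in, unanswered).  'unanswered' is a simple
    difference, not an id/seq match, because the verbosity-4 summary line
    does not carry the ICMP identifier and sequence number.
    """
    c = Counter()
    for p in parse_sniffer(text):
        if p["intf"] != tunnel:
            continue
        if (p["dir"] == "out" and p["src"] == src and p["dst"] == dst
                and p["kind"] == "echo request"):
            c["requests_out"] += 1
        elif (p["dir"] == "in" and p["src"] == dst and p["dst"] == src
                and p["kind"] == "echo reply"):
            c["replies_in"] += 1
    return c["requests_out"], c["replies_in"], c["requests_out"] - c["replies_in"]


if __name__ == "__main__":
    req, rep, lost = tunnel_check(SAMPLE_SNIFFER, "vpn-tunnel", "192.168.1.1", "10.0.0.1")
    print("requests entered tunnel: %d, replies returned: %d, unanswered: %d" % (req, rep, lost))
    if req and not rep:
        print("traffic enters the tunnel but nothing returns: check the far end / return route")
```

If requests go out but no replies come in, this FortiGate has done its part; the problem is on the far side (policy, route back, or the other vendor's selectors), which is exactly the case the thread ends up in.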
cust0m
New Member
Re: Check If Traffic Is Sent Into IPsec Tunnel 2020/10/09 03:20:53 (permalink)
0
OK thanks, I see.

In that case it was Fortigate to another vendor, so I think checking if the traffic is sent over the tunnel might be the most I can do.
 
Best Regards
cust0m
#9
emnoc
Expert Member
Re: Check If Traffic Is Sent Into IPsec Tunnel 2020/10/09 08:59:48 (permalink)
0
Also "diag vpn tunnel list" will show you enc/dec pkts and bytes, which also can confirm the tunnel is up and accepting traffic.
 
Just food for thought
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#10
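Building on that last suggestion: the counters in "diag vpn tunnel list" accumulate since the SA was negotiated, so the useful check is the delta between a snapshot taken before and one taken after sending test traffic. An enc increase shows this FortiGate encrypted and sent packets into the tunnel; a dec increase shows ESP from the far end arrived and decrypted correctly; sa=0 on the proxyid line means no SA is installed at all. The script below is an added example (not code from the thread or from Fortinet). The two snapshots are constructed to mirror the FortiOS output format (name= line, proxyid= line with sa=, and the "dec:pkts/bytes=.., enc:pkts/bytes=.." counter line); the tunnel name, addresses and counter values are assumptions.

```python
"""Compare two 'diag vpn tunnel list' snapshots to confirm traffic through a tunnel.

Added example, not from the thread.  SNAPSHOT_BEFORE/AFTER are constructed to
mirror the FortiOS output format; the tunnel name, peers, selectors and
counter values are assumptions.  The check looks at counter *deltas*, since
absolute values accumulate for the whole lifetime of the SA.
"""
import re

SNAPSHOT_BEFORE = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=vpn-tunnel ver=2 serial=1 198.51.100.1:0->203.0.113.1:0 dst_mtu=1500
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=2 olast=2 ad=/0
stat: rxp=27 txp=27 rxb=2268 txb=3240
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=4
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=vpn-tunnel proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.1.0/255.255.255.0:0
  dst: 0:10.0.0.0/255.255.255.0:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42765/0B replaywin=2048
  dec:pkts/bytes=27/2268, enc:pkts/bytes=27/3240
"""

# Constructed "after" snapshot: five more packets encrypted, nothing decrypted.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "dec:pkts/bytes=27/2268, enc:pkts/bytes=27/3240",
    "dec:pkts/bytes=27/2268, enc:pkts/bytes=32/3840")

NAME_RE = re.compile(r'^name=(\S+)')
SA_RE = re.compile(r'^proxyid=(\S+)\s.*\bsa=(\d+)')
CNT_RE = re.compile(r'dec:pkts/bytes=(\d+)/(\d+),\s*enc:pkts/bytes=(\d+)/(\d+)')


def parse_tunnel_list(text):
    """Return {tunnel: {'sa', 'dec_pkts', 'dec_bytes', 'enc_pkts', 'enc_bytes'}}."""
    tunnels, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = NAME_RE.match(s)
        if m:
            current = m.group(1)  # a new tunnel block starts at each name= line
            tunnels[current] = {"sa": 0, "dec_pkts": 0, "dec_bytes": 0,
                                "enc_pkts": 0, "enc_bytes": 0}
            continue
        if current is None:
            continue
        m = SA_RE.match(s)
        if m:
            tunnels[current]["sa"] += int(m.group(2))  # SAs installed for this proxyid
        m = CNT_RE.search(s)
        if m:
            t = tunnels[current]  # sum counters over all proxyids of the tunnel
            t["dec_pkts"] += int(m.group(1))
            t["dec_bytes"] += int(m.group(2))
            t["enc_pkts"] += int(m.group(3))
            t["enc_bytes"] += int(m.group(4))
    return tunnels


def traffic_delta(before, after, name):
    """Change in enc/dec packet counters for one tunnel between two snapshots."""
    b = parse_tunnel_list(before)[name]
    a = parse_tunnel_list(after)[name]
    return {"sa": a["sa"],
            "enc_pkts": a["enc_pkts"] - b["enc_pkts"],
            "dec_pkts": a["dec_pkts"] - b["dec_pkts"]}


def interpret(delta):
    """Turn the delta into the statement the thread is after."""
    if delta["sa"] == 0:
        return "no SA installed: tunnel is not up, nothing can be sent"
    if delta["enc_pkts"] > 0 and delta["dec_pkts"] > 0:
        return "traffic encrypted and return traffic decrypted: tunnel carries traffic both ways"
    if delta["enc_pkts"] > 0:
        return "packets were encrypted and sent, but nothing came back: check the far end"
    return "no packets encrypted: traffic is not being routed into this tunnel"


if __name__ == "__main__":
    d = traffic_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "vpn-tunnel")
    print(d)
    print(interpret(d))
```

Run "diag vpn tunnel list" once, send the test pings, run it again, and feed both outputs to traffic_delta; an enc delta with a zero dec delta is the same picture as requests without replies in the sniffer, pointing at the other vendor's side.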