System Administration Guide: IP Services

ProcedureHow to Verify That Packets Are Protected With IPsec

To verify that packets are protected, test the connection with the snoop command. The following prefixes can appear in the snoop output:

Before You Begin

You must be superuser or have assumed an equivalent role to create the snoop output. You must have access to both systems to test the connection.

  1. On one system, such as partym, become superuser.

    % su -
    Password: Type root password
  2. From the partym system, prepare to snoop packets from a remote system.

    In a terminal window on partym, snoop the packets from the enigma system.

    # snoop -v enigma
    Using device /dev/hme (promiscuous mode)
  3. Send a packet from the remote system.

    In another terminal window, remotely log in to the enigma system. Provide your password. Then, become superuser and send a packet from the enigma system to the partym system. The packet should be captured by the snoop -v enigma command.

    % ssh enigma
    Password: Type your password
    % su -
    Password: Type root password
    # ping partym
  4. Examine the snoop output.

    On the partym system, you should see output that includes AH and ESP information after the initial IP header information. AH and ESP information that resembles the following shows that packets are being protected:

    IP:   Time to live = 64 seconds/hops
    IP:   Protocol = 51 (AH)
    IP:   Header checksum = 4e0e
    IP:   Source address =, enigma
    IP:   Destination address =, partym
    IP:   No options
    AH:  ----- Authentication Header -----
    AH:  Next header = 50 (ESP)
    AH:  AH length = 4 (24 bytes)
    AH:  <Reserved field = 0x0>
    AH:  SPI = 0xb3a8d714
    AH:  Replay = 52
    AH:  ICV = c653901433ef5a7d77c76eaa
    ESP:  ----- Encapsulating Security Payload -----
    ESP:  SPI = 0xd4f40a61
    ESP:  Replay = 52
    ESP:     ....ENCRYPTED DATA....
    ETHER:  ----- Ether Header -----