How to Verify That Packets are Protected (IPsec and IKE Administration Guide)

IPsec and IKE Administration Guide

How to Verify That Packets are Protected

To verify that packets are protected, test the connection with the snoop command. The following prefixes can appear in the snoop output:

AH: prefix – Indicates that AH is protecting the headers. You see AH: if you used auth_alg to protect the traffic.
ESP: prefix – Indicates that encrypted data is being sent. You see ESP: if you used encr_auth_alg or encr_alg to protect the traffic.

Note –

You must be root or an equivalent role to read the snoop output. You must have access to both systems to test the connection.

On one system, such as partym, become root.
% su Password: root-password #

In a terminal window, begin to snoop the packets from another system, such as enigma.
# snoop -v enigma Using device /dev/hme (promiscuous mode)

In another terminal window, remotely log on to the enigma system. Provide your password. Then become root, and send a packet from enigma to the partym system.
% rlogin enigma Password: your-password % su Password: root-password # ping partym

In the snoop window on partym, you should see output that looks something like the following:

IP:   Time to live = 64 seconds/hops
IP:   Protocol = 51 (AH)
IP:   Header checksum = 4e0e
IP:   Source address = 192.168.116.16, enigma
IP:   Destination address = 192.168.13.213, partym
IP:   No options
IP:
AH:  ----- Authentication Header -----
AH:
AH:  Next header = 50 (ESP)
AH:  AH length = 4 (24 bytes)
AH:  <Reserved field = 0x0>
AH:  SPI = 0xb3a8d714
AH:  Replay = 52
AH:  ICV = c653901433ef5a7d77c76eaa
AH:
ESP:  ----- Encapsulating Security Payload -----
ESP:
ESP:  SPI = 0xd4f40a61
ESP:  Replay = 52
ESP:     ....ENCRYPTED DATA....

ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 20 arrived at 9:44:36.59
ETHER:  Packet size = 98 bytes
ETHER:  Destination = 8:0:27:aa:11:11, Sun
ETHER:  Source      = 8:0:22:aa:22:2, Sun
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 84 bytes
IP:   Identification = 40933
IP:   Flags = 0x4
IP:         .1.. .... = do not fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 60 seconds/hops
IP:   Protocol = 51 (AH)
IP:   Header checksum = 22cc
…