IPsec and IKE Administration Guide

How to Verify That Packets are Protected

To verify that packets are protected, test the connection with the snoop command. The following prefixes can appear in the snoop output:


Note –

You must be root or an equivalent role to read the snoop output. You must have access to both systems to test the connection.


  1. On one system, such as partym, become root.


    % su 
    Password: root-password
    # 
  2. In a terminal window, begin to snoop the packets from another system, such as enigma.


    # snoop -v enigma
    Using device /dev/hme (promiscuous mode)
  3. In another terminal window, remotely log on to the enigma system. Provide your password. Then become root, and send a packet from enigma to the partym system.


    % rlogin enigma
    Password: your-password
    % su 
    Password: root-password
    # ping partym
    
  4. In the snoop window on partym, you should see output that looks something like the following:


    IP:   Time to live = 64 seconds/hops
    IP:   Protocol = 51 (AH)
    IP:   Header checksum = 4e0e
    IP:   Source address = 192.168.116.16, enigma
    IP:   Destination address = 192.168.13.213, partym
    IP:   No options
    IP:
    AH:  ----- Authentication Header -----
    AH:
    AH:  Next header = 50 (ESP)
    AH:  AH length = 4 (24 bytes)
    AH:  <Reserved field = 0x0>
    AH:  SPI = 0xb3a8d714
    AH:  Replay = 52
    AH:  ICV = c653901433ef5a7d77c76eaa
    AH:
    ESP:  ----- Encapsulating Security Payload -----
    ESP:
    ESP:  SPI = 0xd4f40a61
    ESP:  Replay = 52
    ESP:     ....ENCRYPTED DATA....
    
    ETHER:  ----- Ether Header -----
    ETHER:
    ETHER:  Packet 20 arrived at 9:44:36.59
    ETHER:  Packet size = 98 bytes
    ETHER:  Destination = 8:0:27:aa:11:11, Sun
    ETHER:  Source      = 8:0:22:aa:22:2, Sun
    ETHER:  Ethertype = 0800 (IP)
    ETHER:
    IP:   ----- IP Header -----
    IP:
    IP:   Version = 4
    IP:   Header length = 20 bytes
    IP:   Type of service = 0x00
    IP:         xxx. .... = 0 (precedence)
    IP:         ...0 .... = normal delay
    IP:         .... 0... = normal throughput
    IP:         .... .0.. = normal reliability
    IP:         .... ..0. = not ECN capable transport
    IP:         .... ...0 = no ECN congestion experienced
    IP:   Total length = 84 bytes
    IP:   Identification = 40933
    IP:   Flags = 0x4
    IP:         .1.. .... = do not fragment
    IP:         ..0. .... = last fragment
    IP:   Fragment offset = 0 bytes
    IP:   Time to live = 60 seconds/hops
    IP:   Protocol = 51 (AH)
    IP:   Header checksum = 22cc
    …