Method used to view a captured IPSec-encrypted packet


You can view a captured IPSec-encrypted packet as follows:
On the USG firewall, check whether an IPSec packet can be captured.
The USG firewall can capture IPSec packets (the IKE negotiation and the ESP/AH packets), but the payload of an ESP packet is encrypted, so the protected data packet cannot be viewed from that capture. To see the original traffic, capture it on the intranet-side interface before it is encrypted, or on the peer after it has been decrypted.

Other related questions:
Capturing packets to view IPSec-encrypted data packets
Can IPSec packets be captured on the USG? IPSec packets can be captured and viewed on the USG, but the protected data packets cannot be viewed.

Capturing packets to check the data that IPSec has encrypted
The USG can capture and view the IPSec protocol packets, but cannot view the protected data packets.

Method used to view packet loss information if packets cannot be captured on interfaces
If you cannot capture packets on firewall interfaces but want to view packet loss information, you can use the quintuple (5-tuple) packet capture statistics function. The operation is as follows:
1. Create an ACL that matches the flow to be examined.
[system] acl 3999
[system-acl-adv-3999] rule 5 permit icmp source 10.2.4.2 0 destination 10.2.2.2 0
2. Enable ACL-based packet statistics in the diagnose view.
[system] diagnose
[system-diagnose] firewall statistic acl 3999 enable
3. View the quintuple packet capture statistics.
system-view
[sysname] diagnose
[sysname-diagnose] display firewall statistics acl
********************************************************************************
*                    Summary of ACL-based packet statistics                    *
********************************************************************************
SLOT 1 CPU 1
                  RcvnFrag   RcvFrag   Forward   DisnFrag   DisFrag
Obverse(pkts) :   100        0         95        0          0
Reverse(pkts) :   100        0         100       0          0
SLOT 1 CPU 3
                  RcvnFrag   RcvFrag   Forward   DisnFrag   DisFrag
Obverse(pkts) :   2          0         2         0          0
Reverse(pkts) :   1          0         1         0          0
SLOT: 2
                  Fastforward   Discard
Obverse(pkts) :   98            0
Reverse(pkts) :   999           0
Detailed information of discarded packets:
********************************************************************************
*                 Detailed information of ACL-based packet statistics          *
********************************************************************************
Protocol(udp) SourceIp(10.2.4.2) DestinationIp(10.2.2.2) SourcePort(333) DestinationPort(444) VpnIndex(public)
                  RcvnFrag   RcvFrag   Forward   DisnFrag   DisFrag
Obverse(pkts) :   2          0         2         0          0
Reverse(pkts) :   1          0         1         0          0
Discard detail information:
Protocol(udp) SourceIp(10.2.4.2) DestinationIp(10.2.2.2) SourcePort(555) DestinationPort(666) VpnIndex(public)
                  RcvnFrag   RcvFrag   Forward   DisnFrag   DisFrag
Obverse(pkts) :   100        0         95        5          0
Reverse(pkts) :   100        0         100       0          0
Discard detail information:
Packet filter packets discarded: 5
Please check the security policy and whether the interface is added to a security zone.
Reading the output: RcvnFrag and RcvFrag count received non-fragmented and fragmented packets, Forward counts packets forwarded, and DisnFrag and DisFrag count discarded ones. In the second flow above, 100 packets were received in the forward (Obverse) direction, 95 were forwarded and 5 non-fragmented packets were discarded, and the discard detail attributes those 5 to the packet filter, which points at the security policy or at an interface not yet added to a security zone.
4. After locating the problem, run the undo firewall statistics acl command to disable the quintuple packet statistics function, to prevent adverse impact on device performance.
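When this output is collected from several devices or over time, it is easier to parse it than to read the tables by eye. The following script is an added example, not part of the original page or of Huawei's software: it parses the per-flow section of the display firewall statistics acl output shown above (re-typed here as a constructed sample) and reports every flow and direction whose received packets were not all forwarded, together with the discard reasons listed under it. The column names and line formats are taken from the output above; any other output variant is an assumption and may need the regular expressions adjusted.

```python
import re

# Constructed sample: the per-flow part of the display firewall statistics acl
# output shown in the procedure above, re-typed here as test input.
SAMPLE_OUTPUT = """\
********************************************************************************
* Detailed information of ACL-based packet statistics *
********************************************************************************
Protocol(udp) SourceIp(10.2.4.2) DestinationIp(10.2.2.2) SourcePort(333) DestinationPort(444) VpnIndex(public)
                RcvnFrag  RcvFrag  Forward  DisnFrag  DisFrag
Obverse(pkts) : 2         0        2        0         0
Reverse(pkts) : 1         0        1        0         0
Discard detail information:
Protocol(udp) SourceIp(10.2.4.2) DestinationIp(10.2.2.2) SourcePort(555) DestinationPort(666) VpnIndex(public)
                RcvnFrag  RcvFrag  Forward  DisnFrag  DisFrag
Obverse(pkts) : 100       0        95       5         0
Reverse(pkts) : 100       0        100      0         0
Discard detail information:
Packet filter packets discarded: 5
"""

COLUMNS = ("RcvnFrag", "RcvFrag", "Forward", "DisnFrag", "DisFrag")
FLOW_RE = re.compile(
    r"Protocol\((\w+)\)\s+SourceIp\(([\d.]+)\)\s+DestinationIp\(([\d.]+)\)\s+"
    r"SourcePort\((\d+)\)\s+DestinationPort\((\d+)\)\s+VpnIndex\((\w+)\)")
COUNTER_RE = re.compile(r"^(Obverse|Reverse)\(pkts\)\s*:\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")
REASON_RE = re.compile(r"^(.+?) packets discarded:\s*(\d+)")


def parse_flow_statistics(text):
    """Return one dict per 5-tuple flow: counters per direction plus discard reasons.

    Counter lines that appear before the first Protocol(...) header (the per-slot
    summary) are skipped, since they are not attributable to a single flow.
    """
    flows, current = [], None
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            proto, sip, dip, sport, dport, vpn = m.groups()
            current = {"flow": f"{proto} {sip}:{sport} -> {dip}:{dport} [{vpn}]",
                       "directions": {}, "reasons": {}}
            flows.append(current)
            continue
        if current is None:
            continue
        m = COUNTER_RE.match(line)
        if m:
            current["directions"][m.group(1)] = dict(zip(COLUMNS, map(int, m.groups()[1:])))
            continue
        m = REASON_RE.match(line)
        if m:
            current["reasons"][m.group(1)] = int(m.group(2))
    return flows


def flows_with_loss(flows):
    """List every (flow, direction) whose received packets were not all forwarded."""
    losses = []
    for f in flows:
        for direction, c in f["directions"].items():
            received = c["RcvnFrag"] + c["RcvFrag"]
            discarded = c["DisnFrag"] + c["DisFrag"]
            if discarded or received != c["Forward"]:
                losses.append({"flow": f["flow"], "direction": direction,
                               "received": received, "forwarded": c["Forward"],
                               "discarded": discarded, "reasons": f["reasons"]})
    return losses


if __name__ == "__main__":
    for loss in flows_with_loss(parse_flow_statistics(SAMPLE_OUTPUT)):
        print(loss)
```

Run against the sample, the script reports only the 10.2.4.2:555 -> 10.2.2.2:666 flow in the Obverse direction, with 100 received, 95 forwarded, 5 discarded and the reason "Packet filter", which is exactly the line the procedure tells you to act on.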

IPSec packet forwarding flow on the USG5000
In the NGFW processing flow, IPSec processing takes place after NAT, route lookup, and security policy processing. The firewall therefore does not handle IPSec-protected packets through NAT policies; such packets are delivered, by matching routes and security policies, to the interface on which the IPSec policy is applied. The specific requirements are as follows:
1. Packets arriving at the NGFW must not match the server map table or the reverse server map table created by NAT server. Otherwise, their destination addresses are translated.
2. Packets arriving at the NGFW must not match a destination NAT policy. Otherwise, their destination addresses are translated.
3. A route (generally the default route) to the IKE peer's private network must exist in the routing table, and the outbound interface of that route must have the IPSec policy applied. If no route matches, the packets are discarded; if the outbound interface of the matching route does not apply the IPSec policy, the packets are not delivered to the IPSec processing module and are sent in plain text.
4. IPSec VPN traffic is generally transmitted between zones, so the inter-zone packet filter between the source zone (where the intranet interface resides) and the destination zone (where the external interface applying the IPSec policy resides) must permit the traffic. Otherwise, the packets are discarded.
5. Source NAT for packets that pass the inter-zone packet filter check is optional. Packets that match an inter-zone source NAT policy have their source addresses translated, and the translated source addresses are what the security ACL rules are matched against. Packets that match no inter-zone NAT policy are delivered to the IPSec processing module directly.
6. Packets reaching the IPSec processing module are protected only if they match the security ACL rules. Otherwise, the packets are discarded.
A practical consequence of steps 5 and 6: if a general source NAT policy for Internet access (for example one translating the whole intranet segment to the public interface address) also matches the VPN traffic, the translated source address no longer matches the security ACL and the VPN packets are silently discarded in step 6. Exclude the VPN flows from source NAT with a no-NAT rule ordered before the general rule, or write the security ACL for the translated addresses.
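The six steps above are easiest to reason about as a decision procedure. The following is an added example, not code from the page or from the USG software: a small Python model of that order of processing, populated with a hypothetical site (trust network 10.1.1.0/24, IPSec peer network 10.2.2.0/24 behind interface GE1/0/1, a DMZ behind GE1/0/2, and a NAT server public address 1.1.1.10). All addresses, interface names, zone names and rule tables are assumptions chosen for illustration; the model only reproduces the ordering and outcomes the text describes, not the device's real data structures. The scenarios at the end show the cases a practitioner hits most often, including the source-NAT-before-ACL pitfall.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    src_zone: str


@dataclass
class ForwardingModel:
    # Hypothetical tables, each only as detailed as the six steps above need.
    server_map: set = field(default_factory=set)          # public addresses held in the NAT server map
    dst_nat_networks: list = field(default_factory=list)  # destination networks matched by destination NAT
    routes: list = field(default_factory=list)            # (network, outbound interface)
    iface_zone: dict = field(default_factory=dict)        # interface -> security zone
    ipsec_ifaces: set = field(default_factory=set)        # interfaces with an IPSec policy applied
    interzone_permit: set = field(default_factory=set)    # (source zone, destination zone) pairs permitted
    source_nat: dict = field(default_factory=dict)        # (src zone, dst zone) -> [(src net, dst net, new src or None)]
    security_acl: list = field(default_factory=list)      # (source network, destination network) to protect

    def forward(self, pkt):
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        # Steps 1 and 2: a NAT server map or destination NAT hit rewrites the
        # destination, so the packet never reaches the IPSec module.
        if dst in self.server_map:
            return "nat-server"
        if any(dst in net for net in self.dst_nat_networks):
            return "dst-nat"
        # Step 3: longest-prefix route lookup; the outbound interface must carry the IPSec policy.
        candidates = [(net, iface) for net, iface in self.routes if dst in net]
        if not candidates:
            return "no-route"
        _, out_iface = max(candidates, key=lambda r: r[0].prefixlen)
        if out_iface not in self.ipsec_ifaces:
            return "plaintext"
        # Step 4: inter-zone packet filter between the source zone and the outbound interface's zone.
        dst_zone = self.iface_zone[out_iface]
        if (pkt.src_zone, dst_zone) not in self.interzone_permit:
            return "interzone-drop"
        # Step 5: optional source NAT; the first matching rule wins, None means no translation.
        for snet, dnet, new_src in self.source_nat.get((pkt.src_zone, dst_zone), []):
            if src in snet and dst in dnet:
                if new_src is not None:
                    src = ip_address(new_src)
                break
        # Step 6: the (possibly translated) source must match the security ACL to be protected.
        if any(src in snet and dst in dnet for snet, dnet in self.security_acl):
            return "ipsec"
        return "acl-drop"


def build_model(no_nat_for_vpn):
    """Hypothetical site: trust 10.1.1.0/24, IPSec peer network 10.2.2.0/24 behind GE1/0/1."""
    nat_rules = [(ip_network("10.1.1.0/24"), ip_network("0.0.0.0/0"), "1.1.1.1")]  # Internet source NAT
    if no_nat_for_vpn:
        # No-NAT rule for the VPN flows, ordered before the general Internet rule.
        nat_rules.insert(0, (ip_network("10.1.1.0/24"), ip_network("10.2.2.0/24"), None))
    return ForwardingModel(
        server_map={ip_address("1.1.1.10")},
        routes=[(ip_network("0.0.0.0/0"), "GE1/0/1"), (ip_network("10.3.3.0/24"), "GE1/0/2")],
        iface_zone={"GE1/0/1": "untrust", "GE1/0/2": "dmz"},
        ipsec_ifaces={"GE1/0/1"},
        interzone_permit={("trust", "untrust")},
        source_nat={("trust", "untrust"): nat_rules},
        security_acl=[(ip_network("10.1.1.0/24"), ip_network("10.2.2.0/24"))],
    )


def scenarios():
    """Outcome of each common case; the first two differ only in the no-NAT rule."""
    vpn = Packet("10.1.1.5", "10.2.2.7", "trust")
    return {
        "vpn flow, source NAT also matches it": build_model(False).forward(vpn),
        "vpn flow, exempted from source NAT": build_model(True).forward(vpn),
        "destination behind interface without IPSec policy":
            build_model(True).forward(Packet("10.1.1.5", "10.3.3.1", "trust")),
        "destination is a NAT server public address":
            build_model(True).forward(Packet("10.1.1.5", "1.1.1.10", "trust")),
        "vpn flow from a zone with no inter-zone permit":
            build_model(True).forward(Packet("10.1.1.5", "10.2.2.7", "dmz")),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{outcome:15} {name}")
```

The two VPN scenarios are the ones worth comparing: with only the Internet source NAT rule the packet reaches step 6 with source 1.1.1.1, misses the security ACL and is dropped; with the no-NAT rule in front it keeps 10.1.1.5 and is protected.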

Encryption and authentication algorithms used in IPSec to guarantee packet transmission security on the USG6000 series
The AES encryption algorithm and the SHA2-256, SHA2-384, and SHA2-512 authentication algorithms are recommended in IKE and IPSec proposals to improve packet transmission security, whereas the DES and 3DES encryption algorithms and the MD5 and SHA-1 authentication algorithms are not recommended. Both ends of a tunnel must be configured with matching proposals, so the peer must support the stronger algorithms before they are enforced.
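To find proposals that still use the algorithms this page advises against, it is easier to audit the configuration text than to read every proposal by hand. The following is an added example, not code from the page or from Huawei: it walks the ike proposal and ipsec proposal stanzas of a configuration dump in USG CLI style and classifies every encryption-algorithm and authentication-algorithm line. The sample configuration is constructed for the example (proposal names and values are assumptions), and the classification covers only the algorithm names this page names; anything else is reported for review rather than judged.

```python
import re

# Constructed configuration excerpt in USG CLI style; names and values are hypothetical.
SAMPLE_CONFIG = """\
ike proposal 1
 encryption-algorithm 3des
 authentication-algorithm md5
#
ike proposal 10
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
#
ipsec proposal legacy
 esp authentication-algorithm sha1
 esp encryption-algorithm des
#
ipsec proposal strong
 esp authentication-algorithm sha2-512
 esp encryption-algorithm aes-256
#
"""

STANZA_RE = re.compile(r"^(ike proposal \S+|ipsec proposal \S+)$")
ALGO_RE = re.compile(r"^\s*(?:esp |ah )?(encryption-algorithm|authentication-algorithm)\s+(\S+)")

NOT_RECOMMENDED = {"des", "3des", "md5", "sha1"}     # the algorithms the page advises against
RECOMMENDED_PREFIXES = ("aes", "sha2")               # AES and the SHA2 family


def classify(algo):
    """Verdict for one algorithm name; names the page does not cover are flagged for review."""
    a = algo.lower()
    if a in NOT_RECOMMENDED:
        return "not-recommended"
    if a.startswith(RECOMMENDED_PREFIXES):
        return "recommended"
    return "review"


def audit_proposals(config_text):
    """Map each proposal stanza to a list of (setting, algorithm, verdict) tuples."""
    findings, stanza = {}, None
    for line in config_text.splitlines():
        if line.strip() == "#":          # '#' terminates a stanza in the USG configuration format
            stanza = None
            continue
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group(1)
            findings[stanza] = []
            continue
        if stanza is None:
            continue
        m = ALGO_RE.match(line)
        if m:
            findings[stanza].append((m.group(1), m.group(2), classify(m.group(2))))
    return findings


def weak_proposals(findings):
    """Names of proposals containing at least one not-recommended algorithm, sorted."""
    return sorted(name for name, algos in findings.items()
                  if any(verdict == "not-recommended" for _, _, verdict in algos))


if __name__ == "__main__":
    for name in weak_proposals(audit_proposals(SAMPLE_CONFIG)):
        print("not recommended:", name)
```

On the sample this flags ike proposal 1 and ipsec proposal legacy; the remaining step is to confirm which ike peer and ipsec policy entries reference those proposals before replacing them, since both tunnel ends must agree on the new algorithms.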
