AntecK7 (All American, 7755 Posts):
Hello,
I'm playing around with some IPsec stuff. Here is my question: if I sniff traffic and only use AH (authentication mode), will I still see ESP in the frame? Or if I see ESP (encapsulation), am I also running encryption? 3/27/2009 8:26:37 AM
quagmire02 (All American, 44225 Posts):
Hello,
I don't know. 3/27/2009 8:28:45 AM
BobbyDigital (Thots and Prayers, 41777 Posts):
If you're only using AH, then you won't see ESP, because it won't be there.
You can use AH alone, concurrently with ESP, or, if you're tunneling, you can nest them. 3/27/2009 9:25:02 AM
AntecK7 (All American, 7755 Posts):
Okay,
That's what I thought; the security people are saying they are only running AH mode, but my sniffing doesn't reflect that.
This is what I get when I capture a packet.
[Edited on March 27, 2009 at 9:53 AM. Reason: dd] 3/27/2009 9:51:04 AM
evan (All American, 27701 Posts):
ESP can do authentication-only; the entire packet doesn't have to be encrypted... although I'm not sure why you'd want to do that.
If you were using AH, you'd see most of the IP header encapsulated as well. 3/27/2009 10:38:13 AM
AntecK7 (All American, 7755 Posts):
Here is the situation:
The network admin/security people are complaining about some of our traffic generated by administrative tools.
So I'm arguing that the traffic between computers is safe because we're running IPSEC.
They say we're only running IPSEC in AH mode; however, when I do a sniff I see ESP packets between computers and between computers and servers.
What I'm trying to find out is: if they ONLY run AH, will I see ESP? I need to know 100% if they are actually encrypted or not, not just "well, I see ESP"; on the other hand, I don't have 100% confidence that they have IPSEC set up correctly.
We're on a 2003 domain.
I'm not a networking guru; I have the meager amount I picked up during training.
I've been looking around for an actual dissection of an IPSEC packet, but I can't find anything, only basic diagrams showing the makeup, nothing like Ethereal logs with explanations.
[Edited on March 27, 2009 at 11:10 AM. Reason: dd] 3/27/2009 11:08:06 AM
BobbyDigital (Thots and Prayers, 41777 Posts):
Quote: "What I'm trying to find out is: if they ONLY run AH, will I see ESP?"
No. If ONLY AH is running, you should not see ESP.
This might be somewhat helpful for comparison's sake:
http://packetlife.net/captures/IPsec_ESP-AH_tunnel_mode.cap and this: http://www.cisco.com/en/US/docs/net_mgmt/vpn_solutions_center/2.0/ip_security/provisioning/guide/IPsecPG1.html 3/27/2009 11:15:36 AM
AntecK7 (All American, 7755 Posts):
Hmm, I need to set up a hub and see if I can sniff it and read the contents. 3/27/2009 3:36:13 PM
evan (All American, 27701 Posts):
If you see ESP, you're running ESP.
ESP can be configured to just provide authenticity verification, though, and not encrypt the payload. Check for that. 3/27/2009 6:24:36 PM
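The check evan suggests (is this ESP traffic actually encrypted, or is it ESP with the NULL cipher?) can be made on the raw bytes rather than by trusting what the admins say. The following is an added example, not code from this thread or from any of the products mentioned in it. It parses constructed IPv4 packets: IP protocol 51 is AH, 50 is ESP; an ESP body whose trailer (padding, pad length, next header) reads cleanly as the RFC 4303 default layout is most likely NULL encryption (RFC 2410), whereas a genuinely encrypted body will not. The addresses, SPIs, HMAC key, the 12-byte ICV length (HMAC-SHA1-96 / HMAC-MD5-96) and the sample packets themselves are assumptions made for the example.

```python
"""Added example: tell AH from ESP in a raw IPv4 packet and test whether an
ESP body is NULL-encrypted (authenticated only). All packets are constructed
inline for the example; none come from a real capture."""
import hashlib
import hmac
import struct

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_TCP, IPPROTO_UDP = 1, 4, 6, 17
IPPROTO_ESP, IPPROTO_AH = 50, 51
ICV_LEN = 12                       # assumption: HMAC-SHA1-96 / HMAC-MD5-96 ICV
AUTH_KEY = b"demo-key-not-real"    # placeholder key for the constructed packets


def ipv4_header(proto, payload_len, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Minimal 20-byte IPv4 header; checksum left zero (never verified here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)


def tcp_segment(data):
    """TCP header (data offset 5, PSH|ACK) plus payload; checksum left zero."""
    return struct.pack("!HHIIBBHHH", 1234, 445, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


def ah_packet(inner, next_header=IPPROTO_TCP, spi=0x1000, seq=1):
    """AH transport mode: IP | AH | inner. The AH length field counts 32-bit
    words minus 2, so a 12-byte fixed header plus a 12-byte ICV gives 4.
    A real AH ICV also covers immutable IP header fields; this placeholder
    HMAC covers only the AH header and inner data."""
    ah_head = struct.pack("!BBHII", next_header, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    icv = hmac.new(AUTH_KEY, ah_head + inner, hashlib.sha1).digest()[:ICV_LEN]
    payload = ah_head + icv + inner
    return ipv4_header(IPPROTO_AH, len(payload)) + payload


def esp_null_packet(inner, next_header=IPPROTO_TCP, spi=0x2000, seq=1):
    """ESP with the NULL cipher: IP | SPI,seq | inner | pad | padlen | nh | ICV.
    Padding uses the RFC 4303 default bytes 1,2,3,... up to 4-byte alignment."""
    pad_len = (-(len(inner) + 2)) % 4
    head = struct.pack("!II", spi, seq)
    body = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    icv = hmac.new(AUTH_KEY, head + body, hashlib.sha1).digest()[:ICV_LEN]
    payload = head + body + icv
    return ipv4_header(IPPROTO_ESP, len(payload)) + payload


def esp_opaque_packet(spi=0x3000, seq=1):
    """ESP whose body is a constructed byte pattern standing in for real
    ciphertext; it carries no readable trailer."""
    body = bytes((i * 73 + 19) & 0xFF for i in range(40))
    head = struct.pack("!II", spi, seq)
    icv = hmac.new(AUTH_KEY, head + body, hashlib.sha1).digest()[:ICV_LEN]
    payload = head + body + icv
    return ipv4_header(IPPROTO_ESP, len(payload)) + payload


def ipv4_split(pkt):
    """Return (protocol, payload) from a raw IPv4 packet with no link layer."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return pkt[9], pkt[ihl:total_len]


def parse_ah(payload):
    next_header, len_words = payload[0], payload[1]
    hdr_bytes = (len_words + 2) * 4
    spi, seq = struct.unpack("!II", payload[4:12])
    return {"next_header": next_header, "spi": spi, "seq": seq,
            "icv_len": hdr_bytes - 12, "inner": payload[hdr_bytes:]}


def parse_esp(payload, icv_len=ICV_LEN):
    spi, seq = struct.unpack("!II", payload[:8])
    return {"spi": spi, "seq": seq, "body": payload[8:len(payload) - icv_len]}


def looks_like_null_esp(body):
    """Heuristic: with NULL encryption the ESP trailer is in the clear, so the
    last two bytes are pad-length and next-header, the padding is the default
    1,2,3,... run, and the next-header value names a plausible protocol."""
    if len(body) < 2:
        return False
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 2:
        return False
    if body[len(body) - 2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        return False
    inner = body[:len(body) - 2 - pad_len]
    if next_header == IPPROTO_TCP:            # sanity-check the TCP data offset
        return len(inner) >= 20 and 5 <= inner[12] >> 4 <= 15
    return next_header in (IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_UDP)


def classify(pkt, icv_len=ICV_LEN):
    """Return ("AH" | "ESP" | "plain", details) for a raw IPv4 packet."""
    proto, payload = ipv4_split(pkt)
    if proto == IPPROTO_AH:
        return "AH", parse_ah(payload)
    if proto == IPPROTO_ESP:
        esp = parse_esp(payload, icv_len)
        esp["null_encryption_likely"] = looks_like_null_esp(esp["body"])
        return "ESP", esp
    return "plain", {"protocol": proto}


# Constructed samples: one plaintext TCP segment wrapped three different ways.
INNER = tcp_segment(b"GET / HTTP/1.0\r\n")
SAMPLES = {
    "ah": ah_packet(INNER),
    "esp_null": esp_null_packet(INNER),
    "esp_opaque": esp_opaque_packet(),
    "plain": ipv4_header(IPPROTO_TCP, len(INNER)) + INNER,
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        kind, info = classify(pkt)
        print(name, kind, {k: v for k, v in info.items() if k not in ("inner", "body")})
```

Two caveats for using this on a real capture: the trailer test depends on the ICV length, so set `ICV_LEN` to match the integrity algorithm in the policy, and a positive result only says the body is readable, not that the SA is correctly configured. Because AH and ESP can be nested, an AH packet whose `next_header` is 50 carries ESP inside it, so check that field before concluding "AH only". Wireshark's ESP dissector also has a preference to attempt detection of NULL-encrypted ESP payloads, which makes the same check in the GUI.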
AntecK7 (All American, 7755 Posts):
Yeah,
Looks like we are running AH; seems like it's being encrypted with Null. 3/30/2009 8:42:36 AM