Collect netflow data on the decrypted payload in IPSec traffic

SteffenT (Level 1)

Hi,

I have a case where our client has an IPSec Site-to-Site tunnel where traffic is being hair-pinned on a 2901 router.

They would like to collect netflow data on the decrypted payload for accounting purposes.

The problem is that according to order-of-operations on the IOS router, the netflow is recorded before the packet is decrypted ingress, and after the packet is encrypted egress.

Is there a solution to this, or does anyone have any experience with alternate solutions for this scenario?

(e.g. SPAN the encrypted traffic to a second device which decrypts it and generates netflow data?)

Best Regards,

Steffen



jakewilson (Level 1)

Hello Steffen,

You may need to configure Flexible NetFlow. Here are a couple of blogs that explain it:

http://www.plixer.com/blog/network-traffic-analysis/sending-netflow-over-ipsec-tunnels/

http://www.plixer.com/blog/flexible-netflow/netflow-export-over-ipsec-tunnel/

If they help, please vote on my reply.

Thank you,

Jake Wilson

NetFlow Knight

Hi Jake,

Sorry, but you've misunderstood the question.

I don't want to export netflow data over the IPSec tunnel, I want to collect Netflow data based on the payload in the encrypted IPSec packet.

I.e. the flow between the actual hosts, which is encapsulated inside the IPSec tunnel, not the IPSec packets between the VPN peers.

olpeleri (Cisco Employee)

Hey Steffen,

Instead of using a crypto map, if you would use a DVTI or VTI instead then you could apply netflow on the tunnel or on the virtual-template interface. That's the only workaround I've in mind.

Cheers,

Olivier

Hi Olivier,

Yea, we'll probably do that anyway, but will that solve my problem?

Do the tunnel interfaces have a different order of operations than physical interfaces?

Hey Steffen,

Yes, the CEF path is then different [crypto map is an output feature while Tunnel Protection is a post-encap feature].

Therefore we can apply any output feature, such as netflow, on a tunnel or virtual-template interface, since then we match the traffic post-decapsulation.

An example from one of my boxes [ping from a VPN peer to 4.2.2.2]. Netflow catches the traffic after decryption.

R1-HUB#sh ip cache flow | i Vi1
Vi1           172.16.1.1      Et0/1         4.2.2.2         01 0000 0800   153

Cheers,

Olivier
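The VTI approach from Olivier's reply, written out as a complete IOS configuration with a Flexible NetFlow monitor applied to the tunnel interface. This is an added example, not configuration from the thread or from Cisco; the interface names, addresses, policy names and the pre-shared-key placeholder are assumptions.

```cisco
! IKE/IPsec pieces for a static VTI (assumed peer 198.51.100.2, assumed names)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.2
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256
!
! Flexible NetFlow: record the inner (cleartext) 5-tuple plus byte/packet
! counters, which is what an accounting collector needs.
flow record REC-INNER-IPV4
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
flow exporter EXP-COLLECTOR
 destination 192.0.2.10
 transport udp 2055
flow monitor MON-INNER
 record REC-INNER-IPV4
 exporter EXP-COLLECTOR
!
! Tunnel Protection instead of a crypto map: the tunnel interface sits
! post-decapsulation in the CEF path, so the monitor sees decrypted flows.
! Both directions are attached here so hair-pinned spoke-to-spoke traffic
! is accounted on the way in and on the way out of the tunnel.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
 ip flow monitor MON-INNER input
 ip flow monitor MON-INNER output
!
! Note: a monitor on GigabitEthernet0/0 would still only see ESP (protocol 50)
! between the two VPN peers, exactly as described in the original question.
```

Verify with `show flow monitor MON-INNER cache`: entries should carry the inner host addresses and ports rather than the peer addresses with protocol 50.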

Awesome, thank you Olivier!