Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Can Flowmon display data encapsulated in ESP protocol?

 

Information

 

Summary:

Flowmon can display ESP traffic only in special cases in which the traffic is unencrypted. However in most cases, it can't.

Environment:

Product: Flowmon

Version: Any

Platform: Any

Question/Problem Description:

We think it can't show anything since it is ESP traffic, is that correct?

In Probe's monitoring port settings, ESP can be selected as the tunnel protocol decapsulation.
We assume Flowmon cannot decrypt ESP traffic, what does this check control?

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:

 

Cause:  
Resolution:

There is the "ESP" decapsulation option on the monitoring port.

ESP.png

This option enables ESP tunnel parsing when the ESP payload is not encrypted, which is not the case here.

The decapsulation option on the monitoring port works only for the "null encryption", which means that the ESP communication isn't encrypted. It is used only in special rare cases. See the RFC:

https://datatracker.ietf.org/doc/html/rfc2410


In every other case Flowmon cannot see (decipher) ESP communication - to decipher such communication, the Flowmon appliance would effectively need to function as Man in the middle attacker, which is not the goal of the passive monitoring that Flowmon provides.

Workaround:  
Notes:  

Was this article helpful?
0 out of 0 found this helpful

Comments