  1. nb-
    Member
    Join Date
    Nov 2012
    Posts
    38
    #1

    Turn off IPSEC on Site-to-Site VPN?

    Hi

    I'm making a presentation about Site-to-Site VPN between 2 Cisco ASA Firewalls for a school project. During the presentation I would like to show the difference between encrypted and unencrypted traffic. My plan is to have a VPN connection established between two ASA Firewalls (it has to be firewalls).
    I would like to turn off IPSEC, set up Wireshark on a PC and send some ICMP traffic and then show what the ICMP packages look like in plain text. Then turn on IPSEC and once again show what the package looks like when it's been encrypted.

    But is it even possible to turn off IPSEC on a site-to-site connection on a Cisco ASA Firewall? I haven't been able to find any solution. If there is one, could you please tell me the easiest one so that it can be turned on/off with a matter of one command or so?

  3. Senior Member Kreken
    Join Date
    Sep 2012
    Location
    NYC
    Posts
    280

    Certifications
    CCNP R&S, CCDP, CCNP:S
    #2
    I would suggest replacing the ASAs with routers. To make your point, you can set up a GRE tunnel and then apply an IPsec profile to it.

  4. Achieve excellence daily
    Join Date
    May 2012
    Location
    Washington State
    Posts
    1,342

    Certifications
    CISSP
    #3
    If you currently have tunnel mode you could show the completely encrypted traffic then switch to transport mode where the headers will be exposed.
    When you go the extra mile, there's no traffic.

  5. Member
    Join Date
    May 2011
    Location
    Pittsburgh, Pa
    Posts
    75

    Certifications
    CCNA:R&S/S, CCNP:R&S, Security+, Palo Alto ACE v7.0
    #4
    Originally posted by Kreken:
    I would suggest replacing the ASAs with routers. To make your point, you can set up a GRE tunnel and then apply an IPsec profile to it.

    This is probably the closest to what you described.

    You could also just show a packet capture between the two ASAs with just a routed link, and then build the tunnel and pull another packet capture and show that the data is now encrypted, but there isn't like an on/off switch for IPSEC on a VPN tunnel - it's built into the technology.
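What the before/after captures discussed in this thread would contain, as an added example that is not part of any post: a small Python classifier that reports which fields a passive observer can read from the same ICMP echo sent over a routed link, over a bare GRE tunnel, and inside ESP. The addresses, SPI and payload bytes are constructed, and `ipv4` and `describe` are hypothetical helper names.

```python
import struct

ICMP, GRE, ESP = 1, 47, 50  # IANA IP protocol numbers

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left at 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, bytes(src), bytes(dst)) + payload

def describe(pkt):
    """Return the fields a passive observer can read from one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    seen = {"src": ".".join(map(str, pkt[12:16])),
            "dst": ".".join(map(str, pkt[16:20]))}
    if proto == ICMP:
        icmp_type, _code, _csum, _ident, seq = struct.unpack("!BBHHH", body[:8])
        seen.update(layer="ICMP", type=icmp_type, seq=seq, data=body[8:])
    elif proto == GRE:
        flags, ethertype = struct.unpack("!HH", body[:4])
        # Checksum, key and sequence flags each add 4 bytes after the base header.
        skip = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        seen.update(layer="GRE")
        if ethertype == 0x0800:  # inner IPv4 travels in the clear
            seen["inner"] = describe(body[skip:])
    elif proto == ESP:
        spi, seq = struct.unpack("!II", body[:8])
        # Everything after SPI and sequence number is ciphertext plus ICV.
        seen.update(layer="ESP", spi=spi, seq=seq, opaque_bytes=len(body) - 8)
    else:
        seen.update(layer=f"proto-{proto}")
    return seen

# Constructed samples: one echo request between two LAN hosts, sent three ways.
ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 7) + b"abcdefghijklmnop"
INNER = ipv4([10, 1, 1, 10], [10, 2, 2, 10], ICMP, ECHO)
ROUTED = INNER
GRE_ONLY = ipv4([192, 0, 2, 1], [192, 0, 2, 2], GRE,
                struct.pack("!HH", 0, 0x0800) + INNER)
# Stand-in bytes for ciphertext; a real ESP payload is equally unreadable without keys.
PROTECTED = ipv4([192, 0, 2, 1], [192, 0, 2, 2], ESP,
                 struct.pack("!II", 0x1A2B3C4D, 1)
                 + bytes((i * 73 + 41) % 256 for i in range(64)))

if __name__ == "__main__":
    for name, pkt in (("routed", ROUTED), ("gre", GRE_ONLY), ("esp", PROTECTED)):
        print(name, describe(pkt))
```

In the ESP case only the tunnel endpoints, the SPI and the sequence number are readable; the inner host addresses and the ICMP payload that appear in the routed and GRE-only captures are not.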
