"proving" encryption

Hi everyone,
I'm trying a little experiment with our Juniper SA-4000's, but this situation could probably apply to any networking devices.
I want to be able to "prove" that my encryption is working over our VPN sessions. We have a suspicion that some clients may only be connecting with AES128/MD5 encryption when they should really be connecting with AES256/SHA. I don't see where I can verify this in the logs, but I'd like to independently verify it anyway. Any ideas on how I can go about doing this?

Thanks in advance,
mrplaid

EDIT:
Hi guys, just wanted to say thanks for all the helpful responses! I ended up using Wireshark to capture some (what I think are) encrypted packets to prove that the encryption was working. I haven't been able to find an equivalent of the 'get sa' command using the WebUI for our Juniper box, so I'm trying to figure out other ways to glean that information. This is has become one of those "the more you learn the more you realize you don't know" sort of things, which is good.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Bl8ckr0uter

You could sniff the traffic to prove encryption....

chrisone

Aside from sniffing, the logs could help you too.

Not sure how it done in juniper but if you could see the IPSEC SA's , in cisco they show you the encryption and hash being used for each unidirectional SA for each end, be it host to host, network to host , or network to network.

instant000

Try "get sa" that output should offer what you need.

Paris-> get sa
 total configured sa: 1
 HEX ID    Gateway Port Algorithm     SPI      Life:sec kb    [B][COLOR=#ff0000]Sta[/COLOR][/B] PID vsys
 00000001< 1.1.1.1 500  esp:3des/sha1 e37791d3 3596     unlim [B][COLOR=#ff0000]A/-[/COLOR][/B] 2 0
 00000001> 1.1.1.1 500  esp:3des/sha1 883ebdb8 3596     unlim [B][COLOR=#ff0000]A/-[/COLOR][/B] 1 0

If you're trying to correlate that HEX id at the beginning, it'll be the number you see at the end of the lines, for the policies you have configured for your tunnels. in the configuration.

Try "get policy id nn" to get those

For example: "get policy id "01"

what I can't verify at this moment is if it wants you to enter "0x01" or not, as I don't have screenOs running at home at the moment.

Hope this helps!