The best way is actually using SNMP and collecting statistics for the tunnel interface.
A secondary approach is to enable QoS on the interface without setting a restrictive profile no limits, no QoS policy) you can then look at the live statistics for the encrypted traffic. drawback here is that you'll only get live statistics, nothing historical.
on this topic: use GCM instead of CBC, and diffie hellman groups 19 (256bit) or 20 (384bit) elliptic curve instead of large bit modulus (group 14 is 2048 bit modulus for example)
The best way is actually using SNMP and collecting statistics for the tunnel interface.
A secondary approach is to enable QoS on the interface without setting a restrictive profile no limits, no QoS policy) you can then look at the live statistics for the encrypted traffic. drawback here is that you'll only get live statistics, nothing historical.
IPSec itself adds overhead, so you can put less "useful" data inside each packet, but there some things you could try:
* sha-1
* aes128
Fast and secure hashing and encryption algorithms.
Thanks,
myky
on this topic: use GCM instead of CBC, and diffie hellman groups 19 (256bit) or 20 (384bit) elliptic curve instead of large bit modulus (group 14 is 2048 bit modulus for example)
Thank you both!