Are you having trouble exporting encrypted NetFlow traffic over your IPsec tunnel? When using a IPsec encrypted VPN, packets transferred are required to have the same output features of the tunnel; namely QoS and Encryption. Only if the output features are applied on the packets will they be sent to the destination over the VPN. This post will tell you how to get the data you want. 
When it comes to self-generated NetFlow, the output features will not take effect on these packets; so the NetFlow packets coming from a device that is the source of a tunnel will not be encrypted. This prevents the NetFlow packets from being sent over a IPsec tunnel to its destination. However there is a command that can be added to the FnF (aka Flexible NetFlow) export called “output-features” that could help. This IS REQUIRED to be in the FnF Configuration if you want to set DSCP or use encryption (e.g. VPN tunnels) on the device.
Now the second part of my Flexible NetFlow configuration looks like this:
Conf t
flow exporter export-to-ravica-replicator
description flexible NF v9
destination 10.1.4.66
source Vlan1
output-features
transport udp 9996
template data timeout 60
option interface-table
option exporter-stats
option application-table
Cisco’s Flexible NetFlow documentation says this “To enable sending Flexible NetFlow export packets using quality of service (QoS) or encryption, use the output-features command in Flexible NetFlow flow exporter configuration mode. To disable sending export packets using QoS or encryption, use the no form of this command:
- output-features
- no output-features
This NetFlow encryption configuration is helpful for getting NetFlow over VPN tunnels and is one of many NetFlow output features possible with Flexible NetFlow. Download the award winning, best NetFlow analyzer. Do you still have questions or suggestions when monitoring an IPsec tunnel? Feel free to post them in the comments below.