This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypting L2TP/IPsec, ESP

1

Hello,

I need to diagnose an L2TP/IPsec VPN connection which has encrypted packets exchanged between the server and client. Is there any way to test the connection by decrypting the packets using Wireshark, like we do for SSL/TLS connections using the private key/PEM file? If there is some other way out there I would be very thankful for the same. Also, when I am trying to capture packets in Wireshark while initiating the L2TP connection I cannot see L2TP packets in the capture, but can only see ISAKMP and ESP packets. The filter I have used in Wireshark is 'isakmp or esp or l2tp'.

[Info] Wireshark: Version 1.6.8 (SVN Rev 42761 from /trunk-1.6), Mac OS X 10.7 client and server

Thank you.


asked 13 Jul '12, 15:04


Azee
1113
accept rate: 0%

edited 13 Jul '12, 15:11


One Answer:

1

To decrypt ESP, you must give Wireshark details about the SA (http://wiki.wireshark.org/ESP_Preferences). You can get those details either from an IPsec debug log or from the internal state tables of the IPsec implementation. For Mac OS X: take a look at the man page of your IPsec implementation for how to enable debug logs or how to extract the SA information. I don't know how to do that on Mac OS X.

Also, when I am trying to capture packets in Wireshark while initiating the L2TP connection I cannot see L2TP packets in the capture, but can only see ISAKMP and ESP packets.

That is because you are encapsulating L2TP in IPsec (L2TP over IPsec). L2TP does not provide encryption itself; that's why it is combined with IPsec. Unless you are able to decrypt the ESP packets, you won't see the L2TP communication.

If there is some other way out there I would be very thankful for the same.

You say both L2TP client and server are Mac OS X 10.7. If so, you should have configured vpnd and pppd. Both provide some form of debug logging (see their man pages). Maybe that helps to identify your problem, besides decrypting the traffic with Wireshark.

Regards
Kurt

answered 13 Jul '12, 16:50


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 13 Jul '12, 17:00

To extract SA information on Mac OS X (at least in 10.9): sudo setkey -D

(22 Aug '14, 06:36) nnkken
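The answer says Wireshark needs the SA details and the comment says setkey -D prints them; as an added example (not code from this thread or from Wireshark), this Python script parses a constructed setkey -D dump and writes the rows for Wireshark's ESP SA table (Edit > Preferences > Protocols > ESP). The algorithm-name mapping and the row field order are assumptions taken from Wireshark's ESP preferences and should be checked against the version in use.

```python
import re
# Constructed sample of `setkey -D` output (ipsec-tools style, as on Mac OS X);
# the addresses, SPIs and keys are made up for this example.
SAMPLE_SETKEY_D = """\
192.0.2.10 192.0.2.20
\tesp mode=transport spi=123456789(0x075bcd15) reqid=0(0x00000000)
\tE: aes-cbc  00112233 44556677 8899aabb ccddeeff
\tA: hmac-sha1  0a0b0c0d 0e0f1011 12131415 16171819 1a1b1c1d
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.20 192.0.2.10
\tesp mode=transport spi=987654321(0x3ade68b1) reqid=0(0x00000000)
\tE: 3des-cbc  ffeeddcc bbaa9988 77665544 33221100 ffeeddcc bbaa9988
\tA: hmac-md5  01234567 89abcdef 01234567 89abcdef
"""

# Assumed mapping from setkey algorithm names to the algorithm names Wireshark's
# ESP "esp_sa" preference table uses; verify them against your Wireshark version.
ENC_NAMES = {"aes-cbc": "AES-CBC [RFC3602]", "3des-cbc": "TripleDES-CBC [RFC2451]", "null": "NULL"}
AUTH_NAMES = {"hmac-sha1": "HMAC-SHA-1-96 [RFC2404]", "hmac-md5": "HMAC-MD5-96 [RFC2403]", "null": "NULL"}

def parse_setkey_dump(text):
    """Return one dict per ESP SA in `setkey -D` output (AH blocks carry no 'spi' key)."""
    sas, cur = [], None
    for line in text.splitlines():
        parts = line.split()
        if line and not line[0].isspace():           # "src dst" header starts a block
            cur = {"src": parts[0], "dst": parts[1]}
            sas.append(cur)
        elif cur is None or not parts:
            continue
        elif parts[0] == "esp":                      # protocol, mode and SPI line
            cur["spi"] = re.search(r"spi=\d+\((0x[0-9a-f]+)\)", line).group(1)
        elif parts[0] == "E:":                       # encryption algo + key in 32-bit words
            cur["enc"], cur["enc_key"] = parts[1], "".join(parts[2:])
        elif parts[0] == "A:":                       # authentication algo + key
            cur["auth"], cur["auth_key"] = parts[1], "".join(parts[2:])
    return [sa for sa in sas if "spi" in sa]

def to_esp_sa_rows(sas):
    """Format parsed SAs as lines of Wireshark's esp_sa table (one SA per direction)."""
    rows = []
    for sa in sas:
        enc, auth = ENC_NAMES.get(sa.get("enc", "null")), AUTH_NAMES.get(sa.get("auth", "null"))
        if enc is None or auth is None:              # never emit a guessed algorithm name
            raise ValueError("no Wireshark name for %s/%s" % (sa.get("enc"), sa.get("auth")))
        ip = "IPv6" if ":" in sa["src"] else "IPv4"
        fields = [ip, sa["src"], sa["dst"], sa["spi"], enc, "0x" + sa.get("enc_key", ""),
                  auth, "0x" + sa.get("auth_key", "")]
        rows.append(",".join('"%s"' % f for f in fields))
    return rows
```

Each direction of the tunnel is its own SA, so the dump yields two rows; the keys in that dump are the live session secrets, so treat the resulting file accordingly.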