
I'm trying to decrypt ESP packets that I captured. I have a VPN setup using L2TP. I've read the http://wiki.wireshark.org/ESP_Preferences page. However, I don't know how to verify all the fields required for a Windows 7 machine, for example the Encryption Algorithm, Authentication Algorithm, Encryption key, etc. Any guidance would be greatly appreciated.

asked 26 Jul '12, 09:01

milesmeridith


Please see my answer here: http://ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-packets

Search for "ESP Decryption".

To be able to decrypt ESP packets you need a lot of internal state data from your IPsec implementation. Some Linux versions will give access to that data with this command: ip xfrm state. So, we need to figure out how to get that data from your L2TP server.

Is your L2TP server:

  • a windows system (which one)
  • a firewall/vpn device (which one)
  • a Linux/Unix system (which one)

UPDATE:

It's a SonicWall.

You need to boot a debug kernel (diagnostics firmware).

http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=TN&id=240

Then run some of the IPsec debug commands mentioned in that document. I suggest at least these three:

ipsec_debug=10
DumpIpsecSadb
PrintIpsecSas

Maybe there is a way to get that information from the Windows 7 client as well, however I can't find any decent information about that.

Regards
Kurt

answered 26 Jul '12, 09:12

Kurt Knochner ♦

edited 26 Jul '12, 10:23
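As an added example (not part of Kurt's answer and not a Wireshark tool), here is a small Python script that turns the "ip xfrm state" output mentioned above into rows for Wireshark's ESP SA table, so the Linux case does not have to be transcribed field by field. It assumes the record layout that iproute2's "ip xfrm state" prints, that the table in Edit > Preferences > Protocols > ESP takes eight double-quoted, comma-separated fields, and that the encryption/authentication labels in ENC_ALGS and AUTH_ALGS match the drop-downs of your Wireshark version; the sample state block and every key in it are constructed dummy values. It covers only the Linux side discussed in the answer; SonicWall debug output would need its own parser.

```python
"""Turn `ip xfrm state` output into rows for Wireshark's ESP SA table.

Added example for this thread, not code from the original answer. It
assumes the line layout printed by iproute2's `ip xfrm state` and the
algorithm labels Wireshark uses in its ESP SA table; verify both against
your own system before relying on the output.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the shape `ip xfrm state` prints (dummy keys, not
# real SA material): one ESP pair plus an AH SA that must be skipped.
SAMPLE_XFRM_STATE = """\
src 192.0.2.10 dst 198.51.100.20
\tproto esp spi 0xc1a2b3d4 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x0102030405060708090a0b0c0d0e0f1011121314 96
\tenc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 198.51.100.20 dst 192.0.2.10
\tproto esp spi 0xd4c3b2a1 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x2122232425262728292a2b2c2d2e2f3031323334 96
\tenc cbc(aes) 0x101112131415161718191a1b1c1d1e1f
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.0.2.10 dst 198.51.100.20
\tproto ah spi 0x00000100 reqid 2 mode transport
\tauth-trunc hmac(md5) 0x00112233445566778899aabbccddeeff 96
"""

# Assumed mapping from kernel algorithm names to the labels Wireshark's ESP
# dissector expects; check them against Preferences > Protocols > ESP.
ENC_ALGS = {
    "ecb(cipher_null)": "NULL",
    "cbc(des)": "DES-CBC [RFC2405]",
    "cbc(des3_ede)": "TripleDES-CBC [RFC2451]",
    "cbc(aes)": "AES-CBC [RFC3602]",
    "rfc3686(ctr(aes))": "AES-CTR [RFC3686]",
}
AUTH_ALGS = {  # keyed by (kernel name, ICV length in bits)
    ("hmac(md5)", 96): "HMAC-MD5-96 [RFC2403]",
    ("hmac(sha1)", 96): "HMAC-SHA-1-96 [RFC2404]",
    ("hmac(sha256)", 128): "HMAC-SHA-256-128 [RFC4868]",
}


@dataclass
class XfrmSa:
    src: str
    dst: str
    proto: str = ""
    spi: str = ""
    enc_name: Optional[str] = None
    enc_key: str = ""
    auth_name: Optional[str] = None
    auth_key: str = ""
    auth_trunc: int = 96  # ICV length the kernel uses when none is printed


_SRC_DST = re.compile(r"^src (\S+) dst (\S+)")
_PROTO = re.compile(r"^proto (\S+) spi (0x[0-9a-fA-F]+)")
_AUTH = re.compile(r"^auth(?:-trunc)? (\S+) (0x[0-9a-fA-F]*)(?: (\d+))?")
_ENC = re.compile(r"^enc (\S+) (0x[0-9a-fA-F]*)")


def parse_xfrm_state(text: str) -> List[XfrmSa]:
    """Split `ip xfrm state` output into one XfrmSa per src/dst record."""
    sas: List[XfrmSa] = []
    cur: Optional[XfrmSa] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SRC_DST.match(line):
            cur = XfrmSa(src=m.group(1), dst=m.group(2))
            sas.append(cur)
        elif cur is None:
            continue
        elif m := _PROTO.match(line):
            cur.proto, cur.spi = m.group(1), m.group(2).lower()
        elif m := _AUTH.match(line):
            cur.auth_name, cur.auth_key = m.group(1), m.group(2).lower()
            if m.group(3):
                cur.auth_trunc = int(m.group(3))
        elif m := _ENC.match(line):
            cur.enc_name, cur.enc_key = m.group(1), m.group(2).lower()
    return sas


def esp_sa_row(sa: XfrmSa) -> str:
    """Render one ESP SA as a row of the (assumed) esp_sa table format."""
    if sa.proto != "esp":
        raise ValueError(f"not an ESP SA: proto={sa.proto!r}")
    enc = "NULL" if sa.enc_name is None else ENC_ALGS[sa.enc_name]
    auth = "NULL" if sa.auth_name is None else AUTH_ALGS[(sa.auth_name, sa.auth_trunc)]
    family = "IPv6" if ":" in sa.src else "IPv4"
    fields = (family, sa.src, sa.dst, sa.spi, enc, sa.enc_key, auth, sa.auth_key)
    return ",".join(f'"{f}"' for f in fields)


def build_esp_sa_table(text: str) -> Tuple[List[str], List[str]]:
    """Return (rows, skipped): table rows plus a note for every SA that
    could not be converted (AH SAs, or algorithms without a known label)."""
    rows: List[str] = []
    skipped: List[str] = []
    for sa in parse_xfrm_state(text):
        try:
            rows.append(esp_sa_row(sa))
        except (KeyError, ValueError) as exc:
            skipped.append(f"{sa.src}->{sa.dst} spi {sa.spi}: {exc}")
    return rows, skipped


if __name__ == "__main__":
    import sys
    text = SAMPLE_XFRM_STATE if sys.stdin.isatty() else sys.stdin.read()
    rows, skipped = build_esp_sa_table(text)
    print("\n".join(rows))
    for note in skipped:
        print("# skipped:", note)
```

Run it as root on the Linux endpoint ("ip xfrm state | python3 xfrm2esp.py") while the tunnel is up, since the SAs and their keys are only visible while they are installed, and paste the rows into the ESP SAs table with "Attempt to detect/decode encrypted ESP payloads" enabled. The rows contain the live session keys, so treat the output with the same care as the capture itself.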

It's a SonicWall FW. Thank you for your help btw.

(26 Jul '12, 09:37) milesmeridith

I'll have to check how to get the required data from SonicWall debug output, if it's possible at all...

UPDATE: see my update in the answer

(26 Jul '12, 09:39) Kurt Knochner ♦