This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decrypting ESP packets, verifying IPSec settings

0

I'm trying to decrypt ESP packets that I captured. I have a VPN setup using L2TP. I've read the http://wiki.wireshark.org/ESP_Preferences page. However, I don't know how to verify all the fields required for a windows 7 Machine. For example the Encryption Algorithm, Authentication Algorithm, Encryption key ect. Any guidance would be greatly appreciated.

asked 26 Jul '12, 09:01

milesmeridith's gravatar image

milesmeridith
1111
accept rate: 0%

One Answer:

0

Please see my answer here: http://ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-packets

Search for "ESP Decryption".

To be able to decrypt ESP packets you need a lot of internal state data from your IPSEC implementation. Some Linux versions will give access to that data with this command: ip xfrm state. So, we need to figure out how to get that data from your L2TP server.

Is your L2TP server:

  • a windows system (which one)
  • a firewall/vpn device (which one)
  • a Linux/Unix system (which one)

UPDATE:

It's a SonicWall

You need to boot a debug kernel (diagnostics firmware).

http://www.sonicwall.com/app/projects/file_downloader/document_lib.php?t=TN&id=240

Then run some of the IPSEC debug commands mentioned in that document. I suggest at least these three:

ipsec_debug=10
DumpIpsecSadb
PrintIpsecSas

Maybe there is a way to get that information from the Windows 7 client as well, however I can't find any decent information about that.

Regards
Kurt

answered 26 Jul '12, 09:12

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 26 Jul '12, 10:23

It's a sonicwall FW. Thank you for your help btw.

(26 Jul '12, 09:37) milesmeridith

I'll have to check how to get the required data from SonicWall debug output, if it's possible at all...

UPDATE: see my update in the answer

(26 Jul '12, 09:39) Kurt Knochner ♦