This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark doesn’t decode ESP encrypted responses


Hi,

I have the following topology for two systems which have an IPsec tunnel: A [10.203.199.109] ------------ B [10.203.199.126]

I have configured ESP preferences in Wireshark running in B system with the information got from 'ip xfrm state' as mentioned below.

When I send ICMP ping packets/SCTP Heartbeat packets from A and start capturing the requests and responses in Wireshark (System B), I observe that Wireshark doesn't decrypt the responses from B to A (they appear as ESP protocol packets), while the ICMP requests/SCTP Heartbeat packets sent by A are displayed after decryption.

Could you please help me out?

Wireshark Version used: 0.99.3a

Output of 'ip xfrm state' in B:

    src 10.203.199.126 dst 10.203.199.109
        proto esp spi 0xcb0232de reqid 1 mode tunnel
        replay-window 32
        auth sha1 0x4e40e2628b172f0331393242f29ab1eba951c825
        enc aes 0xc84d1235c49a83caadc9a330513ab281
    src 10.203.199.109 dst 10.203.199.126
        proto esp spi 0xcec7a22e reqid 1 mode tunnel
        replay-window 32
        auth sha1 0x9fb4979b6d5807f7ca83e33c1c9cc993b6a93a7e
        enc aes 0x1cbc2ca4c000975b1c91dfb775cb9c7c

ESP Preferences Configuration in B:

    SA #1: IPv4|10.203.199.109|10.203.199.126|*
    Encrypt Algorithm #1: aes-cbc
    Authentication Algorithm #1: hmac-sha1-96
    Encryption Key #1: 0x1cbc2ca4c000975b1c91dfb775cb9c7c
    Authentication Key #1: x9fb4979b6d5807f7ca83e33c1c9cc993b6a93a7e

    SA #2: IPv4|10.203.199.126|10.203.199.109|*
    Encrypt Algorithm #2: aes-cbc
    Authentication Algorithm #2: hmac-sha1-96
    Encryption Key #2: 0xc84d1235c49a83caadc9a330513ab281
    Authentication Key #2: 0x4e40e2628b172f0331393242f29ab1eba951c825

I've enabled "Attempt to detect/decode encrypted ESP payloads" and "Attempt to check ESP Authentication", and both A and B are running Linux kernel version 2.6.18.1 and

Regards, Sethu

asked 29 Dec '10, 05:36


Sethuraman
accept rate: 0%
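The question's procedure is a hand transcription of `ip xfrm state` into Wireshark's ESP SA table, once per direction, and a single dropped character in a 40-digit key is enough to make one direction stay opaque. The following script is an added example (not Wireshark or iproute2 code) that does the transcription mechanically: it parses `ip xfrm state` output (both the old `auth sha1`/`enc aes` spelling shown above and the newer `auth-trunc hmac(sha1)`/`enc cbc(aes)` spelling, and output that has been flattened onto one line), rejects any key that is not a `0x`-prefixed hex string of the length the algorithm takes, and emits one line per SA in the layout of Wireshark's `esp_sa` preference file. The `esp_sa` field order and the algorithm labels (`AES-CBC [RFC3602]`, `HMAC-SHA-1-96 [RFC2404]`, and so on) are assumptions about recent Wireshark releases, so compare the output with a line Wireshark itself writes to `esp_sa` before relying on it; the sample input is the question's two SAs, reflowed.

```python
"""Turn `ip xfrm state` output into Wireshark ESP SA (esp_sa) lines and check the keys.

Added example, not Wireshark or iproute2 code. The esp_sa layout used here (protocol,
src, dst, SPI, enc alg, enc key, auth alg, auth key, each double-quoted, comma-separated)
and the algorithm labels are assumed from recent Wireshark releases; verify them against
a line Wireshark itself writes to its esp_sa file.
"""
import re

# Constructed sample: the two SAs quoted in the question, reflowed to the usual layout.
SAMPLE_XFRM = """\
src 10.203.199.126 dst 10.203.199.109
	proto esp spi 0xcb0232de reqid 1 mode tunnel
	replay-window 32
	auth sha1 0x4e40e2628b172f0331393242f29ab1eba951c825
	enc aes 0xc84d1235c49a83caadc9a330513ab281
src 10.203.199.109 dst 10.203.199.126
	proto esp spi 0xcec7a22e reqid 1 mode tunnel
	replay-window 32
	auth sha1 0x9fb4979b6d5807f7ca83e33c1c9cc993b6a93a7e
	enc aes 0x1cbc2ca4c000975b1c91dfb775cb9c7c
"""

# xfrm algorithm spellings (old "aes"/"sha1", newer "cbc(aes)"/"hmac(sha1)") mapped to the
# assumed Wireshark ESP algorithm label and the key sizes in bytes that algorithm accepts.
ENC_ALGS = {
    "aes": ("AES-CBC [RFC3602]", (16, 24, 32)),
    "cbc(aes)": ("AES-CBC [RFC3602]", (16, 24, 32)),
    "des3_ede": ("TripleDES-CBC [RFC2451]", (24,)),
    "cbc(des3_ede)": ("TripleDES-CBC [RFC2451]", (24,)),
}
AUTH_ALGS = {
    "sha1": ("HMAC-SHA-1-96 [RFC2404]", (20,)),
    "hmac(sha1)": ("HMAC-SHA-1-96 [RFC2404]", (20,)),
    "md5": ("HMAC-MD5-96 [RFC2403]", (16,)),
    "hmac(md5)": ("HMAC-MD5-96 [RFC2403]", (16,)),
}


def parse_xfrm_state(text):
    """Return one dict per SA. Walks tokens rather than lines, so it accepts both the
    multi-line layout and output that was pasted flattened onto a single line."""
    tok = text.split()
    sas, sa, i = [], None, 0
    while i < len(tok):
        t = tok[i]
        if t == "sel":                      # "sel src A dst B" is a selector, not a new SA
            i += 5
        elif t == "src":                    # every SA begins with "src X dst Y"
            sa = {"src": tok[i + 1], "dst": tok[i + 3]}
            sas.append(sa)
            i += 4
        elif t == "spi":
            sa["spi"] = tok[i + 1]
            i += 2
        elif t in ("auth", "auth-trunc"):   # "auth ALG KEY" or "auth-trunc ALG KEY BITS"
            sa["auth_alg"], sa["auth_key"] = tok[i + 1], tok[i + 2]
            i += 3
        elif t == "enc":                    # "enc ALG KEY"
            sa["enc_alg"], sa["enc_key"] = tok[i + 1], tok[i + 2]
            i += 3
        else:
            i += 1
    return sas


def check_key(key, valid_lengths):
    """None if key is 0x-prefixed hex of an accepted byte length, else the reason it fails."""
    if not re.fullmatch(r"0x[0-9a-fA-F]+", key):
        return "not a 0x-prefixed hex string"
    digits = len(key) - 2
    if digits % 2 or digits // 2 not in valid_lengths:
        expected = " or ".join(str(2 * n) for n in valid_lengths)
        return f"{digits} hex digits, expected {expected}"
    return None


def to_esp_sa_line(sa):
    """Build the esp_sa line for one SA, refusing keys that cannot be right."""
    enc_label, enc_lens = ENC_ALGS[sa["enc_alg"]]
    auth_label, auth_lens = AUTH_ALGS[sa["auth_alg"]]
    for what, key, lens in (("enc", sa["enc_key"], enc_lens), ("auth", sa["auth_key"], auth_lens)):
        problem = check_key(key, lens)
        if problem:
            raise ValueError(f"{sa['src']}->{sa['dst']} spi {sa['spi']}: {what} key {problem}")
    proto = "IPv6" if ":" in sa["src"] else "IPv4"
    fields = (proto, sa["src"], sa["dst"], sa["spi"], enc_label, sa["enc_key"], auth_label, sa["auth_key"])
    return ",".join(f'"{f}"' for f in fields)


def esp_sa_lines(text):
    """All esp_sa lines for a complete `ip xfrm state` dump, one per direction."""
    return [to_esp_sa_line(sa) for sa in parse_xfrm_state(text)]


if __name__ == "__main__":
    for line in esp_sa_lines(SAMPLE_XFRM):
        print(line)
```

Run it as `ip xfrm state | python3 xfrm2esp.py` (with the `__main__` block reading `sys.stdin` instead of the constructed sample) on the capturing host and append the output to the `esp_sa` file in the Wireshark profile directory. Because each xfrm state becomes its own line with its own SPI, the B-to-A SA that the question reports as undecoded is carried over with exactly the key bytes the kernel is using, and a key that fails `check_key` stops the run with the offending direction named rather than silently producing an SA Wireshark will never match.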


One Answer:


Your setup looks OK, apart from the ancient Wireshark version. Please take the capture and load it, and the configuration, in Wireshark 1.4.2 and see what comes out.

answered 30 Dec '10, 02:48


Jaap ♦
accept rate: 14%