This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I have the following topology for two systems which have an ipsec tunnel A[10.203.199.109]------------ B [10.203.199.126]

I have configured ESP preferences in Wireshark running in B system with the information got from 'ip xfrm state' as mentioned below.

When I send icmp ping packets/SCTP Hearbeat packets from A and start capturning the requests and responses in wireshark (System B), I observe that wireshark doesn't decrypt the response from B to A(they appear as ESP protocol packets) while the icmp requests/SCTP Hearbeat packets sent by A are displayed after decryption.

Could you plese help me out?

Wireshark Version used: 0.99.3a

Output of 'ip xfrm state' in B: src 10.203.199.126 dst 10.203.199.109 proto esp spi 0xcb0232de reqid 1 mode tunnel replay-window 32 auth sha1 0x4e40e2628b172f0331393242f29ab1eba951c825 enc aes 0xc84d1235c49a83caadc9a330513ab281 src 10.203.199.109 dst 10.203.199.126 proto esp spi 0xcec7a22e reqid 1 mode tunnel replay-window 32 auth sha1 0x9fb4979b6d5807f7ca83e33c1c9cc993b6a93a7e enc aes 0x1cbc2ca4c000975b1c91dfb775cb9c7c

ESP Preferences Configuration in B: SA #1:IPv4|10.203.199.109|10.203.199.126|* Encrypt Algorithm #1 : aes-cbc Authentication Algorithm #1:hmac-sha1-96 Encryption Key #1 : 0x1cbc2ca4c000975b1c91dfb775cb9c7c Authentication Key #1:x9fb4979b6d5807f7ca83e33c1c9cc993b6a93a7e

SA #2: IPV4|10.203.199.126|10.203.199.109|* Encrypt Algorithm #2 :aes-cbc Authentication Algorithm #2:hmac-sha1-96 Encryption Key #2 : 0xc84d1235c49a83caadc9a330513ab281 Authentication Key #2:0x4e40e2628b172f0331393242f29ab1eba951c825

I've enabled "attempt to detect/decode encrypted ESP payloads" and "Attempt to check ESP Authentication" and both A and B are running Linux kernel version:2.6.18.1 and

Regards, Sethu

asked 29 Dec '10, 05:36

Sethuraman's gravatar image

Sethuraman
1111
accept rate: 0%


Your setup looks oke, apart from the ancient Wireshark version. Please take the capture and load it, and the configuration, in Wireshark 1.4.2 and see what comes out.

permanent link

answered 30 Dec '10, 02:48

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×40
×39
×32
×20
×4

question asked: 29 Dec '10, 05:36

question was seen: 7,103 times

last updated: 30 Dec '10, 02:48

p​o​w​e​r​e​d by O​S​Q​A