
I'd like to see decryption of encrypted ISAKMP traffic. I entered the cookie and the key into the IKEv1 Decryption Table, but in the ISAKMP packets, the "Encrypted Data" doesn't have the clicky-box to expand and see it decrypted. I'm using Wireshark 1.8.4 with GCrypt on Windows 7. Is there something else I need to do?

asked 07 Feb '13, 14:55

scherertim


Please read my answer to the following question to see if there is anything that can help you.

http://ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-packets

Regards
Kurt


answered 07 Feb '13, 16:27

Kurt Knochner ♦

I did read that, thanks. No luck though. I'm using Windows IPSec rather than StrongSwan/Linux, so I copied the cookie from the Wireshark packets and got the key by converting the preshared string to hex with a helpful web calculator.

(07 Feb '13, 16:42) scherertim

> got the key by converting the preshared string to hex with a helpful web calculator.

Can you please post the URL for that web calculator? If it just 'converted' your PSK to hex, then you have two problems:

  1. You have exposed your PSK to an unknown party, probably together with the IP address of your gateway. If so, I urgently recommend changing the PSK ;-))
  2. The PSK (even in hex) and the enc key needed are not the same thing! Unfortunately I don't know how to get the enc key in a Windows environment. I'm not even sure if that information will be exposed by the system at all.
(07 Feb '13, 16:49) Kurt Knochner ♦
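To make the second point concrete: the encryption key Wireshark's IKEv1 decryption table wants is the phase 1 cipher key Ka, which RFC 2409 derives from the PSK through SKEYID and SKEYID_e using the two nonces, both cookies and the Diffie-Hellman shared secret g^xy. The nonces and cookies are visible in the capture; g^xy is not, which is why the key has to come from one of the endpoints rather than from a PSK-to-hex converter. The following Python is an added example written for this page (not code from Wireshark or from anyone in the thread); the function names are mine, the sample PSK, nonces, cookies and shared secret are constructed values, and the derivation steps follow RFC 2409 sections 5 and 5.4 and Appendix B:

```python
import hashlib
import hmac

# Hash functions negotiable for IKEv1 phase 1; prf is HMAC over the negotiated hash
# (RFC 2409 section 3.2). md5 and sha1 are what a 2013-era setup would typically use.
PRF_HASHES = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}


def prf(key: bytes, data: bytes, hash_name: str = "sha1") -> bytes:
    """IKEv1 prf(key, data) = HMAC-<hash>(key, data)."""
    return hmac.new(key, data, PRF_HASHES[hash_name]).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes, hash_name: str = "sha1") -> bytes:
    """SKEYID for pre-shared-key authentication (RFC 2409 section 5.4):
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b). The nonce bodies are visible
    on the wire; the PSK is not."""
    return prf(psk, ni_b + nr_b, hash_name)


def derive_skeyids(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes,
                   hash_name: str = "sha1") -> tuple:
    """SKEYID_d, SKEYID_a, SKEYID_e (RFC 2409 section 5). The trailing 0, 1, 2
    are single octets. g^xy is the DH shared secret, which never appears in
    the capture, so it must be obtained from one of the endpoints."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00", hash_name)
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01", hash_name)
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02", hash_name)
    return skeyid_d, skeyid_a, skeyid_e


def expand_encryption_key(skeyid_e: bytes, key_len: int, hash_name: str = "sha1") -> bytes:
    """Phase 1 cipher key Ka (RFC 2409 Appendix B). If SKEYID_e already has
    key_len bytes, Ka is its leading bytes; otherwise expand it as
    K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1), ... and Ka = K1 | K2 | ...
    truncated to key_len. 3DES (24 bytes) with an MD5 or SHA-1 prf takes this path."""
    if len(skeyid_e) >= key_len:
        return skeyid_e[:key_len]
    blocks, prev = [], b"\x00"
    while sum(len(b) for b in blocks) < key_len:
        prev = prf(skeyid_e, prev, hash_name)
        blocks.append(prev)
    return b"".join(blocks)[:key_len]


def phase1_encryption_key(psk, ni_b, nr_b, gxy, cky_i, cky_r, key_len, hash_name="sha1"):
    """Everything together: the value that goes into Wireshark's IKEv1 decryption
    table as the (hex) encryption key next to the initiator's cookie."""
    skeyid = skeyid_psk(psk, ni_b, nr_b, hash_name)
    _, _, skeyid_e = derive_skeyids(skeyid, gxy, cky_i, cky_r, hash_name)
    return expand_encryption_key(skeyid_e, key_len, hash_name)


# Constructed sample values (not from any real capture): a PSK, two 16-byte nonces,
# the two 8-byte cookies and a placeholder 1024-bit (DH group 2) shared secret.
SAMPLE_PSK = b"testpsk"
SAMPLE_NI = bytes(range(0x10, 0x20))
SAMPLE_NR = bytes(range(0x30, 0x40))
SAMPLE_CKY_I = bytes.fromhex("0123456789abcdef")
SAMPLE_CKY_R = bytes.fromhex("fedcba9876543210")
SAMPLE_GXY = bytes((i * 7 + 3) & 0xFF for i in range(128))


def example_key(hash_name: str = "sha1", key_len: int = 24) -> tuple:
    """Return (PSK as hex, derived 3DES key as hex) for the constructed sample."""
    ka = phase1_encryption_key(SAMPLE_PSK, SAMPLE_NI, SAMPLE_NR, SAMPLE_GXY,
                               SAMPLE_CKY_I, SAMPLE_CKY_R, key_len, hash_name)
    return SAMPLE_PSK.hex(), ka.hex()


if __name__ == "__main__":
    psk_hex, key_hex = example_key()
    print("PSK as hex (what an ASCII-to-hex converter gives):", psk_hex)
    print("Derived 3DES key (what the decryption table needs):", key_hex)
```

Running it prints two unrelated hex strings, which is the whole point: feeding the first one to Wireshark cannot produce anything but garbage, and only an endpoint that knows g^xy (or exposes SKEYID_e directly, as some Linux IKE daemons can in debug output) can produce the second.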

No worries about the security, it's just a test setup. The calculator is http://easycalculation.com/ascii-hex.php. I removed the spaces before entering it into Wireshark. But if the only problem is that I gave Wireshark the wrong key, wouldn't it decrypt the data and end up with garbage? It seems like it didn't even try, as if I missed a "Decrypt Now" button or something.

(08 Feb '13, 08:45) scherertim

> But if the only problem is that I gave Wireshark the wrong key, wouldn't it decrypt the data and end up with garbage?

I guess so; however, I never intentionally tried it with a wrong key. You can try it with the sample file and the crypto parameters in my answer to the question I mentioned, to see if IKE decryption works on your system.

BTW: What is your Wireshark version (wireshark -v)?

(08 Feb '13, 12:04) Kurt Knochner ♦

Version 1.8.4 (SVN Rev 46250 from /trunk-1.8). I get the same result with the sample file: no clickable box to show the decrypted data.

(08 Feb '13, 16:05) scherertim

O.K. I just tried it with 1.8.4 and you are right. It does not work any longer. I'll file a bug report and look into the code changes myself.

@Gerald Combs: The screenshots in my answer are missing (they were in the parts "Result without decryption:" and "Result with decryption:"). Is it possible to restore them?

(09 Feb '13, 02:36) Kurt Knochner ♦