I have a virtual network setup of 2 Ubuntu and 2 IPFire with a fifth virtual machine on which I installed Wireshark; I named that VM "Sniffer". Each Ubuntu is connected to an IPFire which acts as a gateway connected to another network which is exactly the same. I have been able to monitor the packets flowing from network 1 to network 2, including IPsec ESP packets, but I have no idea how I can decrypt these packets through Wireshark. What do I need to do or have to decrypt IPsec packets using Wireshark? I am using IKEv2 ESP encryption. I just need to be put on the road :)

asked 26 Oct '14, 05:52 Mohamed Ahmed, edited 26 Oct '14, 06:15
2 Answers:
Have you looked at the wiki page for ESP?

answered 26 Oct '14, 06:54 grahamb ♦, edited 26 Oct '14, 06:56
In addition to the wiki, you could check/read my answer to a similar question.

Regards

answered 26 Oct '14, 15:21 Kurt Knochner ♦
To be honest, I have seen it but not read it. But it seems that the only way I can decrypt ESP packets using Wireshark is by providing it with the security parameters of the tunnel, so it doesn't allow me to crack IPsec without an insider knowledge of the security tunnel being inspected. Is that the correct understanding of the situation?
Yes, this is correct.
If you could simply decrypt the packets off the wire, with no information other than the packets themselves, that would kind of defeat the purpose of ESP and encryption altogether. :)
Yes, I thought so. But I guess everything is cracked by the NSA, but we don't have their tools :)
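The exchange above boils down to one point: the only thing a sniffer can read from an ESP packet is the 8-byte header (SPI and sequence number); the keys that let Wireshark decrypt the rest have to come from one of the tunnel endpoints. The following added example (not part of the original thread, and not Wireshark's or IPFire's own code) shows exactly that split: it parses the clear-text ESP header from a constructed packet, looks the SPI up in a constructed SA table that stands in for what an administrator would read on an IPFire gateway (for example from `ip xfrm state`), and emits the entry Wireshark expects in its `esp_sa` table. The IP addresses, SPI and keys are made up; the `esp_sa` field layout and algorithm strings are taken from my knowledge of Wireshark's ESP preferences, not from the page.

```python
import struct

# Constructed sample: one ESP packet body (everything after the outer IPv4 header),
# as the "Sniffer" VM would capture it between the two IPFire gateways.
SAMPLE_ESP = (
    bytes.fromhex("c0000001")      # SPI (clear text)
    + bytes.fromhex("00000007")    # sequence number (clear text)
    + bytes(range(16))             # AES-CBC IV - opaque without the SA
    + b"\x11" * 32                 # ciphertext incl. encrypted ESP trailer - opaque
    + b"\x22" * 12                 # 96-bit ICV (HMAC-SHA-1-96) - verifiable only with the auth key
)

# Constructed SA table: values an administrator would copy from one tunnel endpoint.
# Nothing in the capture itself reveals these keys.
SA_TABLE = [
    {
        "src": "10.0.1.254", "dst": "10.0.2.254", "spi": 0xC0000001,
        "enc": "AES-CBC [RFC3602]",
        "enc_key": "0x00112233445566778899aabbccddeeff",
        "auth": "HMAC-SHA-1-96 [RFC2404]",
        "auth_key": "0x0123456789abcdef0123456789abcdef01234567",
    },
]


def parse_esp(esp: bytes):
    """Return (spi, seq, opaque_len). Only the 8-byte ESP header is readable on the wire;
    everything after it is ciphertext plus the ICV."""
    if len(esp) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", esp[:8])
    return spi, seq, len(esp) - 8


def find_sa(spi: int, table):
    """Match the SPI seen on the wire against the SAs obtained from an endpoint."""
    for sa in table:
        if sa["spi"] == spi:
            return sa
    return None


def esp_sa_uat_line(sa, proto: str = "IPv4") -> str:
    """Format one SA as a line of Wireshark's esp_sa table (Protocol, Src IP, Dest IP,
    SPI, Encryption, Encryption key, Authentication, Authentication key), each field quoted.
    Field layout assumed from Wireshark's ESP preferences, not from the page."""
    fields = [proto, sa["src"], sa["dst"], "0x%08x" % sa["spi"],
              sa["enc"], sa["enc_key"], sa["auth"], sa["auth_key"]]
    return ",".join('"%s"' % f for f in fields)


def build_uat(packets, table):
    """Walk captured ESP bodies, keep one esp_sa line per SPI we hold keys for,
    and report SPIs the table does not cover (those stay undecryptable)."""
    lines, missing, seen = [], [], set()
    for esp in packets:
        spi, _seq, _opaque = parse_esp(esp)
        if spi in seen:
            continue
        seen.add(spi)
        sa = find_sa(spi, table)
        if sa is None:
            missing.append(spi)
        else:
            lines.append(esp_sa_uat_line(sa))
    return lines, missing


if __name__ == "__main__":
    spi, seq, opaque = parse_esp(SAMPLE_ESP)
    print("on-wire: SPI=0x%08x seq=%d opaque bytes=%d" % (spi, seq, opaque))
    lines, missing = build_uat([SAMPLE_ESP], SA_TABLE)
    for line in lines:
        print(line)
    print("SPIs without keys:", ["0x%08x" % s for s in missing])
```

The generated lines go into the `esp_sa` file in your Wireshark profile directory (or are entered through the ESP protocol preferences), and decryption must be switched on with the `esp.enable_encryption_decode` preference, for example `tshark -o esp.enable_encryption_decode:TRUE -r capture.pcap`; both names are from Wireshark as I know it, not from the page. Run the script against the constructed packet and it prints the matching `esp_sa` line for SPI 0xc0000001; change the SPI in `SAMPLE_ESP` and the SPI lands in the "without keys" list, which is the situation the original question describes.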