This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi everybody. There are a lot of questions regrading L2TP/IPsec troubleshootin and little answers, but i have to try and check for your help.

I'm using Wireshark 2.0.1 (v2.0.1-0-g59ea380) that has Gcrypt (1.6.2).

I am in control of a VPN router server, with it's WAN static public IP (mu little bussiness store). On another ADSL connection i have my laptop with Windows 10. I create in the VPN Server a L2TP Server for Client-to-LAN:

  • List item
  • it's own local Ip address pool (172.30.10.10-20/24).
  • Account name: yyyy
  • Password: yxyxyx
  • Encryption: OM (IPsec - no configuration needed, just enable it)
  • Pre-shared key: aaaaaaa And it's done.

In my Windows 10 i create a VPN connection and configure:

  • List item
  • Account name: yyyy
  • IP server: WAN Static IP from L2TP server.
  • Choose VPN connection: L2TP/IPsec with pre-share key
  • Pre-shared key: aaaaa
  • Initial session information: user and password --> yyyy yxyxyxyx
  • Also in Control Panel - Networks and Internet - right click in the network connection just made.
  • Configure correctly security option (pre-shared key) and enable the use of the following protocols: CHAP and MS-CHAP v2.

After this i launch the connection and the tunnel is created. I can reach correctly the devices connected to VPN Server Router. I use Wireshark to capture all the packets directly from my W10 laptop, and i can see clearly the ISAKMP and ESP packets.

But i need to check the L2TP connection and for that i have to decrypt the ESP packets. In wireshark i configure the ESP protocol (Edit - Protocols - and choose ESP). At this point i am lost and although i've read many forums and Wikishark, i am not able to decrypt these packets. I am not an expert in Wireshark but have been working with it in order to learn. The following is a screenshot of the ESP configuration:

alt text although i'm not sure about the encryption and Authentication used by Windows 10. The VPN router also does not specifically inform of what kind of encryption and authentication is used by default. If i'm not correct the Encryptio usualy used is DES or 3DES. And the authentication used in IKE usualy is MD5. I tried some combinations, but there is no change in wireshark, once this configuration is applied. I've introduced in ESP configuration 2 entrances: one for the incoming packets and another for the outgoing packets.

  • At this point can anyone please help me? I'm sure a lot of people knows about this, so a little help, at least pointing me to a possible error, or some step i'm not doing or having in consideration in order to troubleshoot L2TP/IPsec issues.

Many thanks.

asked 20 Jun '16, 10:05

Portuguevos's gravatar image

Portuguevos
6113
accept rate: 0%

Hi again. I've been following other posts like https://wiki.wireshark.org/ESP_Preferences or http://www.spiceupyourknowledge.net/2012/11/decrypting-esp-packet-using-wireshark.html

I've downlowaded a pcap file with ESP packets, and applied the configuration in ESP configuration and in that example worked. But not in my case, and i have ALL the information. I tried with SPI is HEX, Decimal. The Keys i have are only numbers, and even so i cannot decrypt any of the ESP packets.

Also in order to know ALL information, i've made a VPN tunel with Shrew VPN Client against my VPM router. IKE proposal is using SHA1 Authentication, DES encryption, DH Group DH2, in both ends. IPsec proposal has the SECURITY PROTOCOL: ESP, ESP Authentication: SHA1 and ESP Encryption DES.

The tunel is correctly enabled and i can access the devices.

But again, in Wireshartk -> Preferences -> Protocols ESP, i fill all the information and ESP packets are still not decrypted.

Any idea? Many thanks.

(23 Jun '16, 07:59) Portuguevos

I doubt IKE using Diffie-Hellman is going to work, Wireshark won't have access to the encryption keys from the Pre-shared key only. See for instance https://ask.wireshark.org/questions/21011, which talks about this in the context of TLS

(24 Jun '16, 01:25) Jaap ♦

Hi Jaap. Thanks for the information. I'll check this situation. Although for the first case (main text), using only a L2TP VPN connection using microsoft integrated VPN client, DH (Diffie-Helman) is not being used. And even in that situation i cannot decrypt the messages. This second comment was a second test, but did not realize the DH situation. Many thanks.

(24 Jun '16, 01:35) Portuguevos

How are you getting the symmetric key for the DES encryption. I think you need to have the Phase2 symmetric key. DH is as I remember used during the phase1(possibly in ike key exchange)?? Will that even matter if you have phase2 keys?

(26 Dec '16, 01:30) koundi
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×45
×19
×8
×1

question asked: 20 Jun '16, 10:05

question was seen: 3,808 times

last updated: 26 Dec '16, 01:30

p​o​w​e​r​e​d by O​S​Q​A