I am trying to decrypt the ESP packets in both directions in Wireshark (Version 2.0.5 for OSX). I can add a single entry (SRC A --> DST B) to the ESP SA table and this works fine. However, when I add a second entry (SRC B --> DST A) for the opposite direction this entry does not work. I can add the entry for SRC B --> DST A as a single entry and it decrypts without issue. Is there something obvious I am missing to enable reading more than the first line in the ESP SA table? Thanks, asked 12 Aug '16, 03:19  Walt |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
Are you using the same key for both directions or different keys? And if you're using different keys, are they both correct? Also are the SPI for both directions the same or different?
Yes, I am using different keys in each direction, and the SPI is also different in each direction too. I am gathering all the IPSec info for each direction using the 'ip xfrm state' command. I can decrypt either direction without issue when the SA information is in line 1 of the ESP SA table, but the second entry in the table does not seem to be read; it doesn't matter which way I add the entries to the table only the first one will be decrypted.