Showing results for 
Search instead for 
Did you mean: 

How to see IKE/IPsec Encryption/Authentication Keys

Hello experts,

I'm interested to know if on the Cisco ASA there is a way to view the IKE encryption keys. More specifically, I want to do a packet capture in GNS3 (consider this a whitehat experiment) and decrypt IKE_Auth packets which are encrypted with keys negotiated in the IKE_SA_INIT exchange.

Wireshark offers this functionality from Main Menu -> Preferences -> Protocols -> ISAKMP. 

Is there any way (show command, debug, logs) to get these values (SK_ei, SK_er, SK_ai, SK_ar) for any particular IKE SA on the ASA ?


5 Replies 5

Up. Does anyone know ?


If you are referring to PSK configured on ASA, which is by standard "show run" command displayed as ****, you can see actual configured PSK by using command "more system:running-config". This way, you could see your other keys, hidden in "show run" command (e.g. your  AAA server PSK, or SNMP server community).

Additionally, you can narrow your search a bit by specific peer using "more system:running-config | begin IP_address".

An example if used show would be:

LAB-ASA# show run | b
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
ikev1 pre-shared-key *****

or by using comand more:

LAB-ASA# more system:running-config | b
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
ikev1 pre-shared-key rEu!4q.W@ojR!zpHT#u.6b


I hope this helps.

Best regards


No, I'm not referring to the encrypted PSK key. I'm referring to the SK_ei and SK_er values used to encrypt all IKE messages following IKE_SA_Init. 


Basically I want to use wireshark to decrypt the IKE_Auth, Create_Child_SA and Informational exchanges.

See also (links from other vendor sites):


I don't remember I ever read anywhere that actual keying material can be retrieved, as this is done dynamically, using DH algorithm.

Only output that I could think of that could have even close material as such would be output of the debug, as that one contains most detailed information about what is happening during tunnel establishment.

Here is an example of such configuration, debug commands and output:

ASA IKEv2 Debugs for Site-to-Site VPN with PSKs

However, in this post it is clearly stated:

It also computes a skeyid value, from which all keys can be derived for this IKE_SA. All but the headers of all the messages that follow are encrypted and authenticated. The keys used for the encryption and integrity protection are derived from SKEYID and are known as: a. SK_e (encryption). b. SK_a (authentication). c. SK_d is derived and used for derivation of further keying material for CHILD_SAs. A separate SK_e and SK_a is computed for each direction.

So I would say that what you are trying to achieve is not possible with Cisco ASA. From the links that you've provided, I can see that it is not possible with Juniper SRX either.


Best regards

I don't have much experience with the ASA and I thought there might be a way to see the SK values, so the question was worth asking. 

Review Cisco Networking for a $25 gift card