Re: How to see IKE/IPsec Encryption/Authentication Keys

chira.cipri@gmail.com · ‎08-29-2019

Hello experts,

I'm interested to know if on the Cisco ASA there is a way to view the IKE encryption keys. More specifically, I want to do a packet capture in GNS3 (consider this a whitehat experiment) and decrypt IKE_Auth packets which are encrypted with keys negotiated in the IKE_SA_INIT exchange.

Wireshark offers this functionality from Main Menu -> Preferences -> Protocols -> ISAKMP.

Is there any way (show command, debug, logs) to get these values (SK_ei, SK_er, SK_ai, SK_ar) for any particular IKE SA on the ASA ?

chira.cipri@gmail.com · ‎08-31-2019

Up. Does anyone know ?

Milos_Jovanovic · ‎09-01-2019

Hi,

If you are referring to PSK configured on ASA, which is by standard "show run" command displayed as ****, you can see actual configured PSK by using command "more system:running-config". This way, you could see your other keys, hidden in "show run" command (e.g. your AAA server PSK, or SNMP server community).

Additionally, you can narrow your search a bit by specific peer using "more system:running-config | begin IP_address".

An example if used show would be:

LAB-ASA# show run | b 192.168.185.49
tunnel-group 192.168.185.49 type ipsec-l2l
tunnel-group 192.168.185.49 ipsec-attributes
ikev1 pre-shared-key *****

or by using comand more:

LAB-ASA# more system:running-config | b 192.168.185.49
tunnel-group 192.168.185.49 type ipsec-l2l
tunnel-group 192.168.185.49 ipsec-attributes
ikev1 pre-shared-key rEu!4q.W@ojR!zpHT#u.6b

I hope this helps.

Best regards

chira.cipri@gmail.com · ‎09-01-2019

Hello,

No, I'm not referring to the encrypted PSK key. I'm referring to the SK_ei and SK_er values used to encrypt all IKE messages following IKE_SA_Init.

Basically I want to use wireshark to decrypt the IKE_Auth, Create_Child_SA and Informational exchanges.

See also (links from other vendor sites):
https://forums.juniper.net/t5/SRX-Services-Gateway/Decrypting-IKEv2-Messages-on-SRX/m-p/465954#M54229
https://inside.fortinet.com/doku.php?id=ipsec:keys

Milos_Jovanovic · ‎09-01-2019

Hi,

I don't remember I ever read anywhere that actual keying material can be retrieved, as this is done dynamically, using DH algorithm.

Only output that I could think of that could have even close material as such would be output of the debug, as that one contains most detailed information about what is happening during tunnel establishment.

Here is an example of such configuration, debug commands and output:

ASA IKEv2 Debugs for Site-to-Site VPN with PSKs

However, in this post it is clearly stated:

It also computes a skeyid value, from which all keys can be derived for this IKE_SA. All but the headers of all the messages that follow are encrypted and authenticated. The keys used for the encryption and integrity protection are derived from SKEYID and are known as: a. SK_e (encryption). b. SK_a (authentication). c. SK_d is derived and used for derivation of further keying material for CHILD_SAs. A separate SK_e and SK_a is computed for each direction.

So I would say that what you are trying to achieve is not possible with Cisco ASA. From the links that you've provided, I can see that it is not possible with Juniper SRX either.

Best regards

chira.cipri@gmail.com · ‎09-01-2019

I don't have much experience with the ASA and I thought there might be a way to see the SK values, so the question was worth asking.