Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
14402
Views
30
Helpful
0
Comments

How to decrypt IPSEC packet using wireshark

Meddane
VIP
VIP
‎04-23-2022 03:29 PM

Sometimes you want to see how the tunnel and the transport modes works with encapsulation, especially when using GRE over IPSEC and you would like to decrypt the ESP or IPSEC packet to see how GRE packet is encapulated with the two modes, especially for studying , teaching or may be for troubleshooting.

 

Below how to do it:

 

Configue the ESP encryption with null in the transform set.

crypto ipsec transform-set TS esp-null esp-sha512-hmac

Copy the pre-shared key configured in phase 1 ISAKMP.

crypto isakmp key cisco address 23.0.0.1

Open wireshark. right-click on the ESP packet, in this scenario the ESP SA from the source 12.0.0.1 to the destination 23.0.0.1. Under the Protocol Preferences, check the three options shown below.

1.PNG

 Expand the Encapsulation Security Payload and copy the SPI value for this ESP SA.

0xdc1f45c1

2.PNGGo back to Protocol Preferences, click on ESP SAs.

9.PNG

 Enter the informations related to the ESP SA.

Protocol: IPv4
Src IP: 12.0.0.1
Dest IP: 23.0.0.1
SPI: 0xdc1f45c1
Encryption: NULL
Authentication: SHA512-hmac-512-256 [RFC4868]
Authentication Key: cisco

7.PNG

Click OK, you should see the IPSec packet in clear text.

8.PNG

 

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents