cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

How to decrypt IPSEC packet using wireshark

1483
Views
30
Helpful
0
Comments
Meddane
Rising star

Sometimes you want to see how the tunnel and the transport modes works with encapsulation, especially when using GRE over IPSEC and you would like to decrypt the ESP or IPSEC packet to see how GRE packet is encapulated with the two modes, especially for studying , teaching or may be for troubleshooting.

 

Below how to do it:

 

Configue the ESP encryption with null in the transform set.

crypto ipsec transform-set TS esp-null esp-sha512-hmac

Copy the pre-shared key configured in phase 1 ISAKMP.

crypto isakmp key cisco address 23.0.0.1

Open wireshark. right-click on the ESP packet, in this scenario the ESP SA from the source 12.0.0.1 to the destination 23.0.0.1. Under the Protocol Preferences, check the three options shown below.

1.PNG

 Expand the Encapsulation Security Payload and copy the SPI value for this ESP SA.

0xdc1f45c1

2.PNGGo back to Protocol Preferences, click on ESP SAs.

9.PNG

 Enter the informations related to the ESP SA.

Protocol: IPv4
Src IP: 12.0.0.1
Dest IP: 23.0.0.1
SPI: 0xdc1f45c1
Encryption: NULL
Authentication: SHA512-hmac-512-256 [RFC4868]
Authentication Key: cisco

7.PNG

Click OK, you should see the IPSec packet in clear text.

8.PNG

 

 

 

Create
Recognize Your Peers
Content for Community-Ad