How to decrypt IPSEC packet using wireshark

Meddane · ‎04-23-2022

Sometimes you want to see how the tunnel and the transport modes works with encapsulation, especially when using GRE over IPSEC and you would like to decrypt the ESP or IPSEC packet to see how GRE packet is encapulated with the two modes, especially for studying , teaching or may be for troubleshooting.

Below how to do it:

Configue the ESP encryption with null in the transform set.

crypto ipsec transform-set TS esp-null esp-sha512-hmac

Copy the pre-shared key configured in phase 1 ISAKMP.

crypto isakmp key CISCO address 23.0.0.1

Open wireshark. right-click on the ESP packet, in this scenario the ESP SA from the source 12.0.0.1 to the destination 23.0.0.1. Under the Protocol Preferences, check the three options shown below.

Expand the Encapsulation Security Payload and copy the SPI value for this ESP SA.

0xdc1f45c1

Go back to Protocol Preferences, click on ESP SAs.

Enter the informations related to the ESP SA.

Protocol: IPv4
Src IP: 12.0.0.1
Dest IP: 23.0.0.1
SPI: 0xdc1f45c1
Encryption: NULL
Authentication: SHA512-hmac-512-256 [RFC4868]
Authentication Key: CISCO

Click OK, you should see the IPSec packet in clear text.

How to decrypt IPSEC packet using wireshark

AnyConnect Certificate Based Authentication.

Getting past intermittent/unexplained 802.1x problems on Windows 7

Insights About Multiple Vulnerabilities in Cisco Discovery Protocol Implementations (CDPwn)