Meddane
VIP

Sometimes you want to see how tunnel mode and transport mode encapsulate traffic, especially with GRE over IPsec, and you would like to look inside the ESP packet to see how the GRE packet is encapsulated in each of the two modes, for studying, teaching or maybe troubleshooting.

 

Here is how to do it:

 

Configure the transform set with the NULL encryption algorithm (esp-null). With NULL encryption (RFC 2410) ESP provides integrity and authentication only: the payload is sent in clear text, so nothing has to be decrypted. The remaining steps only tell Wireshark how to parse the ESP trailer and ICV so it can dissect the inner packet.

crypto ipsec transform-set TS esp-null esp-sha512-hmac

Copy the pre-shared key configured for ISAKMP (phase 1). Note that this is the IKE pre-shared key, not the HMAC key of the ESP SA; the ESP authentication key is derived during the IKE exchange, so Wireshark cannot verify the ICV with this value. It is not needed to display a NULL-encrypted payload.

crypto isakmp key CISCO address 23.0.0.1

Open Wireshark and right-click an ESP packet, in this scenario one from the ESP SA with source 12.0.0.1 and destination 23.0.0.1. Under Protocol Preferences, check the three options shown below.

[screenshot 1.PNG: ESP protocol preferences]

Expand the Encapsulating Security Payload and copy the SPI value of this ESP SA.

0xdc1f45c1

[screenshot 2.PNG: ESP header with SPI]

Go back to Protocol Preferences and click on ESP SAs.

[screenshot 9.PNG: ESP SAs table]

Enter the information for this ESP SA.

Protocol: IPv4
Src IP: 12.0.0.1
Dest IP: 23.0.0.1
SPI: 0xdc1f45c1
Encryption: NULL
Authentication: SHA512-hmac-512-256 [RFC4868]
Authentication Key: CISCO

[screenshot 7.PNG: ESP SA entry]

Click OK. The ESP payload is now dissected and the encapsulated packet is shown in clear text.

[screenshot 8.PNG: decoded ESP packet]
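What Wireshark does once it has the SA entry, as an added worked example that is not part of the original post: the script builds two NULL-encrypted ESP packets (constructed sample data, with a real HMAC-SHA512-256 ICV computed over a made-up SA key), then parses them using only the SPI, the sequence number and the ICV length of the authentication algorithm, and reads the next-header byte in the ESP trailer. That byte is what distinguishes the two modes for GRE over IPsec: 4 (IPv4-in-ESP) means tunnel mode, with a complete inner IP header in front of the GRE header; 47 (GRE) means transport mode, with the GRE header directly inside ESP. It also shows why the ISAKMP pre-shared key is not needed: the payload decodes either way because it was never encrypted, and only the key derived by IKE verifies the ICV. The SA key, SPI and addresses are assumptions made up for the example.

```python
import hashlib
import hmac
import struct

# ICV sizes for the ESP authentication algorithms handled here (truncated HMAC
# output, RFC 2404 / RFC 4868). Wireshark needs the same information to know
# where the ESP trailer ends and the ICV begins.
AUTH_ALGS = {
    "HMAC-SHA1-96": (hashlib.sha1, 12),
    "HMAC-SHA256-128": (hashlib.sha256, 16),
    "HMAC-SHA512-256": (hashlib.sha512, 32),
}

PROTO_IPIP = 4   # next header 4: ESP carries a whole inner IPv4 packet (tunnel mode)
PROTO_GRE = 47   # next header 47: ESP carries the GRE header directly (transport mode)


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options, checksum left at zero; constructed sample)."""
    def addr(a):
        return bytes(int(o) for o in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       addr(src), addr(dst))


def build_esp_null(spi, seq, inner, next_header, auth_alg, auth_key):
    """ESP with ESP_NULL: SPI | seq | inner | padding | pad len | next header | ICV."""
    digest, icv_len = AUTH_ALGS[auth_alg]
    pad_len = (-(len(inner) + 2)) % 4                    # align trailer to 4 bytes (RFC 4303)
    body = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    authenticated = struct.pack("!II", spi, seq) + body  # ICV covers header + payload + trailer
    icv = hmac.new(auth_key, authenticated, digest).digest()[:icv_len]
    return authenticated + icv


def parse_esp_null(esp, auth_alg, auth_key=None):
    """Dissect a NULL-encrypted ESP packet the way an ESP SA entry lets Wireshark do it."""
    digest, icv_len = AUTH_ALGS[auth_alg]
    spi, seq = struct.unpack("!II", esp[:8])
    body, icv = esp[8:-icv_len], esp[-icv_len:]         # strip header and ICV
    pad_len, next_header = body[-2], body[-1]            # ESP trailer
    payload = body[:len(body) - 2 - pad_len]             # drop trailer and padding
    icv_ok = None
    if auth_key is not None:                             # optional ICV verification
        expected = hmac.new(auth_key, esp[:-icv_len], digest).digest()[:icv_len]
        icv_ok = hmac.compare_digest(expected, icv)
    if next_header == PROTO_IPIP:
        mode, inner_ip, gre = "tunnel", payload[:20], payload[20:]   # assumes IHL == 5
    elif next_header == PROTO_GRE:
        mode, inner_ip, gre = "transport", None, payload
    else:
        raise ValueError(f"unexpected next header {next_header}")
    gre_proto = struct.unpack("!H", gre[2:4])[0]         # GRE protocol type (0x0800 = IPv4)
    return {
        "spi": spi, "seq": seq, "mode": mode, "next_header": next_header,
        "inner_src": ".".join(map(str, inner_ip[12:16])) if inner_ip else None,
        "inner_dst": ".".join(map(str, inner_ip[16:20])) if inner_ip else None,
        "gre_protocol": gre_proto, "icv_ok": icv_ok,
    }


# Constructed sample traffic: a GRE packet carrying an IPv4 passenger packet.
PASSENGER = ipv4_header("192.168.1.1", "192.168.2.1", 1, 8) + bytes(8)   # ICMP-sized stub
GRE_PACKET = struct.pack("!HH", 0, 0x0800) + PASSENGER                    # GRE, proto IPv4

# The ESP HMAC key is derived during IKE; it is not the ISAKMP pre-shared key.
# This value is a made-up stand-in for the derived key.
SA_AUTH_KEY = bytes(range(64))
SPI = 0xDC1F45C1
ALG = "HMAC-SHA512-256"

# Tunnel mode: the whole GRE/IP packet (12.0.0.1 -> 23.0.0.1, protocol 47) is placed
# inside ESP and the trailer's next-header byte is 4.
OUTER = ipv4_header("12.0.0.1", "23.0.0.1", PROTO_GRE, len(GRE_PACKET))
TUNNEL_PKT = build_esp_null(SPI, 1, OUTER + GRE_PACKET, PROTO_IPIP, ALG, SA_AUTH_KEY)
# Transport mode: only the GRE packet is placed inside ESP and the next-header byte is 47.
TRANSPORT_PKT = build_esp_null(SPI, 2, GRE_PACKET, PROTO_GRE, ALG, SA_AUTH_KEY)

TUNNEL = parse_esp_null(TUNNEL_PKT, ALG, SA_AUTH_KEY)
TRANSPORT = parse_esp_null(TRANSPORT_PKT, ALG, SA_AUTH_KEY)
# Parsing with the ISAKMP pre-shared key still decodes the payload (it was never
# encrypted), but the ICV cannot be verified with it.
WITH_PSK = parse_esp_null(TUNNEL_PKT, ALG, b"CISCO")

if __name__ == "__main__":
    for name, result in (("tunnel", TUNNEL), ("transport", TRANSPORT), ("tunnel/PSK", WITH_PSK)):
        print(name, result)
```

The only inputs the parser needs are the ones the Wireshark SA entry asks for (SPI and the authentication algorithm, which fixes the ICV length); the authentication key is consulted only for the ICV check, which is why a wrong key still produces a fully decoded packet.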

 

 

 

4 Comments
steff
Level 1

This article contains false information:

  • With esp-null, the data transmitted is already in clear text. Only data integrity and authentication can be guaranteed.
  • Entering the SA (Source/Destination/SPI) only helps Wireshark to decode (display) the plain-text ICMP packet.
  • Since we are looking at ESP and not ISAKMP, entering the authentication key does nothing.
  • The entered authentication key is also not correct (CISCO vs cisco).
  • This post has nothing to do with ESP decryption.
  • Using public IP space that you do not own is not good practice. You should use documentation areas for lab environments.
  • Please do not delete constructive comments!
Meddane
VIP

@steff First, did you read RFC 2410, titled "The NULL Encryption Algorithm and Its Use With IPsec", which explains the NULL encryption in detail? See the following section:

 

The NULL encryption algorithm is a convenient way to represent the option of not applying encryption. This is referred to as ESP_NULL in [DOI].

The IPsec Authentication Header [AH] specification provides a similar service, by computing authentication data which covers the data portion of a packet as well as the immutable in transit portions of the IP header. ESP_NULL does not include the IP header in calculating the authentication data. This can be useful in providing IPsec services through non-IP network devices. The discussion on how ESP_NULL might be used with non-IP network devices is outside the scope of this document.

Basically we agree NULL is an encryption algorithm.

Second, in the real world VPNs always use encryption of the data; NULL is used mainly for learning purposes of IPsec, which provides a way to look at the data in Wireshark. And this is the purpose of the post: to see how tunnel and transport mode work for IPsec and GRE with IPsec. As an official Cisco Instructor for many years, it was very helpful for participants.

Third, the crypto key is a mistake made when writing the post (corrected); it's just a human error when writing, don't worry.

So your post contains false information.

steff
Level 1

Then you should just label it, education-wise, as "ESP encapsulation and Wireshark decoding". You cannot decrypt something whilst "...not applying encryption" (RFC 2410). Therefore nobody agrees that NULL is an encryption method.

Glad you mentioned RFC 2410; it's a humorous RFC which is commonly referred to as a joke and has its place in the RFC April book, wiki, etc. Whether it was meant as one or not, we cannot blame them, as this RFC is already 26 years old. They clearly focus on "authentication and integrity without confidentiality"; you probably misunderstood that, and it is not the best resource for an official Cisco Instructor to be referring to.

 

> Third, the crypto key

It's still an authentication key and not a crypto key! I'm not judging about upper or lower case; it's about the fact that entering the authentication key _does_nothing_ at all in the shown circumstances.

Meddane
VIP

@steff  Thanks
