702 Views | 0 Helpful | 2 Replies

Any way to not encrypt the ESP packets for learning purpose?

Difan Zhao
Level 5

Hi experts,

I really want to see how ESP wraps the IP packet in the VPN tunnel. I did find many websites which describe how this is done, but I still prefer to capture it with Wireshark and analyze it myself... It will also work if Wireshark can decrypt it somehow. I do know that the key for encrypting the ESP packets is dynamically negotiated and will eventually expire. However, I'm wondering if Wireshark is smart enough to figure out the key if I provide it the ISAKMP preshared key.

Here is my config. Since it's for learning purpose I made it as simple as possible.

! IKE phase 1 (ISAKMP) policy: AES, pre-shared key, DH group 5
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
!
! Pre-shared key for the peer 2.2.2.1
crypto isakmp key 123456 address 2.2.2.1
!
! IPsec (phase 2) proposal: ESP with AES encryption and SHA-1 HMAC integrity
crypto ipsec transform-set SHA-AES esp-aes esp-sha-hmac
 mode transport
!
crypto map Crypto_Map 1 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set SHA-AES
 match address ACL_VPN
!
! Interesting traffic: 10.0.0.0/8 to 172.16.0.0/16
ip access-list extended ACL_VPN
 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
 ...
 crypto map Crypto_Map
!

Thanks!

Difan

2 Replies

Marcin Latosiewicz
Cisco Employee

Difan,

Check with:

crypto ipsec transform-set TEST esp-null

What is it that you want to see?

Also, please be aware that the PSK is used for AUTHENTICATION, not for encryption.

Marcin

Hi Marcin,

Thanks for the reply! I tried the command but I got this:

crypto ipsec transform-set TEST esp-null

ESP: NULL cipher requires ESP authenticator

At this moment I have one question. I want to know more about the ESP "Transport" mode and "Tunnel" mode. In my test lab I have three routers. R2 simulates the Internet. It is only configured with two interfaces, with IPs 1.1.1.2 and 2.2.2.2.

R1 and R3 are configured to run VPN. R1 and R3 have internal interfaces with Private IP addresses 10.0.0.1/24 and 172.16.0.1/16 respectively.

I ping from 10.0.0.1/24 to 172.16.0.1/16. The tunnel is built between 1.1.1.1 and 2.2.2.1. The ping works. However, I used Transport mode. Transport mode shouldn't change the IP addresses in the IP header. So in this scenario the traffic passing through the Internet or R2 should still be from 10.0.0.1 -> 172.16.0.1 (I don't have NAT configured).

So Transport mode shouldn't work, because it doesn't change the IP addresses in the IP header. However, it worked... In my captures the IPs are still changed to the public IP addresses 1.1.1.1 and 2.2.2.1.

So this is what confuses me so far. That's why I want to "open" the ESP packet and look inside...

thanks,
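The following is an added example, not code from the thread or from Cisco. It builds the exact ESP framing that Marcin's suggestion of esp-null produces once an authenticator is added (in IOS terms, "esp-null esp-sha-hmac": NULL encryption with HMAC-SHA1-96 integrity), and it answers the transport-versus-tunnel question in the last reply by encapsulating the same 10.0.0.1 -> 172.16.0.1 ping both ways. In transport mode the original IP header stays on the outside and only the ICMP payload goes inside ESP, so a capture on R2 would show 10.0.0.1 and 172.16.0.1; in tunnel mode a new outer header carries 1.1.1.1 and 2.2.2.1 and the ESP "next header" byte is 4 (IP-in-IP), which matches the capture described above. That is the form IOS negotiates when the protected traffic is not between the crypto peers themselves, even with "mode transport" configured. The SPI, sequence number, 20-byte HMAC key and ICMP data are constructed here and are not negotiated values; only the standard library is used, so it runs offline.

```python
# Added example (not from the original thread): ESP framing with NULL encryption
# and HMAC-SHA1-96 integrity, in transport mode and in tunnel mode. Standard
# library only. SPI, sequence number, HMAC key and ICMP data are constructed.
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50   # IP protocol number for ESP
IPIP_PROTO = 4   # ESP "next header" meaning a whole IPv4 packet follows (tunnel mode)
ICMP_PROTO = 1
ICV_LEN = 12     # HMAC-SHA1-96: the 20-byte SHA-1 MAC truncated to 96 bits


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_echo(data: bytes) -> bytes:
    """ICMP echo request (type 8) carrying `data`, with a valid checksum."""
    msg = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def esp_null_encapsulate(spi: int, seq: int, payload: bytes, next_header: int, auth_key: bytes) -> bytes:
    """ESP with the NULL cipher: SPI | Seq | payload | padding | pad len | next header | ICV.
    Nothing is encrypted, so the ICV over everything before it is the only protection;
    this is why IOS refuses esp-null without an ESP authenticator."""
    pad_len = (-(len(payload) + 2)) % 4      # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))   # RFC 4303 default pad bytes 1, 2, 3, ...
    body = (struct.pack("!II", spi, seq) + payload + padding
            + struct.pack("!BB", pad_len, next_header))
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_null_decapsulate(esp: bytes, auth_key: bytes) -> dict:
    """Verify the ICV, then strip the ESP header and trailer from a NULL-cipher packet."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch: wrong key or modified packet")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = struct.unpack("!BB", body[-2:])
    payload = body[8:len(body) - 2 - pad_len]
    return {"spi": spi, "seq": seq, "next_header": next_header, "payload": payload}


def addresses(packet: bytes) -> tuple:
    """(src, dst) read from an IPv4 header."""
    return (str(ipaddress.ip_address(packet[12:16])),
            str(ipaddress.ip_address(packet[16:20])))


def transport_mode(inner: bytes, spi: int, seq: int, key: bytes) -> bytes:
    """Transport mode: the original IP header stays as the outer header (protocol
    rewritten to 50) and only the layer-4 payload goes inside ESP."""
    ip_hdr, l4 = inner[:20], inner[20:]
    esp = esp_null_encapsulate(spi, seq, l4, ip_hdr[9], key)   # byte 9 = original protocol
    src, dst = addresses(ip_hdr)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(inner: bytes, outer_src: str, outer_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """Tunnel mode: the whole inner IP packet is the ESP payload (next header 4) and a
    new outer header carries the VPN peers' addresses."""
    esp = esp_null_encapsulate(spi, seq, inner, IPIP_PROTO, key)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def demo() -> dict:
    """The thread's ping (10.0.0.1 -> 172.16.0.1) encapsulated both ways, then decapsulated."""
    key = bytes(range(20))                      # constructed 160-bit HMAC key
    icmp = icmp_echo(b"hello ESP")
    inner = ipv4_header("10.0.0.1", "172.16.0.1", ICMP_PROTO, len(icmp)) + icmp
    tr = transport_mode(inner, spi=0x1000, seq=1, key=key)
    tu = tunnel_mode(inner, "1.1.1.1", "2.2.2.1", spi=0x1000, seq=1, key=key)
    tr_esp = esp_null_decapsulate(tr[20:], key)  # outer header is 20 bytes, ESP follows
    tu_esp = esp_null_decapsulate(tu[20:], key)
    return {
        "transport_outer": addresses(tr), "transport_next_header": tr_esp["next_header"],
        "tunnel_outer": addresses(tu), "tunnel_next_header": tu_esp["next_header"],
        "tunnel_inner": addresses(tu_esp["payload"]),  # inner header recovered from the ESP payload
        "tunnel_inner_intact": tu_esp["payload"] == inner,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Feed the bytes returned by `transport_mode` or `tunnel_mode` to Wireshark (for instance via a text2pcap import) and the ESP dissector will show the SPI, sequence number and, with the NULL cipher, the ICMP or inner IP payload in the clear; flipping any byte before the ICV makes `esp_null_decapsulate` reject the packet, which is the property the IOS error message is enforcing.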