1519 Views | 0 Helpful | 2 Replies

Decrypt site to site vpn using Wireshark

cheese-head
Level 1

Hi,

I have a site-to-site VPN between a Cisco ASA (with FTD code) and a Cisco 2800 series router. We recently moved from a 1 Gig link to a 10 Gig link. Since then, our VPN would establish; however, our RDP would work for a couple of minutes and then drop the connection.

I would like to decrypt the ESP packets using Wireshark, very similar to the link attached.

https://kb.fortinet.com/kb/documentLink.do?externalID=FD48280

It is my understanding that you need the following values to decrypt the packets:

- Protocol: choose the IP protocol version, e.g. IPv4.
- Src IP:
- Dst IP:
- SPI: local SPI
- Encryption:
- Encryption Key:
- Authentication:
- Authentication Key:

I am able to locate all the values; however, I am unable to identify the encryption and authentication keys.

Can someone please help me with what debug commands I should run to get those values?

Thanks in advance!
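As an added example (not part of the original post, and not code from Cisco, Fortinet or the Wireshark project), the following shell script turns the eight values listed above into the record format that Wireshark's "ESP SAs" table uses, checks that each key has the length its algorithm expects, and shows the tshark invocation that applies the records to a capture. Every address, SPI and key in it is a constructed placeholder; the algorithm names are spelled the way they appear in Wireshark's ESP SA table, and the script assumes tshark is on the path and that the keys for both directions of the tunnel are already in hand.

```shell
#!/bin/sh
# Added example, not from the original post or from any vendor: build Wireshark
# "ESP SAs" records from the eight values the post lists and decode a capture.
# Every address, SPI and key below is a constructed placeholder; the real ones
# come from the two tunnel endpoints.

# esp_sa_record PROTO SRC DST SPI ENC_ALG ENC_KEY AUTH_ALG AUTH_KEY
# Emits one record in the format Wireshark stores in its esp_sa table (the
# "ESP SAs" list under Preferences > Protocols > ESP); the same string is the
# argument of a tshark "-o uat:esp_sa:..." override.
esp_sa_record() {
    if [ $# -ne 8 ]; then
        echo 'usage: esp_sa_record PROTO SRC DST SPI ENC_ALG ENC_KEY AUTH_ALG AUTH_KEY' >&2
        return 1
    fi
    printf '"%s","%s","%s","%s","%s","%s","%s","%s"\n' "$@"
}

# hex_key_bits KEY: length in bits of a 0x-prefixed hex key (fails otherwise).
hex_key_bits() {
    case "$1" in
        0x*) ;;
        *) echo "key '$1' is not 0x-prefixed hex" >&2; return 1 ;;
    esac
    hexdigits=${1#0x}
    echo $(( ${#hexdigits} * 4 ))
}

# key_fits ALG KEY: succeed when the key length matches what the named
# algorithm expects. A wrong-length key is the usual reason Wireshark keeps
# showing ESP frames as encrypted without reporting an error, so check first.
key_fits() {
    bits=$(hex_key_bits "$2") || return 1
    case "$1" in
        "AES-CBC [RFC3602]")          [ "$bits" -eq 128 ] || [ "$bits" -eq 192 ] || [ "$bits" -eq 256 ] ;;
        "HMAC-SHA-1-96 [RFC2404]")    [ "$bits" -eq 160 ] ;;
        "HMAC-SHA-256-128 [RFC4868]") [ "$bits" -eq 256 ] ;;
        "HMAC-MD5-96 [RFC2403]")      [ "$bits" -eq 128 ] ;;
        *) echo "no length rule for '$1', not checked" >&2 ;;   # unknown: accept
    esac
}

ENC='AES-CBC [RFC3602]'
AUTH='HMAC-SHA-1-96 [RFC2404]'
# Constructed keys: a 128-bit AES key and a 160-bit HMAC-SHA-1 key per direction.
OUT_ENC_KEY=0x00112233445566778899aabbccddeeff
OUT_AUTH_KEY=0x0102030405060708090a0b0c0d0e0f1011121314
IN_ENC_KEY=0xffeeddccbbaa99887766554433221100
IN_AUTH_KEY=0x14131211100f0e0d0c0b0a090807060504030201

key_fits "$ENC" "$OUT_ENC_KEY" && key_fits "$AUTH" "$OUT_AUTH_KEY" \
  && key_fits "$ENC" "$IN_ENC_KEY" && key_fits "$AUTH" "$IN_AUTH_KEY" \
  || { echo 'key length mismatch, fix before loading into Wireshark' >&2; exit 1; }

# A site-to-site tunnel has one SA per direction, each with its own SPI and
# keys, so two records are needed to see both halves of the RDP session.
# Addresses are documentation ranges (constructed), SPIs are constructed.
OUT_SA=$(esp_sa_record IPv4 192.0.2.1 198.51.100.1 0x1a2b3c4d "$ENC" "$OUT_ENC_KEY" "$AUTH" "$OUT_AUTH_KEY")
IN_SA=$(esp_sa_record IPv4 198.51.100.1 192.0.2.1 0x4d3c2b1a "$ENC" "$IN_ENC_KEY" "$AUTH" "$IN_AUTH_KEY")

# decode_esp_capture PCAP: decrypt the ESP frames in PCAP and list the inner
# TCP flows, which is where the RDP session (TCP/3389) becomes visible, with
# Wireshark's TCP analysis flags (retransmissions, resets) alongside.
decode_esp_capture() {
    tshark -r "$1" \
        -o esp.enable_encryption_decode:TRUE \
        -o esp.enable_authentication_check:TRUE \
        -o "uat:esp_sa:$OUT_SA" \
        -o "uat:esp_sa:$IN_SA" \
        -Y 'esp && tcp' \
        -T fields -e frame.number -e ip.src -e ip.dst -e esp.spi -e esp.sequence \
        -e tcp.srcport -e tcp.dstport -e tcp.analysis.flags
}

# Only run tshark when a capture file is supplied on the command line.
if [ $# -ge 1 ]; then
    decode_esp_capture "$1"
fi
```

Run it as `sh esp_decode.sh tunnel.pcap` (both file names chosen here for illustration). The two records can equally be pasted into the ESP SAs table in the Wireshark GUI; the point of generating them from a script is that the key-length check runs before anything is loaded. The "SPI: local SPI" entry in the list above covers only one direction, which is why the script builds a second record with the return direction's SPI and keys.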

2 Replies

I never tried this. It would be interesting to know if you are successful in decrypting it.

The commands you need are below. Beware that there will be a lot of traffic generated, so log the SSH session so that you can later go through the file. Also, once you have all the debug output, make sure to give the command "undebug all".

debug crypto condition peer x.x.x.x
debug crypto ikev1

If running IKEv2, then:

debug crypto ikev2 platform 255
debug crypto ikev2 protocol 255
debug crypto ipsec 127

Please do not forget to rate.

That will not work as expected. The Wireshark option is only useful when the IPsec VPN is configured as "IPsec manual" without the use of IKE. In this configuration the encryption and authentication keys are added directly to the config, and this mode is *never* used in production.

I would start with a capture of the traffic leaving the VPN device into the local network and analyze it there.