I have a customer with whom I am troubleshooting an S2S IKEv2 tunnel. He sent me a capture so I can take a look at the tunnel negotiation (debug isn't showing an explicit reason for failure - Internal error, Unknown and the like) and we fixed a problem in the initial INIT messages. However, now it fails at the AUTH message exchange. As that part of the communication is encrypted, I asked him to send me a capture with the 'include-decrypted' option enabled, however when I load the file in Wireshark it still says the payload is encrypted. Is this a problem with Wireshark or something else?
Thank you for the help in advance.
This is how IKE/IPsec is designed to work. If you could see the decrypted traffic in Wireshark, it would actually be useless as a VPN.
In the SA_AUTH phase the traffic is already secured with the negotiated Diffie-Hellman secret. Here you can find some more information on this exchange:
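To see concretely what Wireshark is reporting, here is an added example (not code from the original post or the answer above) in Python: a minimal IKEv2 header and payload-chain parser following RFC 7296 section 3. It walks the plaintext payload chain of an IKE_SA_INIT message, but on an IKE_AUTH message it stops at the Encrypted (SK, type 46) payload, because everything after that payload's 4-byte header is IV, ciphertext and ICV under keys (SK_ei/SK_er) derived from the DH shared secret and nonces, which never appear on the wire. The SPIs and payload bodies in the two sample messages are constructed dummies, not taken from any real capture.

```python
import struct

# Fixed IKEv2 header, RFC 7296 section 3.1: I-SPI, R-SPI, next payload,
# version (major << 4 | minor), exchange type, flags, message ID, total length.
IKE_HDR = struct.Struct("!QQBBBBII")          # 28 bytes
PAYLOAD_HDR = struct.Struct("!BBH")           # next payload, critical/reserved, length

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
PAYLOAD_TYPES = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
                 39: "AUTH", 40: "Ni/Nr", 41: "N", 42: "D", 43: "V", 44: "TSi", 45: "TSr",
                 46: "SK", 47: "CP", 48: "EAP"}
SK = 46
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20


def parse_ikev2(msg: bytes) -> dict:
    """Parse the fixed header and walk the payload chain until it ends or reaches
    an SK payload, whose contents are ciphertext and cannot be walked further."""
    if len(msg) < IKE_HDR.size:
        raise ValueError("short IKE message")
    ispi, rspi, nxt, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(msg)
    if ver >> 4 != 2:
        raise ValueError(f"not IKEv2 (major version {ver >> 4})")
    if length != len(msg):
        raise ValueError(f"header says {length} bytes, {len(msg)} on the wire")
    payloads, off = [], IKE_HDR.size
    while nxt != 0:
        if off + PAYLOAD_HDR.size > len(msg):
            raise ValueError("truncated payload header")
        following, _crit, plen = PAYLOAD_HDR.unpack_from(msg, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(msg):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        payloads.append(PAYLOAD_TYPES.get(nxt, f"UNKNOWN({nxt})"))
        if nxt == SK:
            # The SK header's Next Payload names the first *inner* payload, but that
            # payload sits inside IV | ciphertext | ICV. Without SK_ei/SK_er (derived
            # from the DH secret and nonces) there is nothing more to decode here.
            break
        off += plen
        nxt = following
    return {
        "exchange": EXCHANGE_TYPES.get(exch, f"UNKNOWN({exch})"),
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "message_id": msg_id,
        "responder_spi_set": rspi != 0,
        "payloads": payloads,
        "encrypted": "SK" in payloads,
    }


def build_ikev2(ispi, rspi, exch, flags, msg_id, payloads):
    """Assemble a plaintext message from (payload type, body) pairs. Used only to
    build the constructed samples below."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        following = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(following, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = IKE_HDR.pack(ispi, rspi, first, 0x20, exch, flags, msg_id, IKE_HDR.size + len(body))
    return hdr + body


# Constructed samples (dummy SPIs and bodies, not from any real capture).
ISPI, RSPI = 0x1122334455667788, 0x99AABBCCDDEEFF00

# IKE_SA_INIT request: responder SPI still zero, every payload in the clear.
SAMPLE_INIT = build_ikev2(ISPI, 0, 34, FLAG_INITIATOR, 0, [
    (33, b"\x00" * 8),                         # SA proposal placeholder
    (34, b"\x00\x0e\x00\x00" + b"\x11" * 32),  # KE: DH group 14 header + dummy public value
    (40, b"\x22" * 32),                        # Ni
])

# IKE_AUTH request: a single SK payload. Its Next Payload field says IDi (35),
# but IDi lives inside the ciphertext, so that is all a passive observer sees.
_sk_body = b"\x00" * 16 + b"\xaa" * 64 + b"\xbb" * 16   # IV | ciphertext | ICV (opaque)
_sk = PAYLOAD_HDR.pack(35, 0, PAYLOAD_HDR.size + len(_sk_body)) + _sk_body
SAMPLE_AUTH = IKE_HDR.pack(ISPI, RSPI, SK, 0x20, 35, FLAG_INITIATOR, 1,
                           IKE_HDR.size + len(_sk)) + _sk

if __name__ == "__main__":
    for name, sample in (("IKE_SA_INIT", SAMPLE_INIT), ("IKE_AUTH", SAMPLE_AUTH)):
        print(name, parse_ikev2(sample))
```

Run it and the IKE_SA_INIT sample decodes to SA, KE and nonce payloads, while the IKE_AUTH sample decodes to nothing beyond the SK wrapper, which is exactly the "Encrypted and Authenticated" line Wireshark shows for a packet it has no keys for. Feeding a truncated message in raises a length mismatch rather than silently misreading the chain.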