cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
994
Views
5
Helpful
6
Replies

Viewing decrypted capture with Wireshark

GVI_02
Beginner
Beginner

Hey Everyone,

 

I have a customer with who I am troubleshooting a S2S IKEV2 tunnel. He sent me a capture so I can take a look at the tunnel negotiation (debug isn't showing a an explicit reason for failure - Internal error, Unknown and the like) and we fixed a problem in the initial INIT messages. However now it fails at the AUTH message exchange. As that part of the communication is encrypted I asked him to send me a capture with the 'include-decrypted' option enabled, however when I load the file in Wireshark in still says the payload is encrypted. Is this a problem with Wireshark or something else ?

 

Thank you for the help in advance.

1 Accepted Solution

Accepted Solutions

Ah, now I see what you mean (took some time ... ). I understand the "include-decrypted" option to be only valid for decrypted user-payload of IPsec and TLS connections. But you are looking at the IKE negotiation-traffic and that should not be handled by this option.

View solution in original post

6 Replies 6

Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor

This is how IKE/IPsec is designed to work. If you could see the decrypted traffic in Wireshark, it would actually be useless as a VPN.

In the SA_AUTH phase the traffic is already secured with the negotiated Diffie-Hellman secret. Here you find some more information on this exchange:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/115936-understanding-ikev2-packet-exch-debug.html

Sound logical. But then what does the 'include-decrypted' option in the capture actually do, if not decrypt the entire packet?

That option is to capture the user-traffic that got decrypted by the firewall. When the ASA is the VPN-termination-point, it has the keys to decrypt the data and this data can be shown in the capture.

That's my point. The data is still shown as an encrypted payload when I view the capture, even though the 'include-decrypted' command was used.

Ah, now I see what you mean (took some time ... ). I understand the "include-decrypted" option to be only valid for decrypted user-payload of IPsec and TLS connections. But you are looking at the IKE negotiation-traffic and that should not be handled by this option.

Gotcha. Thank you. However is there a way to decrypt it in Wireshark. I know there is a decryption table, however it requires the SK_ei, SK_er,SK_ai, SK_ar values. I know they show in the debugs for some vendors like Palo alto. Is this possible on the ASA?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers