Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1667
Views
5
Helpful
6
Replies

Viewing decrypted capture with Wireshark

Go to solution
GVI_02
Level 1
Level 1

‎06-25-2021 02:14 PM

Hey Everyone,

 

I have a customer with who I am troubleshooting a S2S IKEV2 tunnel. He sent me a capture so I can take a look at the tunnel negotiation (debug isn't showing a an explicit reason for failure - Internal error, Unknown and the like) and we fixed a problem in the initial INIT messages. However now it fails at the AUTH message exchange. As that part of the communication is encrypted I asked him to send me a capture with the 'include-decrypted' option enabled, however when I load the file in Wireshark in still says the payload is encrypted. Is this a problem with Wireshark or something else ?

 

Thank you for the help in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to GVI_02

‎06-26-2021 11:05 AM

Ah, now I see what you mean (took some time ... ). I understand the "include-decrypted" option to be only valid for decrypted user-payload of IPsec and TLS connections. But you are looking at the IKE negotiation-traffic and that should not be handled by this option.

View solution in original post

6 Replies 6

Go to solution
Karsten Iwen
VIP
VIP

‎06-26-2021 02:56 AM

This is how IKE/IPsec is designed to work. If you could see the decrypted traffic in Wireshark, it would actually be useless as a VPN.

In the SA_AUTH phase the traffic is already secured with the negotiated Diffie-Hellman secret. Here you find some more information on this exchange:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/115936-understanding-ikev2-packet-exch-debug.html

0 Helpful

Go to solution
GVI_02
Level 1
Level 1
In response to Karsten Iwen

‎06-26-2021 04:14 AM

Sound logical. But then what does the 'include-decrypted' option in the capture actually do, if not decrypt the entire packet?

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to GVI_02

‎06-26-2021 08:51 AM

That option is to capture the user-traffic that got decrypted by the firewall. When the ASA is the VPN-termination-point, it has the keys to decrypt the data and this data can be shown in the capture.

0 Helpful

Go to solution
GVI_02
Level 1
Level 1
In response to Karsten Iwen

‎06-26-2021 09:49 AM

That's my point. The data is still shown as an encrypted payload when I view the capture, even though the 'include-decrypted' command was used.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to GVI_02

‎06-26-2021 11:05 AM

Ah, now I see what you mean (took some time ... ). I understand the "include-decrypted" option to be only valid for decrypted user-payload of IPsec and TLS connections. But you are looking at the IKE negotiation-traffic and that should not be handled by this option.

Go to solution
GVI_02
Level 1
Level 1
In response to Karsten Iwen

‎06-26-2021 01:22 PM

Gotcha. Thank you. However is there a way to decrypt it in Wireshark. I know there is a decryption table, however it requires the SK_ei, SK_er,SK_ai, SK_ar values. I know they show in the debugs for some vendors like Palo alto. Is this possible on the ASA?

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents