06-25-2021 02:14 PM
Hey Everyone,
I have a customer with whom I am troubleshooting an S2S IKEv2 tunnel. He sent me a capture so I can take a look at the tunnel negotiation (debug isn't showing an explicit reason for failure - Internal error, Unknown and the like) and we fixed a problem in the initial INIT messages. However, now it fails at the AUTH message exchange. As that part of the communication is encrypted I asked him to send me a capture with the 'include-decrypted' option enabled, however when I load the file in Wireshark it still says the payload is encrypted. Is this a problem with Wireshark or something else?
Thank you for the help in advance.
06-26-2021 02:56 AM
This is how IKE/IPsec is designed to work. If you could see the decrypted traffic in Wireshark, it would actually be useless as a VPN.
In the SA_AUTH phase the traffic is already secured with the negotiated Diffie-Hellman secret. Here you find some more information on this exchange:
06-26-2021 04:14 AM
Sounds logical. But then what does the 'include-decrypted' option in the capture actually do, if not decrypt the entire packet?
06-26-2021 08:51 AM
That option is to capture the user traffic that got decrypted by the firewall. When the ASA is the VPN termination point, it has the keys to decrypt the data and this data can be shown in the capture.
06-26-2021 09:49 AM
That's my point. The data is still shown as an encrypted payload when I view the capture, even though the 'include-decrypted' command was used.
06-26-2021 11:05 AM
Ah, now I see what you mean (took some time ...
06-26-2021 01:22 PM
Gotcha. Thank you. However, is there a way to decrypt it in Wireshark? I know there is a decryption table, however it requires the SK_ei, SK_er, SK_ai, SK_ar values. I know they show in the debugs for some vendors like Palo Alto. Is this possible on the ASA?
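For reference, this is the shape of the record Wireshark's IKEv2 decryption table stores once you do have the four SK_* values (the thread does not establish whether the ASA exposes them). This is an added example, not code from the thread or from Cisco/Wireshark: the file name ikev2_decryption_table and the column order are Wireshark's UAT layout, while the algorithm label strings and expected key lengths are assumed to match the drop-downs in your Wireshark version and should be checked there. All SPI and key values below are constructed placeholders.

```python
import re
from pathlib import Path

# Key length in bytes that each algorithm label implies (assumed to match Wireshark's labels).
ENCR_KEY_LEN = {
    "3DES [RFC2451]": 24,
    "AES-CBC-128 [RFC3602]": 16,
    "AES-CBC-192 [RFC3602]": 24,
    "AES-CBC-256 [RFC3602]": 32,
}
INTEG_KEY_LEN = {
    "HMAC_MD5_96 [RFC2403]": 16,
    "HMAC_SHA1_96 [RFC2404]": 20,
    "HMAC_SHA2_256_128 [RFC4868]": 32,
    "HMAC_SHA2_384_192 [RFC4868]": 48,
    "HMAC_SHA2_512_256 [RFC4868]": 64,
}

def _check_hex(name, value, nbytes):
    """Reject a value that is not hex or not exactly nbytes long; return it lowercased."""
    if not re.fullmatch(r"[0-9a-fA-F]*", value) or len(value) != 2 * nbytes:
        raise ValueError(f"{name}: expected {nbytes} bytes ({2 * nbytes} hex chars), got {len(value)} chars")
    return value.lower()

def ikev2_table_record(spi_i, spi_r, sk_ei, sk_er, encr_alg, sk_ai, sk_ar, integ_alg):
    """Build one line of Wireshark's ikev2_decryption_table (columns in UAT order, each quoted)."""
    if encr_alg not in ENCR_KEY_LEN or integ_alg not in INTEG_KEY_LEN:
        raise ValueError("unsupported algorithm label")
    fields = [
        _check_hex("Initiator SPI", spi_i, 8),               # IKE_SA initiator SPI, 8 bytes
        _check_hex("Responder SPI", spi_r, 8),               # IKE_SA responder SPI, 8 bytes
        _check_hex("SK_ei", sk_ei, ENCR_KEY_LEN[encr_alg]),  # encryption key, initiator -> responder
        _check_hex("SK_er", sk_er, ENCR_KEY_LEN[encr_alg]),  # encryption key, responder -> initiator
        encr_alg,
        _check_hex("SK_ai", sk_ai, INTEG_KEY_LEN[integ_alg]),  # integrity key, initiator -> responder
        _check_hex("SK_ar", sk_ar, INTEG_KEY_LEN[integ_alg]),  # integrity key, responder -> initiator
        integ_alg,
    ]
    return ",".join(f'"{f}"' for f in fields)

def append_record(profile_dir, record):
    """Append a record to the ikev2_decryption_table file inside a Wireshark profile directory."""
    path = Path(profile_dir) / "ikev2_decryption_table"
    with open(path, "a") as fh:
        fh.write(record + "\n")
    return path

if __name__ == "__main__":
    # Constructed placeholder SPIs and keys, not material from a real SA.
    print(ikev2_table_record("0011223344556677", "8899aabbccddeeff", "00" * 32, "11" * 32,
                             "AES-CBC-256 [RFC3602]", "22" * 32, "33" * 32,
                             "HMAC_SHA2_256_128 [RFC4868]"))
```

A key of the wrong length for the chosen algorithm is rejected before anything is written, which is the usual reason a table entry silently fails to decrypt the IKE_AUTH exchange.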