How to analyze IPsec Traffic with Wireshark



Author: Celal Dogan
Reviewer: Deepak Prasad

Introduction: Site to Site IPsec Traffic

Internet Protocol Security (IPsec) is a set of protocols that enable us to authenticate and encrypt traffic between two parties. Protocols such as Internet Security Association and Key Management Protocol (ISAKMP), Encapsulating Security Payload (ESP) and Authentication Header (AH) are used to protect the data.

ISAKMP provides a framework for authentication and key management and supports many key exchange protocols, such as Oakley, Diffie-Hellman, the enhanced Diffie-Hellman and the RSA-based key exchange. The AH protocol provides data origin authentication, data integrity and replay protection. However, AH does not provide data confidentiality, which means that all of our data is sent in clear text. Unlike AH, the ESP protocol provides data confidentiality, and optionally also provides data origin authentication, data integrity checking and replay protection. In short, the difference between ESP and AH is that ESP provides encryption, while both protocols provide authentication, integrity checking and replay protection.

In this article, we will create a site to site IPsec topology using Cisco routers. Since we will not decrypt the tunneled data in this article, we will use AH so that we can see the tunneled data in clear text.

The following topology shows Site1 and Site2 exchanging data. We will use IPsec to protect that data between IPsec-GW-1 and IPsec-GW-2.

[Figure: site to site topology, Site1 - IPsec-GW-1 - IPsec-GW-2 - Site2]

The IPsec standards define two distinct modes of IPsec operation, transport mode and tunnel mode.


Transport mode

IPsec transport mode is used for end-to-end communication, typically between a client and a server. Besides that, IPsec transport mode can be used when another tunneling protocol (such as GRE) first encapsulates the IP packet, and IPsec is then used to protect the GRE tunnel packets. The following figure shows the packet format for ESP when transport mode is used.

[Figure: ESP packet format in transport mode]

Tunnel mode

Tunnel mode is most commonly used between IPsec gateways, and the traffic between the gateways is protected. In tunnel mode, the entire original IP packet is encrypted and authenticated and is encapsulated in a new outer IP header. The following figure shows the packet format for ESP when tunnel mode is used.

[Figure: ESP packet format in tunnel mode]

In this article, we will use tunnel mode. Before analyzing the packets with Wireshark, we need to configure the routers as shown below.

IPsec ISAKMP negotiation takes place in two phases, Main Mode (Phase 1) and Quick Mode (Phase 2). Main Mode (Phase 1) authenticates the peers and is partially encrypted. Quick Mode (Phase 2) negotiates the algorithms and agrees on which traffic will be sent across the IPsec tunnel.

Configuration for Site1

!
hostname Site1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.1.2 255.255.255.0
 speed auto
 duplex auto
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1 name Default_Route
!


Configuration for IPsec-GW-1

!
hostname IPsec-GW-1
!
! Phase 1 (ISAKMP Main Mode) policy: AES-128, SHA-256, pre-shared key, DH group 2
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 2
! Pre-shared key for the peer IPsec-GW-2 (lab value)
crypto isakmp key celaldogan address 192.168.3.2
!
! Phase 2 transform set: AH with HMAC-SHA, i.e. authentication and integrity only, no encryption.
! "mode transport" only applies to traffic between the peer addresses themselves; the protected
! 1.1.1.1 <-> 2.2.2.2 flow does not match, so IOS encapsulates it in tunnel mode.
crypto ipsec transform-set VPN_TS ah-sha-hmac
 mode transport
!
! Crypto map binding the peer, the transform set and the interesting traffic
crypto map VPN_CMAP 10 ipsec-isakmp
 set peer 192.168.3.2
 set transform-set VPN_TS
 match address VPN_TRAFFIC
!
! Interface toward IPsec-GW-2; the crypto map is applied here
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 duplex full
 crypto map VPN_CMAP
!
! Interface toward Site1
interface FastEthernet1/0
 ip address 192.168.1.1 255.255.255.0
 speed auto
 duplex auto
!
ip route 0.0.0.0 0.0.0.0 192.168.3.2 name Default_route
ip route 1.1.1.1 255.255.255.255 192.168.1.2 name Route_to_1.1.1.1
ip route 2.2.2.2 255.255.255.255 192.168.3.2 name Route_to_2.2.2.2
!
! Interesting traffic: only 1.1.1.1 <-> 2.2.2.2 is protected by IPsec
ip access-list extended VPN_TRAFFIC
 permit ip host 1.1.1.1 host 2.2.2.2
!


Configuration for IPsec-GW-2

!
hostname IPsec-GW-2
!
! Phase 1 policy and pre-shared key must match IPsec-GW-1
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key celaldogan address 192.168.3.1
!
! Same transform set as on IPsec-GW-1: AH only, and the 1.1.1.1 <-> 2.2.2.2 flow is
! encapsulated in tunnel mode because it does not match the peer addresses
crypto ipsec transform-set VPN_TS ah-sha-hmac
 mode transport
!
crypto map VPN_CMAP 10 ipsec-isakmp
 set peer 192.168.3.1
 set transform-set VPN_TS
 match address VPN_TRAFFIC
!
! Interface toward IPsec-GW-1; the tunnel terminates here
interface FastEthernet0/0
 ip address 192.168.3.2 255.255.255.0
 duplex full
 crypto map VPN_CMAP
!
! Interface toward Site2. The crypto map applied here is not needed for this topology,
! since the protected traffic leaves through FastEthernet0/0.
interface FastEthernet1/0
 ip address 192.168.2.1 255.255.255.0
 speed auto
 duplex auto
 crypto map VPN_CMAP
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.3.1 name Default_Route
ip route 1.1.1.1 255.255.255.255 192.168.3.1 name Route_to_1.1.1.1
ip route 2.2.2.2 255.255.255.255 192.168.2.2 name Route_to_2.2.2.2
!
! Mirror image of the access list on IPsec-GW-1
ip access-list extended VPN_TRAFFIC
 permit ip host 2.2.2.2 host 1.1.1.1
!


Configuration for Site2

!
hostname Site2
!
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet1/0
 ip address 192.168.2.2 255.255.255.0
 speed auto
 duplex auto
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.2.1 name Default_Route
!
!


Analyzing IPsec Packets with Wireshark

We will start a ping request from Site1 and capture packets between IPsec gateways.

[Figure: ping from Site1 while capturing between the IPsec gateways]

The following screenshot shows the packets I captured.

[Figure: Wireshark packet list with the ISAKMP exchange followed by the AH-protected traffic]

Packet number 1:

This is the first packet sent by the initiator (IPsec-GW-1). It contains the proposal for the ISAKMP security association, which we defined in the "crypto isakmp policy 1" section. As seen below, the initiator proposes:

  • Encryption Algorithm: AES-CBC
  • AES-CBC key length: 128 bits
  • Hash Algorithm: SHA2-256
  • Diffie-Hellman Group: Group 2 (Alternate 1024-bit MODP group)
  • Authentication Method: Pre-shared key
  • Life Type of the Phase 1 tunnel: Seconds
  • Life Duration: 86400 seconds

[Figure: packet 1 in Wireshark, ISAKMP SA proposal from the initiator]

Packet number 2:

The responder (IPsec-GW-2) sends a packet with its proposals.

[Figure: packet 2 in Wireshark, ISAKMP SA proposal from the responder]

Packet number 3:

This packet contains payload such as:

  • Key Exchange carries the initiator's Diffie-Hellman public value.
  • Nonce is a randomly generated number used to prevent replay attacks from generating bogus SAs.
  • NAT-D is used to detect whether a NAT device exists between the gateways.

[Figure: packet 3 in Wireshark, Key Exchange, Nonce and NAT-D payloads]

Packet number 4:

The responder sends its own Key Exchange, Nonce and NAT-D payloads in return.

[Figure: packet 4 in Wireshark, the responder's Key Exchange, Nonce and NAT-D payloads]

Packets number 5-6:

From this point on, the traffic between both parties is encrypted. These packets are used for identification and authentication of each peer.

[Figure: packets 5 and 6 in Wireshark, encrypted identification and authentication]

Packets number 7-9:

These packets are fully encrypted and are exchanged to complete Quick Mode. They carry the security association for the IPsec tunnel protected by ESP or AH, negotiating the parameters defined in the transform set configuration and the mode of the tunnel (transport mode or tunnel mode).

[Figure: packets 7 to 9 in Wireshark, encrypted Quick Mode exchange]
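To follow the Main Mode / Quick Mode walk-through above without the screenshots, the following added example (not part of the article or of any Cisco tool) parses the ISAKMP header of a UDP/500 payload and lists the clear-text payload chain the way Wireshark's ISAKMP dissector does; the cookies and payload bodies are constructed placeholders, so only the structure matches the capture.

```python
import struct
# ISAKMP (RFC 2408) exchange and payload types; NAT-D (20) comes from RFC 3947
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive Mode", 32: "Quick Mode"}
PAYLOAD_TYPES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 20: "NAT-D"}
FLAG_ENCRYPTION = 0x01  # bit 0 of the header flags: everything after the header is encrypted

def parse_isakmp(data: bytes) -> dict:
    """Parse the 28-byte ISAKMP header; walk the payload chain only when it is in clear."""
    if len(data) < 28:
        raise ValueError("short ISAKMP header")
    _icookie, rcookie, nxt, _ver, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    length = min(length, len(data))  # never trust the declared length beyond the captured bytes
    info = {
        "phase": 1 if msg_id == 0 else 2,          # Phase 1 messages carry message ID 0
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "responder_cookie_set": rcookie != b"\x00" * 8,  # zero until the responder answers
        "payloads": [],
    }
    if info["encrypted"]:
        return info  # payload chain is ciphertext (packets 5-9 in the capture)
    off = 28
    while nxt != 0:
        if off + 4 > length:
            raise ValueError("payload chain runs past declared length")
        np_, _res, plen = struct.unpack("!BBH", data[off:off + 4])  # generic payload header
        if plen < 4 or off + plen > length:
            raise ValueError("bad payload length")
        info["payloads"].append(PAYLOAD_TYPES.get(nxt, f"type{nxt}"))
        nxt, off = np_, off + plen
    return info

def build_isakmp(icookie, rcookie, exch, flags, msg_id, payloads):
    """Constructed test helper: header plus a chain of (payload type, body) tuples."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = struct.pack("!8s8sBBBBII", icookie, rcookie, first, 0x10, exch, flags, msg_id, 28 + len(body))
    return hdr + body

# Constructed samples mirroring packets 1, 3, 5 and 7 of the capture (cookies and bodies are arbitrary)
IC, RC = b"\x11" * 8, b"\x22" * 8
PKT1 = build_isakmp(IC, b"\x00" * 8, 2, 0, 0, [(1, b"\x00" * 12)])                    # SA proposal
PKT3 = build_isakmp(IC, RC, 2, 0, 0, [(4, b"\xaa" * 16), (10, b"\xbb" * 8),
                                      (20, b"\xcc" * 20), (20, b"\xdd" * 20)])        # KE, Nonce, NAT-D
PKT5 = build_isakmp(IC, RC, 2, FLAG_ENCRYPTION, 0, [(5, b"\xee" * 8)])                # ID/auth, encrypted
PKT7 = build_isakmp(IC, RC, 32, FLAG_ENCRYPTION, 0x1234ABCD, [(8, b"\xff" * 20)])     # Quick Mode
```

On a real capture, feed `parse_isakmp` the UDP payload of each port 500 datagram; the phase, exchange type and encryption flag are readable even for the packets whose payloads Wireshark shows as encrypted.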

Packets number 10-17:

These packets contain the actual data tunneled by IPsec. Since we used AH for demonstration purposes, we can see the data in clear text. If we change AH to ESP in the transform set configuration, the data will be encrypted. As seen below, the ICMP packet from 1.1.1.1 to 2.2.2.2 is encapsulated in AH and tunneled from IPsec-GW-1 (192.168.3.1) to IPsec-GW-2 (192.168.3.2).

[Figure: packets 10 to 17 in Wireshark, ICMP from 1.1.1.1 to 2.2.2.2 encapsulated in AH between 192.168.3.1 and 192.168.3.2]
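The AH encapsulation described above, and the transport/tunnel distinction from the mode sections, can be checked programmatically. The following parser is an added example (not from the article or from a Cisco or Wireshark tool) that decodes an AH-protected IPv4 packet and reports whether it is in tunnel or transport mode; the sample packets, SPI and zeroed ICV bytes are constructed.

```python
import struct
import ipaddress

IPPROTO_ICMP, IPPROTO_IPIP, IPPROTO_AH = 1, 4, 51
PROTO_NAMES = {1: "ICMP", 4: "IPIP", 6: "TCP", 17: "UDP"}

def parse_ipv4(data: bytes, off: int = 0):
    """Return (src, dst, protocol, header length) for the IPv4 header at offset off."""
    vhl, _tos, _tot, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", data[off:off + 20])
    if vhl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, (vhl & 0x0F) * 4

def parse_ah_packet(data: bytes) -> dict:
    """Describe an AH-protected IPv4 packet. The ICV is reported but not verified,
    since that needs the SA's key; the clear-text payload is what Wireshark shows."""
    src, dst, proto, ihl = parse_ipv4(data)
    if proto != IPPROTO_AH:
        raise ValueError(f"outer protocol {proto} is not AH (51)")
    # RFC 4302 AH header: next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    nxt, plen, _res, spi, seq = struct.unpack("!BBHII", data[ihl:ihl + 12])
    ah_len = (plen + 2) * 4
    result = {"outer": (src, dst), "spi": spi, "seq": seq, "icv_len": ah_len - 12}
    inner = ihl + ah_len
    if nxt == IPPROTO_IPIP:          # tunnel mode: AH is followed by a complete inner IP packet
        isrc, idst, iproto, _ = parse_ipv4(data, inner)
        result.update(mode="tunnel", inner=(isrc, idst), inner_proto=PROTO_NAMES.get(iproto, str(iproto)))
    else:                            # transport mode: AH is followed by the upper-layer protocol
        result.update(mode="transport", inner_proto=PROTO_NAMES.get(nxt, str(nxt)))
    return result

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Constructed test helper: minimal 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

# Constructed samples: an ICMP echo request from 1.1.1.1 to 2.2.2.2 protected by AH-SHA-HMAC
# (24-byte AH with a 96-bit ICV, zeroed here) between the gateways, first in tunnel mode as in
# the capture above, then the same flow as it would look in transport mode.
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * 8
INNER = ipv4_header("1.1.1.1", "2.2.2.2", IPPROTO_ICMP, len(ICMP_ECHO)) + ICMP_ECHO
AH_TUNNEL = struct.pack("!BBHII", IPPROTO_IPIP, 4, 0, 0x1F2E3D4C, 1) + b"\x00" * 12
SAMPLE_TUNNEL = ipv4_header("192.168.3.1", "192.168.3.2", IPPROTO_AH, len(AH_TUNNEL) + len(INNER)) + AH_TUNNEL + INNER
AH_TRANSPORT = struct.pack("!BBHII", IPPROTO_ICMP, 4, 0, 0x1F2E3D4C, 2) + b"\x00" * 12
SAMPLE_TRANSPORT = (ipv4_header("192.168.3.1", "192.168.3.2", IPPROTO_AH, len(AH_TRANSPORT) + len(ICMP_ECHO))
                    + AH_TRANSPORT + ICMP_ECHO)
```

The AH next-header value (4 for IP-in-IP versus the upper-layer protocol number) is the field that tells tunnel mode from transport mode, which is the same check Wireshark applies when it shows an inner IP layer after the AH layer.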

Final thoughts

IPsec is a fairly complex framework that secures communication between parties. It can be used to protect one or more data flows between peers. IPsec provides data confidentiality, integrity, origin authentication and anti-replay protection.


Celal Dogan

He is proficient in System Administration, Python, Computer Network, Network Engineering, PHP, Web Testing, Penetration Testing, Wireshark, RADIUS, Cisco Router, TCP/IP, Kali Linux, OSPF, NPS, and Multiprotocol BGP. You can connect with him on his LinkedIn Profile.
