How to decrypt IPSec Packets (ISAKMP and ESP) - Wireshark


Wireshark

Author: Celal Dogan
Reviewer: Deepak Prasad

In this article, we will focus on decrypting IPsec traffic between a Cisco router and a Strongswan IPsec VPN solution. Most of network vendors do not provide materials for decrypting IPsec protocols. Unlike other vendors, Strongswan, which is a multiplatform IPsec implementation, supplies these materials.

We will implement the topology below. The Strongswan and the Cisco router will act as IPsec gateways. The traffic between Site1 and Site2 will be encrypted by IPsec.

How to decrypt IPSec Packets (ISAKMP and ESP) - Wireshark

 

Configuring Strongswan

We will create a simple IPsec configuration on the Strongswan.

Step-1:  Install Strongswan with the command below.

apt install strongswan

Step-2: Add two network adapters eth1, eth2 and configure their ip addresses like below.

┌──(root💀kali)-[/home/kali]
└─# ifconfig eth1 192.168.20.1 netmask 255.255.255.0 up

┌──(root💀kali)-[/home/kali]
└─# ifconfig eth2 192.168.10.2 netmask 255.255.255.0 up

 

Step-3: Enable routing and add the Site1 and Site2 routes into the routing table with commands below and then verify them.

┌──(root💀kali)-[/home/kali]
└─# echo 1 > /proc/sys/net/ipv4/ip_forward

┌──(root💀kali)-[/home/kali]
└─# route add -net 2.2.2.2 netmask 255.255.255.255 gw 192.168.20.2

┌──(root💀kali)-[/home/kali]
└─# route add -net 1.1.1.1 netmask 255.255.255.255 gw 192.168.10.1

┌──(root💀kali)-[/home/kali]
└─# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
1.1.1.1         192.168.10.1    255.255.255.255 UGH   0      0        0 eth2
2.2.2.2         192.168.20.2    255.255.255.255 UGH   0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1

 

Step-4: Open /etc/ipsec.conf file which stores the configuration (policies) for ISAKMP and ESP. Beside that do not forget enabling IKE1 debugging, which will provide Initiator COOKIE (Initiator SPI) and encryption key. We will use these parameters to decrypt ISAKMP tunnel. The traffic between 1.1.1.1 and 2.2.2.2 hosts will be encrypted.

config setup
         strictcrlpolicy=yes
         uniqueids = yes
         charondebug="ike 1"
conn %default
conn Strongswan-to-Cisco
       left=192.168.20.1
       leftsubnet=1.1.1.1/32
       right=192.168.20.2
       rightsubnet=2.2.2.2/32
       authby=secret
       keyexchange=ikev1
       ike=aes-sha2_256-modp1024!
       esp=aes256-sha2_256!
       lifetime=8h
       ikelifetime=1h
       auto=start

 

Step-5: Add the pre-shared key and IPsec gateways to /etc/ipsec.secrets file.

192.168.20.1 192.168.20.2 : PSK "celaldogan"

 

Step-6: After basic configuration and enabling debugging, we need to set the log file path, configuring /etc/strongswan.conf like below. All the debug logs, including ISAKMP encryption key will be stored in the charon.log file.

$ cat /etc/strongswan.conf
charon {
        load_modular = yes
        filelog {
        charon {
           path = /home/kali/charon.log
           time_format = %b %e %T
           append = no
           ike_name = yes
           default = 4
           flush_line = yes
       }
        stderr {
            ike = 1
            ike = 2
            ike = 4
            knl = 3
        }
        }
      plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

 

Step-7: Start Strongswan with the command below.

┌──(root💀kali)-[/home/kali]

└─# systemctl start ipsec

 

Configuring the sites and the other IPsec peer

Step-1: Configuring Site1 is pretty straightforward. It does not require a complex design except assigning IP address to 2 interfaces and inserting the route to Site2 (2.2.2.2).

!
hostname Site1
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 speed auto
 duplex auto
!
ip route 2.2.2.2 255.255.255.255 192.168.10.2 name Route-->2.2.2.2
!

 

Step-2: Configuring the Site2 is almost identical to Site1. Following shows the configuration.

!
hostname Site2
!
 
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.30.1 255.255.255.0
 speed auto
 duplex auto
!
ip route 1.1.1.1 255.255.255.255 192.168.30.2 name Route-->1.1.1.1

 

Step-3: Configuring IPsec_Gateway is more complex compared to Site1 and Site2. First thing first, we will assign IP addresses to the interfaces and add the relevant static routes to the routing table. After achieving basic connectivity, we need to define ISAKMP proposals (SA) with “crypto isakmp policy”. These parameters will be offered to the other IPsec peer in IPsec Main Mode (Phase1). We also define a pre-shared key for authentication with “crypto isakmp key...” command. After passing Main Mode, the peer will propose its IPsec Security Association (SA) to the other peer. We specify those parameters with a transformset. Next, we define an ACL to select the interesting traffic, which will be encrypted. Last but not least, we associate these configurations under a crypto map and apply it to the outgoing interface.

!
hostname IPSec_Gateway
!
!
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 2
crypto isakmp key celaldogan address 192.168.20.1
!
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
!
!
crypto map VPN_CMAP 10 ipsec-isakmp
 set peer 192.168.20.1
 set transform-set VPN_TS
 match address VPN_TRAFFIC
!
!
interface FastEthernet0/0
 ip address 192.168.20.2 255.255.255.0
 speed auto
 duplex auto
 crypto map VPN_CMAP
!
interface FastEthernet0/1
 ip address 192.168.30.2 255.255.255.0
 speed auto
 duplex auto
!
ip route 1.1.1.1 255.255.255.255 192.168.20.1 name Route-->1.1.1.1
ip route 2.2.2.2 255.255.255.255 192.168.30.1 name Route-->2.2.2.2
!
ip access-list extended VPN_TRAFFIC
 permit ip host 2.2.2.2 host 1.1.1.1
!

 

Extracting decryption materials for ISAKMP protocol from charon.log file

Step-1: The debug logs are stored in charon.log file. We need two parameters for decryption: Initiator’s COOKIE (SPI) and Encryption Key. Following screenshots show how to find the parameters.

How to decrypt IPSec Packets (ISAKMP and ESP) - Wireshark 

After applying this command, it will bring the Initiator’s COOKIE (SPI).

How to decrypt IPSec Packets (ISAKMP and ESP) - Wireshark

 

Open the log file with your preferred text editor and find “encryption key”. As seen below, my encryption key is 16 bytes. Take a note of both of the parameters and open your trace file with Wireshark.

How to decrypt IPSec Packets (ISAKMP and ESP) - Wireshark

 

Step-2: At this point, we have the information we need, now it is time to feed Wireshark with that information from Edit → Preferences → Protocols → ISAKMP → IKEv1 Decryption Table: as shown below.

How to decrypt IPSec Packets (ISAKMP and ESP) - Wireshark

 

Step-3: Click OK buttons to decrypt the ISAKMP traffic. Following screenshots show before and after decryption for one packet in the Quick Mode (Phase2). In the Phase2, all data is encrypted between peers. After decrypting the traffic, we can see the packet carries the IPsec SA proposal.

How to decrypt IPSec Packets (ISAKMP and ESP) - Wireshark

 

How to decrypt IPSec Packets (ISAKMP and ESP) - Wireshark

 

Obtaining decryption materials for ESP protocol

ESP is used to encrypt and authenticate data packets. We pinged from Site2 to Site1 (2.2.2.2 → 1.1.1.1) to create some traffic between IPsec peers. That traffic will be decrypted with correct IPsec key materials.

Step-1: Unlike ISAKMP ICOOKIE and encryption key, the keys used for ESP tunnel are not stored in the charon.log file. We will obtain that information with applying “ip xfrm state” command as below. SPI, authentication and encryption keys are different for each direction.

┌──(root💀kali)-[/home/kali]
└─# ip xfrm state
src 192.168.20.1 dst 192.168.20.2
        proto esp spi 0x37f519a9 reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha256) 0x15bb2bc4d1e08c3d65283550c7d9da1cd64ad99ff6e7110a84e6fb514391e3bd 128
        enc cbc(aes) 0x65f67f38e75083c40995f34a09dc2dbbb882600ee70d4e1b8526527d805a44d4
        anti-replay context: seq 0x0, oseq 0x4, bitmap 0x00000000
src 192.168.20.2 dst 192.168.20.1
        proto esp spi 0xc9eb5901 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha256) 0x29e423a1091f4a32f04b7e93a0fc7737b1f62564b3c62a932a389f7c9215f57d 128
        enc cbc(aes) 0xae8aa15b6d514931a3db6a8a9354d2bb6c8b3e9ea1fbce813ca0276adab9888f
        anti-replay context: seq 0x4, oseq 0x0, bitmap 0x0000000f

 

Step-2: Open Edit → Preferences → Protocols → ESP menu like below. After filling the menu correctly, Wireshark will decrypt the ESP payload in clear text.

How to decrypt IPSec Packets (ISAKMP and ESP) - Wireshark

 

Step-3: After feeding Wireshark with correct decryption materials, it deciphers and shows the actual data in clear text. Following screenshots show before and after decryption.

How to decrypt IPSec Packets (ISAKMP and ESP) - Wireshark

How to decrypt IPSec Packets (ISAKMP and ESP) - Wireshark

 

Final thoughts

Troubleshooting IPsec issues is not easy. Beside debugging, decrypting ISAKMP and ESP can help to identify and fix the issues.

 

References

https://www.blackhole-networks.com/IKE_Modes/ikev1-quick.html
https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SitetoSiteVPN_AdminGuide/Topics-VPNSG/IPsec-and-IKE.htm?TocPath=IPsec%20and%20IKE%7C_____0
https://support.sophos.com/support/s/article/KB-000034339?language=en_US
https://www.xinux.net/index.php/Strongswan_loglevel
https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets/

 

Celal Dogan

Celal Dogan

He is proficient in System Administration, Python, Computer Network, Network Engineering, PHP, Web Testing, Penetration Testing, Wireshark, RADIUS, Cisco Router, TCP/IP, Kali Linux, OSPF, NPS, and Multiprotocol BGP. You can connect with him on his LinkedIn Profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

Leave a Comment