How to decrypt VPN encrypted traffic (ESP traffic for the Auto-IKE VPN tunnel)

How to decrypt ESP traffic, which is the traffic that flows across the VPN once the tunnel is established.

  • The traffic that flows across a site-to-site route-based VPN between two SRX devices will be decrypted.
  • For decryption, ike traceoptions must be enabled with level 8 and the ike flag.
  • The traceoptions output provides the encryption and authentication keys; the SPI values are easily obtained from the CLI (show security ipsec security-associations).
  • These values are then entered into Wireshark to decrypt the traffic.

Configuration:

Configure a simple site to site route based VPN:

As you can see in the above configuration, ensure that traceoptions are enabled with level 8 and the ike flag, as these are required to collect the information needed to decrypt ESP traffic. Verify that the VPN is up by checking the status of the IPsec security associations, as shown below:

Make a note of both SPI values (that is, 9557eff6 and d6c91cfb, one per direction), as they are required for decryption later.

Now, check the ike traceoptions logs:

There is one set of keys for each direction, that is, one for inbound and one for outbound traffic. Also be aware that the above output prints the encryption and authentication keys concatenated as a single hexadecimal string. Here, 3DES-CBC is being used, so the encryption key is 192 bits (the first 48 hexadecimal characters) and the remaining 160 bits (40 hexadecimal characters, the HMAC-SHA-1 key length) are the authentication key.

In this case it is:

  • Encryption Key: 0x782d6551d73da6893352ea01b49b8bea07259a36e26eebd9
  • Authentication Key: 0x3cd7c226996f93d7b8712cf12064990b36acfa43

The 0x prefix is included in the keys because Wireshark (1.0.8rc2) requires the keys used for ESP decryption to be entered in that format. Now pass some traffic across the VPN and take a packet capture.

Open the packet capture in Wireshark and go to Edit > Preferences > Protocols > ESP:

  • Select the Attempt to decode/encode encrypted ESP payloads check box.
  • Click Edit.
  • Click New.
  • Create two SAs, one for the inbound direction and one for the outbound direction, using the previously collected details. The SPI, the encryption key and the authentication key of each SA must all belong to the same direction.

In this case, type the following data:

  • Outbound traffic: 192.168.59.1 –> 192.168.59.2
  • Encryption Key: 0x782d6551d73da6893352ea01b49b8bea07259a36e26eebd9
  • Authentication Key: 0x3cd7c226996f93d7b8712cf12064990b36acfa43
  • SPI: 0xd6c91cfb
  • Inbound traffic: 192.168.59.2 –> 192.168.59.1
  • Encryption Key: 0x702d48078c72abfec6ef137e36da5fa62624a281bdecb858
  • Authentication Key: 0xa3f8694c181555d55b7dae560fb1977f3b6c95ea
  • SPI: 0x9557eff6

Apply all the changes and you should see the decrypted ESP payloads.

You can download the packet capture taken for the above example and try to decode the ESP traffic using the above information.
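To check the keys before reaching for Wireshark, or to see exactly what Wireshark does with the two SA entries above, the following Go program performs the same steps in code: it splits the concatenated keymat printed by ike traceoptions into the 3DES-CBC and HMAC-SHA-1 keys, checks the SPI, verifies the HMAC-SHA-1-96 ICV and decrypts the ESP payload. This is an added example, not code from the article or from Juniper; the outbound keys and SPI are the article's, while the ESP packet it decrypts is constructed inline (buildESP encrypts a made-up inner payload), because the article's capture is not included here. The function names are mine.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// SA holds what one Wireshark ESP SA entry holds for one direction.
type SA struct {
	SPI     uint32
	EncKey  []byte // 3DES-CBC: 24 bytes (192 bits)
	AuthKey []byte // HMAC-SHA-1: 20 bytes (160 bits)
}

const icvLen = 12 // HMAC-SHA-1-96 truncates the 20-byte MAC to 96 bits

// splitKeymat splits the single hex string printed by ike traceoptions into the
// 192-bit 3DES key (first 48 hex chars) and the 160-bit HMAC-SHA-1 key (rest).
func splitKeymat(hexKeymat string) (enc, auth []byte, err error) {
	km, err := hex.DecodeString(strings.TrimPrefix(hexKeymat, "0x"))
	if err != nil {
		return nil, nil, err
	}
	if len(km) != 24+20 {
		return nil, nil, fmt.Errorf("expected 44 bytes of keymat for 3DES+SHA1, got %d", len(km))
	}
	return km[:24], km[24:], nil
}

// decryptESP verifies and decrypts one ESP packet (RFC 4303 layout: SPI, seq,
// IV, ciphertext, ICV) with sa. The sequence number is not checked (no anti-replay).
// It returns the inner packet and the Next Header value from the ESP trailer.
func decryptESP(sa SA, pkt []byte) (payload []byte, nextHdr byte, err error) {
	if len(pkt) < 8+des.BlockSize+des.BlockSize+icvLen {
		return nil, 0, errors.New("packet too short for ESP with 3DES-CBC and SHA-1-96")
	}
	if spi := binary.BigEndian.Uint32(pkt[0:4]); spi != sa.SPI {
		return nil, 0, fmt.Errorf("SPI 0x%08x does not match SA 0x%08x", spi, sa.SPI)
	}
	// The ICV covers everything before it: SPI, sequence number, IV and ciphertext.
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) {
		return nil, 0, errors.New("ICV check failed: wrong authentication key or corrupted packet")
	}
	iv, ct := body[8:8+des.BlockSize], body[8+des.BlockSize:]
	if len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return nil, 0, errors.New("ciphertext is not a whole number of 3DES blocks")
	}
	block, err := des.NewTripleDESCipher(sa.EncKey)
	if err != nil {
		return nil, 0, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// ESP trailer: padding, then Pad Length and Next Header as the last two bytes.
	padLen, nextHdr := int(pt[len(pt)-2]), pt[len(pt)-1]
	if padLen+2 > len(pt) {
		return nil, 0, errors.New("bad pad length after decryption: wrong encryption key?")
	}
	return pt[:len(pt)-2-padLen], nextHdr, nil
}

// buildESP is the inverse of decryptESP and exists only to construct sample
// packets for testing; a real SRX would produce the packet on the wire.
func buildESP(sa SA, seq uint32, iv []byte, nextHdr byte, payload []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(sa.EncKey)
	if err != nil {
		return nil, err
	}
	padLen := (des.BlockSize - (len(payload)+2)%des.BlockSize) % des.BlockSize
	pt := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ { // RFC 4303 default padding: 1, 2, 3, ...
		pt = append(pt, byte(i))
	}
	pt = append(pt, byte(padLen), nextHdr)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint32(hdr[0:], sa.SPI)
	binary.BigEndian.PutUint32(hdr[4:], seq)
	body := append(append(hdr, iv...), ct...)
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(body)
	return append(body, mac.Sum(nil)[:icvLen]...), nil
}

func main() {
	// Outbound (192.168.59.1 -> 192.168.59.2) keymat and SPI from the article.
	enc, auth, err := splitKeymat("0x782d6551d73da6893352ea01b49b8bea07259a36e26eebd93cd7c226996f93d7b8712cf12064990b36acfa43")
	if err != nil {
		panic(err)
	}
	sa := SA{SPI: 0xd6c91cfb, EncKey: enc, AuthKey: auth}
	// Constructed sample packet (not from the article's capture): IV and inner payload are made up.
	pkt, _ := buildESP(sa, 1, []byte{1, 2, 3, 4, 5, 6, 7, 8}, 4, []byte("constructed inner packet"))
	payload, nh, err := decryptESP(sa, pkt)
	fmt.Printf("next header %d, payload %q, err %v\n", nh, payload, err)
}
```

A failed ICV check with a captured packet means the authentication key or the direction is wrong (keys from the other SA were entered); a good ICV but garbage plaintext or an impossible pad length points at the encryption key, which is the same distinction Wireshark makes when a decoded payload still looks like noise.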

NOTE:
Running ike traceoptions at a verbose level (the ike flag at level 8 used here, and especially flag all at level 15) can drive control plane CPU high. With multiple VPN peers, take due care and disable traceoptions once the keys have been collected.

About the author

Prasanna
