How to decrypt ESP traffic (the encrypted traffic that flows across an established VPN):
- The traffic flowing across a site-to-site, route-based VPN between two SRX devices will be decrypted.
- For decryption, ike traceoptions must be enabled with level 8 and the ike flag.
- The traceoptions output is used to collect the Authentication and Encryption keys, along with the SPI values, which are easily obtained from the CLI.
- These values are then entered into Wireshark to decrypt the traffic.
Configuration:
Configure a simple site to site route based VPN:
[edit]
root@210-hm-4# show security ike
traceoptions {
    file iketrace size 10m files 10 world-readable;
    flag all;
    level 15;
}
proposal ikep {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy ikep {
    mode main;
    proposals ikep;
    pre-shared-key ascii-text "$9$LYn7dwoJDmfzYgfz36u0LxNdYgaZUH.P"; ## SECRET-DATA
}
gateway ikeg {
    ike-policy ikep;
    address 192.168.59.2;
    dead-peer-detection {
        interval 10;
        threshold 5;
    }
    external-interface fe-0/0/3.0;
}

[edit]
root@210-hm-4# show security ipsec | no-more
proposal ipsecp {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
}
policy ipsecp {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsecp;
}
vpn vpn1 {
    bind-interface st0.5;
    ike {
        gateway ikeg;
        proxy-identity {
            local 192.168.61.0/24;
            remote 192.168.60.0/24;
            service any;
        }
        ipsec-policy ipsecp;
    }
    establish-tunnels immediately;
}
As shown in the configuration above, make sure traceoptions are enabled with level 8 and the ike flag, because they are required to collect the keying material needed to decrypt ESP traffic. Verify that the VPN is up by checking the status of the IPsec security associations, as shown below:
[edit]
root@210-hm-4# run show security ipsec security-associations
  Total active tunnels: 1
  ID       Gateway        Port  Algorithm      SPI       Life:sec/kb   Mon  vsys
  <131073  192.168.59.2   500   ESP:3des/sha1  9557eff6  1456/ unlim   -    root
  >131073  192.168.59.2   500   ESP:3des/sha1  d6c91cfb  1456/ unlim   -    root
Make a note of both SPI values (9557eff6 for the inbound SA, marked "<", and d6c91cfb for the outbound SA, marked ">"), as they are required for decryption later.
Now check the ike traceoptions log:
[edit]
root@210-hm-4# run show log iketrace | match key.out
Aug 9 23:51:22 192.168.59.1:500 (Initiator) <-> 192.168.59.2:500 { e1f7608d b3e95b36 - e1c2681d 82066422 [0] / 0x400151c2 } QM; key.out[44] = 0x702d4807 8c72abfe c6ef137e 36da5fa6 2624a281 bdecb858 a3f8694c 181555d5 5b7dae56 0fb1977f 3b6c95ea
Aug 9 23:51:22 192.168.59.1:500 (Initiator) <-> 192.168.59.2:500 { e1f7608d b3e95b36 - e1c2681d 82066422 [0] / 0x400151c2 } QM; key.out[44] = 0x782d6551 d73da689 3352ea01 b49b8bea 07259a36 e26eebd9 3cd7c226 996f93d7 b8712cf1 2064990b 36acfa43
There is one key.out line per direction, that is, one for inbound and one for outbound traffic. Each line contains both the Encryption key and the Authentication key, concatenated. Here 3DES-CBC is used, so the encryption key is 192 bits (the first 48 hexadecimal characters) and the remaining portion is the authentication key. As a sanity check, key.out[44] means 44 bytes of keying material, which is exactly the 24-byte 3DES key followed by the 20-byte HMAC-SHA1 key.
In this case, taking the second key.out line, the keys are:
- Encryption Key: 0x782d6551d73da6893352ea01b49b8bea07259a36e26eebd9
- Authentication Key: 0x3cd7c226996f93d7b8712cf12064990b36acfa43
The 0x prefix is kept on the keys, because Wireshark (1.0.8rc2) requires the keys used for ESP decryption to be entered in that format. Now pass some traffic across the VPN and take a packet capture.
Open the packet capture in Wireshark and go to Edit > Preferences > Protocols > ESP:
- Select the Attempt to decode/encode encrypted ESP payloads check box.
- Click Edit.
- Click New.
- Create two SAs; one in the inbound direction and one in the outbound direction, with the previously collected details.
In this case, type the following data:
- Outbound traffic: 192.168.59.1 -> 192.168.59.2
    - Encryption Key: 0x782d6551d73da6893352ea01b49b8bea07259a36e26eebd9
    - Authentication Key: 0x3cd7c226996f93d7b8712cf12064990b36acfa43
    - SPI: 0xd6c91cfb
- Inbound traffic: 192.168.59.2 -> 192.168.59.1
    - Encryption Key: 0x702d48078c72abfec6ef137e36da5fa62624a281bdecb858
    - Authentication Key: 0xa3f8694c181555d55b7dae560fb1977f3b6c95ea
    - SPI: 0x9557eff6
Apply the changes, and you should now see the decrypted ESP payloads.
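Splitting each key.out blob into its encryption and authentication halves by hand, and then pairing the halves with the right SPI and direction, is where mistakes usually happen. The script below is an added example (not part of this article and not Juniper tooling) that automates the two steps described above: it parses the key.out lines from the iketrace log, checks the declared byte count against the hex actually present, splits the keying material according to the proposal's algorithms, and returns one record per SA with the src/dst, SPI and 0x-prefixed keys ready to be typed into Wireshark's ESP SA table. The sample log text is the article's own two key.out lines embedded inline; the key-size table for the other AES and HMAC algorithm names, and the assumption that the first key.out line belongs to the inbound SA and the second to the outbound SA (as the article pairs them), are the script's own and should be confirmed from the "show security ipsec security-associations" output.

```python
import re

# Constructed sample input: the two key.out lines from the iketrace output
# shown earlier in the article, embedded here so the script runs offline.
SAMPLE_LOG = """\
Aug 9 23:51:22 192.168.59.1:500 (Initiator) <-> 192.168.59.2:500 { e1f7608d b3e95b36 - e1c2681d 82066422 [0] / 0x400151c2 } QM; key.out[44] = 0x702d4807 8c72abfe c6ef137e 36da5fa6 2624a281 bdecb858 a3f8694c 181555d5 5b7dae56 0fb1977f 3b6c95ea
Aug 9 23:51:22 192.168.59.1:500 (Initiator) <-> 192.168.59.2:500 { e1f7608d b3e95b36 - e1c2681d 82066422 [0] / 0x400151c2 } QM; key.out[44] = 0x782d6551 d73da689 3352ea01 b49b8bea 07259a36 e26eebd9 3cd7c226 996f93d7 b8712cf1 2064990b 36acfa43
"""

# Key sizes in bytes for algorithm names an SRX IPsec proposal can use
# (3des-cbc / hmac-sha1-96 are the ones the article uses; the others are
# this script's own table, not taken from the article).
ENC_KEY_BYTES = {
    "3des-cbc": 24,
    "aes-128-cbc": 16,
    "aes-192-cbc": 24,
    "aes-256-cbc": 32,
}
AUTH_KEY_BYTES = {
    "hmac-md5-96": 16,
    "hmac-sha1-96": 20,
    "hmac-sha-256-128": 32,
}

KEY_OUT_RE = re.compile(r"key\.out\[(\d+)\]\s*=\s*0x([0-9a-fA-F\s]+)$")


def parse_key_out(log_text):
    """Return the keying material (lowercase hex, no 0x) of every key.out
    line, in the order the lines appear. The byte count declared in
    key.out[N] is checked against the hex digits actually present."""
    keymat = []
    for line in log_text.splitlines():
        m = KEY_OUT_RE.search(line.strip())
        if not m:
            continue
        declared = int(m.group(1))
        hexstr = re.sub(r"\s+", "", m.group(2)).lower()
        if len(hexstr) != declared * 2:
            raise ValueError(f"key.out[{declared}] but {len(hexstr) // 2} bytes found")
        keymat.append(hexstr)
    return keymat


def split_keymat(hexstr, enc_alg, auth_alg):
    """Split one key.out blob into (encryption key, authentication key),
    both 0x-prefixed as Wireshark expects. The cipher key comes first and
    its length is fixed by the cipher; everything after it is the HMAC key."""
    enc_hex = ENC_KEY_BYTES[enc_alg] * 2
    auth_hex = AUTH_KEY_BYTES[auth_alg] * 2
    if len(hexstr) != enc_hex + auth_hex:
        raise ValueError(
            f"{len(hexstr) // 2} bytes of keymat does not match "
            f"{enc_alg} ({ENC_KEY_BYTES[enc_alg]} B) + {auth_alg} ({AUTH_KEY_BYTES[auth_alg]} B)")
    return "0x" + hexstr[:enc_hex], "0x" + hexstr[enc_hex:]


def build_esp_sas(log_text, enc_alg, auth_alg, directions):
    """directions: list of (src, dst, spi) tuples, one per key.out line, in
    the same order as the lines. Assumption (as in the article): the first
    key.out line is the inbound SA ('<' in the SA output) and the second is
    the outbound SA ('>'). Confirm this from the SA output before relying on it."""
    keymat = parse_key_out(log_text)
    if len(keymat) != len(directions):
        raise ValueError(f"{len(keymat)} key.out lines but {len(directions)} SAs given")
    sas = []
    for hexstr, (src, dst, spi) in zip(keymat, directions):
        enc_key, auth_key = split_keymat(hexstr, enc_alg, auth_alg)
        spi = spi.lower()
        if spi.startswith("0x"):
            spi = spi[2:]
        sas.append({"src": src, "dst": dst, "spi": "0x" + spi,
                    "enc_key": enc_key, "auth_key": auth_key})
    return sas


if __name__ == "__main__":
    # SPIs from the article's 'show security ipsec security-associations'
    # output: 9557eff6 is the inbound SA (<), d6c91cfb the outbound SA (>).
    sas = build_esp_sas(SAMPLE_LOG, "3des-cbc", "hmac-sha1-96", [
        ("192.168.59.2", "192.168.59.1", "9557eff6"),   # inbound
        ("192.168.59.1", "192.168.59.2", "d6c91cfb"),   # outbound
    ])
    for sa in sas:
        print(f"{sa['src']} -> {sa['dst']}  SPI {sa['spi']}")
        print(f"  Encryption Key:     {sa['enc_key']}")
        print(f"  Authentication Key: {sa['auth_key']}")
```

Feed it the output of "show log iketrace | match key.out" and the SPIs from the SA table, and the four values it prints for each direction are exactly the Encryption Key, Authentication Key and SPI fields entered in the Wireshark ESP preferences above. The length check matters: if a proposal is later changed to AES-256, the key.out byte count changes and the hard-coded "first 48 hex characters" rule no longer applies, which the script refuses rather than silently producing wrong keys.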
You can download the packet capture taken for the above example and try decoding the ESP traffic yourself using the information above.
NOTE:
Running ike traceoptions with flag all and level 15 is very likely to cause high control plane CPU utilization. Take due care when the device has multiple VPN peers.