[Openswan Users] Decrypt ESP packets with wireshark for tunnel mode (Openswan)

Kevin Wilson wkevils at gmail.com
Fri Nov 12 07:14:58 EST 2010

I want to be able to decrypt ESP packets which are sent with openswan IPsec
client in tunnel mode with wireshark.
In wireshark, we have under Edit->Preferences->Protocols
the following fields:
 Attempt to detect/decode encrypted ESP payloads
Encryption Algorithm #1

where you can choose from the following list:
	"TripleDES-CBC [RFC2451]",
	"AES-CBC [RFC3602]",
	"AES-CTR [RFC3686]",
	"DES-CBC [RFC2405]",
	"CAST5-CBC [RFC2144]",

Encryption Algorithm #2. (with same options)

Encryption key #1
Encryption key #2
	  (and some more fields)
What should I add in /etc/ipsec.conf so that I can use wireshark to sniff
traffic ? I tried some entries  (like ike=null, phase2alg=null), but the
ESP packet is still showed as decrypted in the sniffer. I do know of course
the keys on both sides (these are preshared keys).
It would be helpful if anybody which tried sniffing and decrypting ESP packets
could comment or give some info about it.

More information about the Users mailing list