[Openswan Users] Decrypt ESP packets with wireshark for tunnel mode (Openswan)

Kevin Wilson wkevils at gmail.com
Fri Nov 12 12:51:13 EST 2010


Hi,
Thanks a lot for your answer. I will try it.
I have a question and I hope it will not sound too silly as
I do not have a lot of experience with openswan and ipsec.
I see in that wiki page of wireshark that rules were added with
spdadd. AFAIK, to add such rules, you need to create a file (myRules)
and run setkey -f myRules.

My question is: does openswan work in conjunction
with setkey? Is adding rules with setkey in such a way
the only way when working with Openswan, or is there an alternative?

Rgs,
Kevin

On Fri, Nov 12, 2010 at 3:12 PM, Willie Gillespie
<wgillespie+openswan at es2eng.com> wrote:
> Have you looked over this page?
> <http://wiki.wireshark.org/ESP_Preferences>
>
> They give a few examples.  You might as well leave the tunnel encrypted and
> just give Wireshark whatever it needs to properly decrypt things.
>
> Kevin Wilson wrote:
>>
>> Hello,
>> I want to be able to decrypt ESP packets which are sent with openswan
>> IPsec client in tunnel mode with wireshark.
>> In wireshark, we have under Edit->Preferences->Protocols
>> the following fields:
>>
>> Attempt to detect/decode encrypted ESP payloads
>> Encryption Algorithm #1
>>
>> where you can choose from the following list:
>>        "NULL",
>>        "TripleDES-CBC [RFC2451]",
>>        "AES-CBC [RFC3602]",
>>        "AES-CTR [RFC3686]",
>>        "DES-CBC [RFC2405]",
>>        "CAST5-CBC [RFC2144]",
>>        "BLOWFISH-CBC [RFC2451]",
>>        "TWOFISH-CBC",
>>
>> Encryption Algorithm #2. (with same options)
>>
>> SA#1
>> SA#2
>> Encryption key #1
>> Encryption key #2
>>          (and some more fields)
>>
>> What should I add in /etc/ipsec.conf so that I can use wireshark to sniff
>> traffic? I tried some entries (like ike=null, phase2alg=null), but the
>> ESP packet is still shown as decrypted in the sniffer. I do know of course
>> the keys on both sides (these are preshared keys).
>> It would be helpful if anybody who tried sniffing and decrypting ESP
>> packets could comment or give some info about it.
>>
>>
>> Rgs,
>> Kevin
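As an added example (not code from this thread or from Openswan): the fields Wireshark asks for in the ESP preferences are, per direction, the endpoints, the SPI and the keys. The SPI is the first 32 bits of the ESP header, so it can be read straight out of a capture; the snippet below parses it from a constructed IPv4/ESP packet and formats an entry in the shape of Wireshark's esp_sa table. The sample packet, the keys and the exact column layout of that table are assumptions to check against the Wireshark version in use.

```python
import ipaddress
import struct
from dataclasses import dataclass

ESP_PROTO = 50  # IP protocol number for ESP (RFC 4303)


def build_sample_packet() -> bytes:
    """Constructed IPv4 packet carrying ESP; SPI, seq and payload are made up."""
    src = ipaddress.IPv4Address("10.0.0.1").packed
    dst = ipaddress.IPv4Address("10.0.0.2").packed
    # ESP header: SPI (32 bit), sequence number (32 bit), then opaque ciphertext.
    esp = struct.pack("!II", 0x0000C0DE, 1) + b"\x00" * 32
    # Minimal IPv4 header: version/IHL, TOS, total length, id, flags/frag,
    # TTL, protocol, checksum (left 0 for the example), src, dst.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(esp), 0, 0, 64,
                     ESP_PROTO, 0, src, dst)
    return ip + esp


@dataclass
class EspSa:
    src: str
    dst: str
    spi: int


def parse_esp(packet: bytes) -> EspSa:
    """Extract src, dst and SPI from an IPv4 packet whose payload is ESP."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    if proto != ESP_PROTO:
        raise ValueError(f"not ESP: IP protocol {proto}")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    (spi,) = struct.unpack("!I", packet[ihl:ihl + 4])
    return EspSa(src, dst, spi)


def esp_sa_line(sa: EspSa, enc_alg: str, enc_key_hex: str,
                auth_alg: str, auth_key_hex: str) -> str:
    """One row for Wireshark's esp_sa table (column order is an assumption).

    Each direction of the tunnel has its own SPI, so a tunnel needs two rows
    (SA#1 / SA#2 in the dialog the thread describes)."""
    fields = ["IPv4", sa.src, sa.dst, f"0x{sa.spi:08x}",
              enc_alg, enc_key_hex, auth_alg, auth_key_hex]
    return ",".join(f'"{f}"' for f in fields)
```

Algorithm names must match the strings offered in the ESP preferences dialog (e.g. "AES-CBC [RFC3602]"), and the key hex must be the raw key negotiated for that SA, not the preshared secret used by IKE.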