[Openswan Users] Decrypt ESP packets with wireshark for tunnel mode (Openswan)

Paul Wouters paul at xelerance.com
Fri Nov 12 13:54:32 EST 2010


On Fri, 12 Nov 2010, Kevin Wilson wrote:

> Thanks a lot for your answer. I will try it.
> I have a question and I hope it will not sound too silly as
> I do not have a lot of experience with openswan and ipsec.
> I see in that wiki page of wireshark that rules were added with
> spdadd. AFAIK, to add such rules, you need to create a file (myRules)
> and run setkey -f myRules.

> My question is: does openswan work in conjunction
> with setkey? Is adding rules with setkey in such a way
> the only way when working with Openswan, or is there an alternative?

Not *really*.
What you are doing there is using "manual keying" without an IKE daemon. The IKE
daemon creates session keys and all, so it will be harder. Somewhere in the openswan
/testing/ directory there should be tests that show how to use hardcoded crypto keys
and tcpdump.

Another good person to ask about this would be Michael Richardson,
as he wrote the tcpdump-openswan integration code for this.

Paul

> Rgs,
> Kevin
>
> On Fri, Nov 12, 2010 at 3:12 PM, Willie Gillespie
> <wgillespie+openswan at es2eng.com> wrote:
>> Have you looked over this page?
>> <http://wiki.wireshark.org/ESP_Preferences>
>>
>> They give a few examples.  You might as well leave the tunnel encrypted and
>> just give Wireshark whatever it needs to properly decrypt things.
>>
>> Kevin Wilson wrote:
>>>
>>> Hello,
>>> I want to be able to decrypt ESP packets which are sent with openswan
>>> IPsec
>>> client in tunnel mode with wireshark.
>>> In wireshark, we have under Edit->Preferences->Protocols
>>> the following fields:
>>>
>>>  Attempt to detect/decode encrypted ESP payloads
>>> Encryption Algorithm #1
>>>
>>> where you can choose from the following list:
>>>        "NULL",
>>>        "TripleDES-CBC [RFC2451]",
>>>        "AES-CBC [RFC3602]",
>>>        "AES-CTR [RFC3686]",
>>>        "DES-CBC [RFC2405]",
>>>        "CAST5-CBC [RFC2144]",
>>>        "BLOWFISH-CBC [RFC2451]",
>>>        "TWOFISH-CBC",
>>>
>>> Encryption Algorithm #2. (with same options)
>>>
>>> SA#1
>>> SA#2
>>> Encryption key #1
>>> Encryption key #2
>>>          (and some more fields)
>>>
>>> What should I add in /etc/ipsec.conf so that I can use wireshark to sniff
>>> traffic? I tried some entries (like ike=null, phase2alg=null), but the
>>> ESP packet is still shown as decrypted in the sniffer. I do know of
>>> course
>>> the keys on both sides (these are preshared keys).
>>> It would be helpful if anybody who tried sniffing and decrypting ESP
>>> packets
>>> could comment or give some info about it.
>>>
>>>
>>> Rgs,
>>> Kevin
>>> _______________________________________________
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>

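As an added illustration of the "manual keying" setup Paul contrasts with an IKE daemon (this is not from the thread or from Openswan's /testing/ directory), the following setkey file installs one tunnel-mode ESP SA per direction with hardcoded keys. Addresses are from the documentation range and the keys are constructed placeholders; the values a Wireshark user would then copy into the ESP preference fields Kevin listed (SA#1, Encryption Algorithm #1, Encryption key #1) are noted in the comments.

```conf
# manual-esp.conf  --  load with: setkey -f manual-esp.conf
# Constructed lab example: gateways 192.0.2.1 and 192.0.2.2 protect
# 10.0.1.0/24 <-> 10.0.2.0/24 in tunnel mode. No IKE daemon runs, so
# the session keys are exactly the ones written here, which is why
# a sniffer that is given them can decrypt the ESP payload.
flush;
spdflush;

# SA for traffic 192.0.2.1 -> 192.0.2.2, SPI 0x1001.
# Wireshark fields for this direction (values are constructed here):
#   SA#1                    : IPv4, src 192.0.2.1, dst 192.0.2.2, SPI 0x1001
#   Encryption Algorithm #1 : AES-CBC [RFC3602]  (128-bit key = 32 hex digits)
#   Encryption key #1       : 0x00112233445566778899aabbccddeeff
#   Authentication          : HMAC-SHA1 with the -A key below
add 192.0.2.1 192.0.2.2 esp 0x1001 -m tunnel
    -E aes-cbc  0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x0123456789abcdef0123456789abcdef01234567;

# Reverse direction, SPI 0x1002 (fill SA#2 / key #2 the same way).
add 192.0.2.2 192.0.2.1 esp 0x1002 -m tunnel
    -E aes-cbc  0xffeeddccbbaa99887766554433221100
    -A hmac-sha1 0x76543210fedcba9876543210fedcba9876543210;

# Policies selecting which traffic the two SAs protect.
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec
    esp/tunnel/192.0.2.1-192.0.2.2/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in ipsec
    esp/tunnel/192.0.2.2-192.0.2.1/require;
```

With Openswan's IKE daemon in charge instead, the SPIs and keys are negotiated per session, so the equivalent values have to be read out of the live SAD rather than written down in advance, which is the harder case Paul refers to.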
