[Openswan Users] Decrypt ESP packets with wireshark for tunnel mode (Openswan)

Michael Richardson mcr at sandelman.ca
Fri Nov 12 15:05:29 EST 2010 

>>>>> "Paul" == Paul Wouters <paul at xelerance.com> writes:
    >> Thanks a lot for your answer. I will try it.  I have a question
    >> and I hope it will not sound too silly as I do not have a lot of
    >> experience with openswan and ipsec.  I see in that wiki page of
    >> wireshark that rules were added with spadadd. AFAIK, to add such
    >> rules, you need to create a file (myRules) and run setkey -f
    >> myRules.

    >> My question is: does openswan work in conjunction with setkey ? 
    >> is adding rules with setkey in such a way when working with
    >> Openswan is the only way ? or is there an alternative?

    Paul> Not *reall* What you are doing there is using "manual keying"
    Paul> without an IKE daemon. The IKE daemon creates session keys and
    Paul> all, so it will be harder. Somewhere in the openswan /testing/
    Paul> directory there should be tests that show how to use hardcoded
    Paul> crypto keys and tcpdump.

    Paul> Another good person to ask about this would be Michael
    Paul> Richardson, as he wrote the tcpdump-openswan integration code
    Paul> for this.

All of the test cases which use tcpdump's IPsec ESP code to decrypt the
packets that Openswan creates (whether with KLIPS or netkey), use manual
keying.

It is possible, but dangerous, to turn on sufficient debugging in
openswan's pluto such that the session keys are exposed in the log
files, and these can be used with tcpdump's -E option.

The reasons, btw, for Perfect Forward Secrecy, is so that when such a
thing as the keys are disclosed as above, that the disclosure only
reveals one period of traffic, not all traffic that follows.

-- 
]       He who is tired of Weird Al is tired of life!           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
   Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
	               then sign the petition.

More information about the Users mailing list