[Openswan Users] Decrypt ESP packets with wireshark for tunnel mode (Openswan)

Kevin Wilson wkevils at gmail.com
Sat Nov 13 03:00:01 EST 2010


Hi,
 I want to verify one point - and it could be that I am wrong at it:
tcpdump -E will **not** decrypt ESP when using netkey (built-in kernel
IPsec). This will work only with klips.

Am I right about it?
This is what I understand from http://seclists.org/tcpdump/2009/q1/87.

Rgs,
Kevin



On Fri, Nov 12, 2010 at 8:54 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Fri, 12 Nov 2010, Kevin Wilson wrote:
>
>> Thanks a lot for your answer. I will try it.
>> I have a question and I hope it will not sound too silly as
>> I do not have a lot of experience with openswan and ipsec.
>> I see in that wiki page of wireshark that rules were added with
>> spadadd. AFAIK, to add such rules, you need to create a file (myRules)
>> and run setkey -f myRules.
>
>> My question is: does openswan work in conjunction
>> with setkey ? is adding rules with setkey in such a way
>> when working with Openswan is the only way ? or is there an alternative?
>
> Not *really*
> What you are doing there is using "manual keying" without an IKE daemon. The
> IKE daemon creates session keys and all, so it will be harder. Somewhere in
> the openswan /testing/ directory there should be tests that show how to use
> hardcoded crypto keys and tcpdump.
>
> Another good person to ask about this would be Michael Richardson,
> as he wrote the tcpdump-openswan integration code for this.
>
> Paul
>
>> Rgs,
>> Kevin
>>
>> On Fri, Nov 12, 2010 at 3:12 PM, Willie Gillespie
>> <wgillespie+openswan at es2eng.com> wrote:
>>>
>>> Have you looked over this page?
>>> <http://wiki.wireshark.org/ESP_Preferences>
>>>
>>> They give a few examples.  You might as well leave the tunnel encrypted
>>> and just give Wireshark whatever it needs to properly decrypt things.
>>>
>>> Kevin Wilson wrote:
>>>>
>>>> Hello,
>>>> I want to be able to decrypt ESP packets which are sent with openswan
>>>> IPsec client in tunnel mode with wireshark.
>>>> In wireshark, we have under Edit->Preferences->Protocols
>>>> the following fields:
>>>>
>>>>  Attempt to detect/decode encrypted ESP payloads
>>>> Encryption Algorithm #1
>>>>
>>>> where you can choose from the following list:
>>>>        "NULL",
>>>>        "TripleDES-CBC [RFC2451]",
>>>>        "AES-CBC [RFC3602]",
>>>>        "AES-CTR [RFC3686]",
>>>>        "DES-CBC [RFC2405]",
>>>>        "CAST5-CBC [RFC2144]",
>>>>        "BLOWFISH-CBC [RFC2451]",
>>>>        "TWOFISH-CBC",
>>>>
>>>> Encryption Algorithm #2. (with same options)
>>>>
>>>> SA#1
>>>> SA#2
>>>> Encryption key #1
>>>> Encryption key #2
>>>>          (and some more fields)
>>>>
>>>> What should I add in /etc/ipsec.conf so that I can use wireshark to
>>>> sniff traffic? I tried some entries (like ike=null, phase2alg=null), but
>>>> the ESP packet is still shown as decrypted in the sniffer. I do know of
>>>> course the keys on both sides (these are preshared keys).
>>>> It would be helpful if anybody who tried sniffing and decrypting ESP
>>>> packets could comment or give some info about it.
>>>>
>>>>
>>>> Rgs,
>>>> Kevin
>>>> _______________________________________________
>>>> Users at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/users
>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>


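The thread turns on one point: Wireshark's ESP dissector needs the per-SA parameters (source, destination, SPI, algorithms and keys), and when an IKE daemon negotiates the SA those keys exist only inside the kernel and the daemon, so a sniffer cannot recover them from the wire. The example below is added here and is not code from the thread, from Openswan or from Wireshark. It builds and parses an ESP packet with the NULL cipher (RFC 2410, one of the choices in the preference list quoted above) and HMAC-SHA-1-96 integrity (RFC 2404), verifies the ICV, strips the trailer, and renders the values the Wireshark preferences ask for. The 20-byte key and the inner payload are constructed; the "IPv4|src|dst|spi" SA string and the authentication field names are assumptions about the preference layout, not taken from the page.

```python
"""ESP with NULL encryption (RFC 2410) and HMAC-SHA-1-96 (RFC 2404):
build, verify and strip a packet, then list what Wireshark's ESP
preferences need.  Key and payload below are constructed for the example."""
import hmac
import hashlib
import struct
from dataclasses import dataclass

ICV_LEN = 12                      # HMAC-SHA-1-96 keeps the first 96 bits of the tag
ESP_HDR = struct.Struct("!II")    # SPI and sequence number (RFC 4303 section 2)

# Constructed sample values (not from any real tunnel).
DEMO_AUTH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
DEMO_INNER = b"constructed inner IP packet"
DEMO_SPI = 0x1000ABCD
IPPROTO_IPIP = 4                  # next header for a tunnel-mode inner IPv4 packet


@dataclass
class EspPacket:
    spi: int
    seq: int
    next_header: int              # IP protocol number of the inner payload
    payload: bytes                # inner packet, padding and trailer removed
    icv_ok: bool                  # False when the key is wrong or data was altered


def build_esp_null(spi: int, seq: int, inner: bytes, next_header: int,
                   auth_key: bytes) -> bytes:
    """Encapsulate `inner` as ESP: header | payload | padding | pad_len | next_hdr | ICV."""
    # NULL cipher has block size 1, but the two trailer bytes must end on a
    # 4-byte boundary (RFC 4303 section 2.4), so pad to make that true.
    pad_len = (-(len(inner) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # default monotonic padding
    body = ESP_HDR.pack(spi, seq) + inner + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def parse_esp_null(packet: bytes, auth_key: bytes) -> EspPacket:
    """Verify the ICV and strip ESP framing.  Raises ValueError on malformed input."""
    if len(packet) < ESP_HDR.size + 2 + ICV_LEN:
        raise ValueError("packet too short for ESP header, trailer and ICV")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    icv_ok = hmac.compare_digest(icv, expected)     # constant-time comparison
    spi, seq = ESP_HDR.unpack_from(body)
    pad_len, next_header = body[-2], body[-1]
    inner_end = len(body) - 2 - pad_len
    if inner_end < ESP_HDR.size:
        raise ValueError("pad length exceeds payload")
    return EspPacket(spi, seq, next_header, body[ESP_HDR.size:inner_end], icv_ok)


def wireshark_esp_prefs(src: str, dst: str, spi: int, auth_key: bytes) -> dict:
    """Values for the ESP preference fields named in the thread.  The SA string
    layout and the authentication field names are assumptions for this example."""
    return {
        "SA#1": f"IPv4|{src}|{dst}|0x{spi:08x}",
        "Encryption Algorithm #1": "NULL",
        "Encryption key #1": "",
        "Authentication Algorithm #1": "HMAC-SHA-1-96 [RFC2404]",
        "Authentication key #1": "0x" + auth_key.hex(),
    }


def demo() -> tuple:
    """Round-trip the constructed packet with the right key and with a wrong key."""
    pkt = build_esp_null(DEMO_SPI, 7, DEMO_INNER, IPPROTO_IPIP, DEMO_AUTH_KEY)
    good = parse_esp_null(pkt, DEMO_AUTH_KEY)
    wrong = parse_esp_null(pkt, b"\x00" * len(DEMO_AUTH_KEY))
    return pkt, good, wrong


if __name__ == "__main__":
    _, good, wrong = demo()
    print(f"SPI 0x{good.spi:08x} seq {good.seq} icv_ok={good.icv_ok} "
          f"next_header={good.next_header} payload={good.payload!r}")
    print(f"same packet, wrong key: icv_ok={wrong.icv_ok}")
    print(wireshark_esp_prefs("192.0.2.1", "192.0.2.2", good.spi, DEMO_AUTH_KEY))
```

Run as written, `demo()` shows that the SPI and sequence number are readable by anyone on the path, while the integrity check only passes with the SA's key; with a real cipher the payload itself would be opaque too, which is exactly the gap the Wireshark preferences or a manually keyed (setkey-style) SA fill in.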