[Openswan Users] Decrypt ESP packets with wireshark for tunnel mode (Openswan)
wkevils at gmail.com
Sat Nov 13 03:00:01 EST 2010
I want to verify one point - and it could be that I am wrong at it:
tcpdump -E will **not** decrypt ESP when using netkey (built-in kernel
IPsec). This will work only with klips.
Am I right about it?
This is what I understand from http://seclists.org/tcpdump/2009/q1/87.
On Fri, Nov 12, 2010 at 8:54 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Fri, 12 Nov 2010, Kevin Wilson wrote:
>> Thanks a lot for your answer. I will try it.
>> I have a question and I hope it will not sound too silly as
>> I do not have a lot of experience with openswan and ipsec.
>> I see in that wiki page of wireshark that rules were added with
>> spdadd. AFAIK, to add such rules, you need to create a file (myRules)
>> and run setkey -f myRules.
>> My question is: does openswan work in conjunction
>> with setkey? Is adding rules with setkey in such a way
>> the only way when working with Openswan? Or is there an alternative?
> Not *really*.
> What you are doing there is using "manual keying" without an IKE daemon. The
> daemon creates session keys and all, so it will be harder. Somewhere in the
> /testing/ directory there should be tests that show how to use hardcoded
> crypto keys and tcpdump.
> Another good person to ask about this would be Michael Richardson,
> as he wrote the tcpdump-openswan integration code for this.
>> On Fri, Nov 12, 2010 at 3:12 PM, Willie Gillespie
>> <wgillespie+openswan at es2eng.com> wrote:
>>> Have you looked over this page?
>>> They give a few examples. You might as well leave the tunnel encrypted
>>> just give Wireshark whatever it needs to properly decrypt things.
>>> Kevin Wilson wrote:
>>>> I want to be able to decrypt ESP packets which are sent with openswan
>>>> client in tunnel mode with wireshark.
>>>> In wireshark, we have under Edit->Preferences->Protocols
>>>> the following fields:
>>>> Attempt to detect/decode encrypted ESP payloads
>>>> Encryption Algorithm #1
>>>> where you can choose from the following list:
>>>> "TripleDES-CBC [RFC2451]",
>>>> "AES-CBC [RFC3602]",
>>>> "AES-CTR [RFC3686]",
>>>> "DES-CBC [RFC2405]",
>>>> "CAST5-CBC [RFC2144]",
>>>> "BLOWFISH-CBC [RFC2451]",
>>>> Encryption Algorithm #2. (with same options)
>>>> Encryption key #1
>>>> Encryption key #2
>>>> (and some more fields)
>>>> What should I add in /etc/ipsec.conf so that I can use wireshark to
>>>> traffic? I tried some entries (like ike=null, phase2alg=null), but the
>>>> ESP packet is still shown as decrypted in the sniffer. I do know
>>>> the keys on both sides (these are preshared keys).
>>>> It would be helpful if anybody who tried sniffing and decrypting ESP
>>>> could comment or give some info about it.
>>>> Users at openswan.org
>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
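As an added example (not code from this thread, from Openswan, or from Wireshark), the following Go program shows what a sniffer needs in order to decrypt ESP with a known SA: it builds an ESP packet in tunnel mode with AES-CBC and HMAC-SHA1-96, then decapsulates it using exactly the inputs the Wireshark preferences above ask for (SPI, encryption algorithm, encryption key, plus an authentication key), and rejects the packet when the authentication key is wrong. The SPI, keys, IV and inner packet bytes are constructed placeholders; with IKE the daemon negotiates these values, which is why manual keying with setkey is the easy way to know them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// ESP layout (RFC 4303): SPI(4) | Seq(4) | IV(16 for AES-CBC) | ciphertext | ICV(12 for HMAC-SHA1-96)
// ciphertext = inner packet | padding | padLen(1) | nextHeader(1)
const (
	espHdrLen      = 8
	ivLen          = aes.BlockSize
	icvLen         = 12
	nextHeaderIPv4 = 4 // tunnel mode: the decrypted payload is a whole IPv4 packet
)

// SA holds the per-SPI parameters a sniffer must be given to decrypt ESP.
type SA struct {
	SPI     uint32
	EncKey  []byte // AES-CBC key: 16, 24 or 32 bytes
	AuthKey []byte // HMAC-SHA1 key
}

// encapsulate builds an ESP packet carrying payload (the inner packet) for the given SA.
func encapsulate(sa SA, seq uint32, iv []byte, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, err
	}
	// Pad so that payload+padding+2 trailer bytes is block aligned; padding bytes are 1,2,3,... per RFC 4303.
	padLen := (aes.BlockSize - (len(payload)+2)%aes.BlockSize) % aes.BlockSize
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i))
	}
	plain = append(plain, byte(padLen), nextHeaderIPv4)
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	pkt := make([]byte, espHdrLen, espHdrLen+ivLen+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], sa.SPI)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(pkt, iv...)
	pkt = append(pkt, ct...)
	mac := hmac.New(sha1.New, sa.AuthKey) // ICV covers header, IV and ciphertext
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:icvLen]...), nil
}

// decapsulate does what the sniffer does: look up the SA by SPI, verify the ICV, decrypt, strip the trailer.
func decapsulate(sas map[uint32]SA, pkt []byte) (payload []byte, nextHeader byte, err error) {
	if len(pkt) < espHdrLen+ivLen+aes.BlockSize+icvLen {
		return nil, 0, errors.New("short ESP packet")
	}
	spi := binary.BigEndian.Uint32(pkt[0:4])
	sa, ok := sas[spi]
	if !ok {
		return nil, 0, fmt.Errorf("no SA configured for SPI 0x%08x", spi)
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) {
		return nil, 0, errors.New("ICV mismatch: wrong authentication key or modified packet")
	}
	iv, ct := body[espHdrLen:espHdrLen+ivLen], body[espHdrLen+ivLen:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, 0, errors.New("ciphertext not block aligned")
	}
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, 0, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	nextHeader = plain[len(plain)-1]
	if padLen+2 > len(plain) {
		return nil, 0, errors.New("bad pad length (wrong encryption key?)")
	}
	return plain[:len(plain)-2-padLen], nextHeader, nil
}

func main() {
	// Constructed placeholder SA, IV and inner packet; a real capture supplies the SPI and the SA supplies the keys.
	sa := SA{SPI: 0x12345678, EncKey: []byte("0123456789abcdef"), AuthKey: []byte("constructed-auth-key")}
	pkt, err := encapsulate(sa, 1, []byte("fixed-iv-16bytes"), []byte("inner IPv4 packet (constructed)"))
	if err != nil {
		panic(err)
	}
	payload, nh, err := decapsulate(map[uint32]SA{sa.SPI: sa}, pkt)
	fmt.Printf("next header=%d payload=%q err=%v\n", nh, payload, err)
}
```

The decapsulate step mirrors the sniffer's preferences: without the right encryption key the pad-length check fails or garbage comes out, and without the right authentication key the ICV check fails before any decryption is attempted.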