[Openswan Users] Decrypt ESP packets with wireshark for tunnel mode (Openswan)
Artur Ferreira da Silva
aferreira.mjv at gmail.com
Mon Nov 15 09:12:52 EST 2010
My name is Artur.
Can someone help me with this error?
cannot respond to IPsec SA request because no connection is known for
Nov 12 13:31:37 ip-10-205-22-212 pluto: | complete state transition
Nov 12 13:31:37 ip-10-205-22-212 pluto: "globo" #2: sending encrypted
notification INVALID_ID_INFORMATION to 184.108.40.206:500
Nov 12 13:31:37 ip-10-205-22-212 pluto: | sending 68 bytes for
notification packet through eth0:500 to 220.127.116.11:500 (using #2)
Nov 12 13:31:37 ip-10-205-22-212 pluto: | state transition function
for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION
Nov 12 13:31:37 ip-10-205-22-212 pluto: | * processed 0 messages from
Nov 12 13:31:37 ip-10-205-22-212 pluto: | next event
EVENT_PENDING_DDNS in 20 seconds
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On behalf
of Kevin Wilson
Sent: Friday, November 12, 2010 15:51
To: Willie Gillespie
Cc: Users at openswan.org
Subject: Re: [Openswan Users] Decrypt ESP packets with wireshark for tunnel
Thanks a lot for your answer. I will try it.
I have a question and I hope it will not sound too silly, as
I do not have a lot of experience with openswan and ipsec.
I see in that wiki page of wireshark that rules were added with
spdadd. AFAIK, to add such rules, you need to create a file (myRules)
and run setkey -f myRules.
My question is: does openswan work in conjunction
with setkey? Is adding rules with setkey in such a way
the only way when working with Openswan, or is there an alternative?
On Fri, Nov 12, 2010 at 3:12 PM, Willie Gillespie
<wgillespie+openswan at es2eng.com> wrote:
> Have you looked over this page?
> They give a few examples. You might as well leave the tunnel encrypted
> just give Wireshark whatever it needs to properly decrypt things.
> Kevin Wilson wrote:
>> I want to be able to decrypt ESP packets which are sent with openswan
>> client in tunnel mode with wireshark.
>> In wireshark, we have under Edit->Preferences->Protocols
>> the following fields:
>> Attempt to detect/decode encrypted ESP payloads
>> Encryption Algorithm #1
>> where you can choose from the following list:
>> "TripleDES-CBC [RFC2451]",
>> "AES-CBC [RFC3602]",
>> "AES-CTR [RFC3686]",
>> "DES-CBC [RFC2405]",
>> "CAST5-CBC [RFC2144]",
>> "BLOWFISH-CBC [RFC2451]",
>> Encryption Algorithm #2. (with same options)
>> Encryption key #1
>> Encryption key #2
>> (and some more fields)
>> What should I add in /etc/ipsec.conf so that I can use wireshark to sniff
>> traffic? I tried some entries (like ike=null, phase2alg=null), but the
>> ESP packet is still shown as decrypted in the sniffer. I do know
>> the keys on both sides (these are preshared keys).
>> It would be helpful if anybody who tried sniffing and decrypting ESP
>> could comment or give some info about it.
>> Users at openswan.org
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
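The thread above asks what Wireshark needs in order to decrypt ESP: per SPI, the cipher and its key (and, if the SA is authenticated, the integrity key). The following is an added example, not code from this mailing list or from Openswan or Wireshark, that does the same job in a few dozen lines so the mechanics are visible. It assumes an aes128-sha1 style SA (AES-CBC encryption, HMAC-SHA1-96 integrity), a constructed SPI 0x12345678, constructed keys and IV, and a constructed inner packet standing in for the tunnel-mode inner IPv4 datagram (ESP next header 4). BuildESP produces an RFC 4303 packet the way a sending peer would; DecryptESP does what the sniffer does with the SA table: look up the SPI, verify the ICV, decrypt, strip padding. When the SPI is unknown or the keys are wrong it reports an error instead of emitting garbage, which is the situation in which a sniffer can only show the ciphertext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// SA holds what Wireshark's ESP preferences ask for: the SPI plus the
// encryption and authentication keys of one inbound or outbound SA.
type SA struct {
	SPI     uint32
	EncKey  []byte // AES-CBC key, 16/24/32 bytes
	AuthKey []byte // HMAC-SHA1 key; the ICV is truncated to 96 bits
}

const icvLen = 12 // HMAC-SHA1-96

// BuildESP encrypts plaintext into an RFC 4303 ESP packet under sa:
// SPI | SeqNo | IV | AES-CBC(payload | padding | padlen | nexthdr) | ICV.
func BuildESP(sa SA, seq uint32, iv, plaintext []byte, nextHeader byte) ([]byte, error) {
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, err
	}
	if len(iv) != block.BlockSize() {
		return nil, errors.New("iv must be exactly one AES block")
	}
	// Pad so that payload + padding + 2 trailer bytes fill whole blocks.
	// RFC 4303 default padding is the monotonic sequence 1,2,3,...
	padLen := (block.BlockSize() - (len(plaintext)+2)%block.BlockSize()) % block.BlockSize()
	body := append([]byte{}, plaintext...)
	for i := 1; i <= padLen; i++ {
		body = append(body, byte(i))
	}
	body = append(body, byte(padLen), nextHeader)

	ct := make([]byte, len(body))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, body)

	pkt := make([]byte, 8, 8+len(iv)+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], sa.SPI)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(pkt, iv...)
	pkt = append(pkt, ct...)
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(pkt) // ICV covers SPI, SeqNo, IV and ciphertext
	return append(pkt, mac.Sum(nil)[:icvLen]...), nil
}

// DecryptESP mirrors a sniffer with an SA table: find the SPI, check the ICV,
// decrypt with the IV carried in the packet, then strip the ESP trailer.
func DecryptESP(sas map[uint32]SA, pkt []byte) (nextHeader byte, payload []byte, err error) {
	if len(pkt) < 8+aes.BlockSize+icvLen {
		return 0, nil, errors.New("packet too short for ESP")
	}
	spi := binary.BigEndian.Uint32(pkt[0:4])
	sa, ok := sas[spi]
	if !ok {
		// The sniffer sees SPI and ciphertext but has no key for that SPI.
		return 0, nil, fmt.Errorf("no SA known for SPI 0x%08x", spi)
	}
	authed, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(authed)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) { // constant-time compare
		return 0, nil, errors.New("ICV mismatch: wrong auth key or altered packet")
	}
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return 0, nil, err
	}
	iv := authed[8 : 8+block.BlockSize()]
	ct := authed[8+block.BlockSize():]
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return 0, nil, errors.New("ciphertext is not a whole number of blocks")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	padLen := int(pt[len(pt)-2])
	nextHeader = pt[len(pt)-1]
	if padLen > len(pt)-2 {
		return 0, nil, errors.New("bad pad length: wrong encryption key?")
	}
	// A wrong encryption key decrypts to garbage, which almost never
	// reproduces the 1,2,3,... padding pattern.
	for i := 1; i <= padLen; i++ {
		if pt[len(pt)-2-padLen+i-1] != byte(i) {
			return 0, nil, errors.New("bad padding: wrong encryption key?")
		}
	}
	return nextHeader, pt[:len(pt)-2-padLen], nil
}

func main() {
	// Constructed SA and inner packet; real keys come from the SA you configured.
	sa := SA{SPI: 0x12345678, EncKey: []byte("0123456789abcdef"), AuthKey: []byte("20-byte-hmac-sha1key")}
	inner := []byte("constructed inner IPv4 packet bytes")
	pkt, err := BuildESP(sa, 1, bytes.Repeat([]byte{0x42}, aes.BlockSize), inner, 4)
	if err != nil {
		panic(err)
	}
	fmt.Println("ESP on the wire:", hex.EncodeToString(pkt))
	nh, pl, err := DecryptESP(map[uint32]SA{sa.SPI: sa}, pkt)
	fmt.Printf("with SA:    next header %d, payload %q, err %v\n", nh, pl, err)
	_, _, err = DecryptESP(map[uint32]SA{}, pkt)
	fmt.Println("without SA:", err)
}
```

The SA table is keyed by SPI alone because that is how Wireshark's ESP preferences match packets; in practice you enter one row per direction, since each direction of a tunnel has its own SPI and keys.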