[Openswan Users] Extracting IKE key to decode with Wireshark
david goldfarb
dwgoldfarb at yahoo.com
Wed Feb 5 13:17:47 EST 2014
Hi,
I am trying to decode an OpenSwan IKE exchange using Wireshark. I can decode the ESP packets just fine, but I am having trouble getting the IKE encryption keys out of the Pluto Debug output.
OpenSwan is running as an initiator on a Redhat Enterprise 5.10 server, using the RedHat provided RPM package which is compiled with NSS support enabled.
Per this info:
http://ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets
I should be able to enable plutodebug=crypt and see the "enc key" in the pluto debug output (--debug-crypt option on pluto). But the pluto debug output only has this:
| NSS: Started key computation
| NSS: enc keysize=24
| NSS: Freed 25-39 symkeys
| NSS: copied skeyid_d_chunk
| NSS: copied skeyid_a_chunk
| NSS: copied skeyid_e_chunk
| NSS: copied enc_key_chunk
| NSS: Freed symkeys 1-23
| NSS: Freed padding chunks
Frustrated, I looked in the pluto source code and it appears that the "enc key" output is only written to the log if LIBNSS is not configured:
#ifndef HAVE_LIBNSS
.
.
.
DBG(DBG_CRYPT,
DBG_dump_chunk("Skeyid: ", *skeyid_chunk);
DBG_dump_chunk("Skeyid_d:", *skeyid_d_chunk);
DBG_dump_chunk("Skeyid_a:", *skeyid_a_chunk);
DBG_dump_chunk("Skeyid_e:", *skeyid_e_chunk);
DBG_dump_chunk("enc key:", *enc_key_chunk);
DBG_dump_chunk("IV:", *new_iv));
#endif
Does anybody know how to get the "enc key" data to enter into the Wireshark ISAKMP Preferences IKEv1 settings? Is there a command to extract it from libNSS? I did a bunch of Googling but didn't find anything useful.
I could probably recompile without LIBNSS, or try to put the dump software outside the HAVE_LIBNSS block, but it would be nice to know if there is a better way.
Thanks!
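Added example (not from the post or from Openswan): a small Python script that pulls the "enc key:" bytes out of a non-NSS pluto debug log, checks them against the logged keysize, and emits the "<initiator cookie>","<key>" line Wireshark stores in its ikev1_decryption_table. The log layout (label line, hex byte pairs, label repeated on continuation rows) and the sample values are assumptions; the initiator cookie must be read from the capture, not the log.

```python
import re

# Constructed sample of plutodebug=crypt output from a non-NSS build, in the
# DBG_dump_chunk layout assumed here. Key and IV bytes are made up.
SAMPLE_LOG = """\
| NSS: enc keysize=24
| enc key:  01 02 03 04  05 06 07 08  09 0a 0b 0c  0d 0e 0f 10
| enc key:  11 12 13 14  15 16 17 18
| IV:  aa bb cc dd  ee ff 00 11
"""

HEX_RUN = re.compile(r"^(?:\s*[0-9a-f]{2})+\s*$", re.IGNORECASE)

def extract_chunk(log_text, label):
    """Collect the bytes DBG_dump_chunk logged under `label` (e.g. 'enc key:').
    Accepts rows that repeat the label and bare hex continuation rows."""
    out = bytearray()
    in_chunk = False
    for raw in log_text.splitlines():
        line = raw.lstrip("| ").rstrip()
        if line.startswith(label):          # label includes the colon, so
            in_chunk = True                  # 'Skeyid:' never matches 'Skeyid_d:'
            tail = line[len(label):]
        elif in_chunk and HEX_RUN.match(line):
            tail = line
        else:
            in_chunk = False
            continue
        out.extend(bytes.fromhex(tail.replace(" ", "")))
    return bytes(out) if out else None

def logged_keysize(log_text):
    """Key length in bytes as pluto reports it ('enc keysize=24'), or None."""
    m = re.search(r"enc keysize=(\d+)", log_text)
    return int(m.group(1)) if m else None

def wireshark_ikev1_entry(log_text, initiator_cookie_hex):
    """One ikev1_decryption_table line: "<initiator cookie hex>","<key hex>".
    Refuses a key whose length disagrees with the keysize pluto logged."""
    key = extract_chunk(log_text, "enc key:")
    if key is None:
        raise ValueError("no 'enc key:' dump in log (NSS build?)")
    size = logged_keysize(log_text)
    if size is not None and len(key) != size:
        raise ValueError(f"enc key is {len(key)} bytes, log says {size}")
    cookie = bytes.fromhex(initiator_cookie_hex)
    if len(cookie) != 8:
        raise ValueError("initiator cookie must be 8 bytes")
    return f'"{cookie.hex()}","{key.hex()}"'

if __name__ == "__main__":
    # cookie value constructed for the demo; take yours from the ISAKMP header
    print(wireshark_ikev1_entry(SAMPLE_LOG, "0011223344556677"))
```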