
How do I decrypt the encrypted IKEv1 packets on Landslide?

Answer

In the Wireshark preferences (v1.7.2 or later), the ISAKMP protocol has an option for IKEv1 decoding. To use it to decode IKEv1 packets, you need to fill in the Initiator's COOKIE and the Encryption key.

You should be able to run a trace at level 10 and then grep for the following debug information.
For example: 
29972| Tue May  8 22:16:31. 81105| ../src/ipsecTunnelBaseState.cc|  7006|    encryptBlock|     Entry|
29972| Tue May  8 22:16:31. 81108| ../src/ipsecTunnelBaseState.cc|  7014|    encryptBlock|     Debug| Encrypt Key:
29972| Tue May  8 22:16:31. 81110| ../src/ipsecTunnelBaseState.cc|  5772| getEncryptionKeySize|     Entry|
29972| Tue May  8 22:16:31. 81112| ../src/ipsecTunnelBaseState.cc|  5783| getEncryptionKeySize|      Exit|
29972| Tue May  8 22:16:31. 81115| ../src/ipsecTunnelBaseState.cc|  7015|    encryptBlock|     Debug| Dumping 16 bytes:
29972| Tue May  8 22:16:31. 81115| ../src/ipsecTunnelBaseState.cc|  7015|    encryptBlock|     Debug|  1e ec 5e 1f 61 63 2f 79 51 30 e4 57 fc fd 4b 3c
29972| Tue May  8 22:16:31. 81133| ../src/ipsecTunnelBaseState.cc|  7017|    encryptBlock|     Debug| Initialization Vector:
29972| Tue May  8 22:16:31. 81136| ../src/ipsecTunnelBaseState.cc|  7018|    encryptBlock|     Debug| Dumping 8 bytes:
29972| Tue May  8 22:16:31. 81136| ../src/ipsecTunnelBaseState.cc|  7018|    encryptBlock|     Debug|  2e e2 9b cc 25 6f bd 79
 

It will dump out the keys used for encrypting the block.
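The grep step above can be scripted. The following is an added example, not Landslide or Wireshark tooling: it walks the trace, pairs each "Encrypt Key:" or "Initialization Vector:" label with its hex dump, and prints the key as one continuous hex string. The function names and the assumption that the trace keeps the pipe-separated layout of the excerpt are mine.

```shell
# Added example, not Landslide tooling. Assumes the pipe-separated trace layout
# shown in the excerpt: function name in field 5, level in field 6, message in 7.
# Print "<label> <hex>" for every complete dump logged by encryptBlock.
extract_dumps() {
    awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        function reset() { label = ""; want = 0; got = 0; hex = "" }
        # Lines from other functions (e.g. getEncryptionKeySize) are interleaved
        # with the dump, so only encryptBlock Debug lines drive the state machine.
        $5 ~ /encryptBlock/ && $6 ~ /Debug/ {
            msg = trim($7)
            if (msg == "Encrypt Key:")           { reset(); label = "key"; next }
            if (msg == "Initialization Vector:") { reset(); label = "iv";  next }
            if (label != "" && msg ~ /^Dumping [0-9]+ bytes:$/) {
                split(msg, w, " "); want = w[2] + 0; next
            }
            if (want > 0 && msg ~ /^([0-9A-Fa-f][0-9A-Fa-f] ?)+$/) {
                # Assumption: dumps longer than one line continue on the next lines.
                n = split(msg, b, " ")
                for (i = 1; i <= n; i++) hex = hex b[i]
                got += n
                if (got == want) { print label, hex; reset() }
                else if (got > want) { print "byte count mismatch for " label > "/dev/stderr"; reset() }
            }
        }' "$1"
}

# Print each distinct encryption key once, as a continuous hex string.
unique_keys() {
    extract_dumps "$1" | awk '$1 == "key" && !seen[$2]++ { print $2 }'
}

# Sample trace lines copied from the excerpt above.
write_sample() {
    cat > "$1" <<'EOF'
29972| Tue May  8 22:16:31. 81108| ../src/ipsecTunnelBaseState.cc|  7014|    encryptBlock|     Debug| Encrypt Key:
29972| Tue May  8 22:16:31. 81110| ../src/ipsecTunnelBaseState.cc|  5772| getEncryptionKeySize|     Entry|
29972| Tue May  8 22:16:31. 81115| ../src/ipsecTunnelBaseState.cc|  7015|    encryptBlock|     Debug| Dumping 16 bytes:
29972| Tue May  8 22:16:31. 81115| ../src/ipsecTunnelBaseState.cc|  7015|    encryptBlock|     Debug|  1e ec 5e 1f 61 63 2f 79 51 30 e4 57 fc fd 4b 3c
29972| Tue May  8 22:16:31. 81133| ../src/ipsecTunnelBaseState.cc|  7017|    encryptBlock|     Debug| Initialization Vector:
29972| Tue May  8 22:16:31. 81136| ../src/ipsecTunnelBaseState.cc|  7018|    encryptBlock|     Debug| Dumping 8 bytes:
29972| Tue May  8 22:16:31. 81136| ../src/ipsecTunnelBaseState.cc|  7018|    encryptBlock|     Debug|  2e e2 9b cc 25 6f bd 79
EOF
}

sample=$(mktemp); write_sample "$sample"; unique_keys "$sample"; rm -f "$sample"
```

The Initiator's COOKIE is read from the ISAKMP header of the captured packets. A level 10 trace holds the key in cleartext, so handle the trace file with the same care as the key itself.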


Product : Landslide,IPSec