Troubleshooting VPN traffic is not always easy because of the encryption, but with decrypted packets things become a little easier.
ESP packet captures are often not very helpful when they only show encrypted payloads, and you may need to know what is behind a specific packet to troubleshoot issues such as Octeon Decryption Fails (checksum error).
The best option is to export:
A packet capture on both devices showing the original HTTPS packets as well as the ESP packets.
The TSR, exported with Sensitive Keys and IKE Info enabled.
NOTE: Download the TSR and the packet capture at the same time from the SonicWall (do not make any changes, such as a tunnel re-negotiation, between the two) so that the SPI and key values in the TSR match those in the capture.
Here's how to decrypt the capture:
Run a packet capture for the ESP IP type (you may want to explicitly specify the source and destination IP of the ESP traffic being monitored).
Export it in PCAPNG or PCAP format and open it in Wireshark.
EXAMPLE: In this scenario we are pinging a host on the remote site and the packet capture is collected from the local site, so the first two packets are outgoing (and will match the OUT SPI and the OUT crypto keys in the TSR) and the third packet is the reply from the remote site (and will match the IN SPI and the IN crypto keys in the TSR).
Check the TSR for the corresponding SA (security association).
Navigate to Edit | Preferences in Wireshark and, under the “Protocol” section, select ESP.
Make sure the “Attempt to detect/decode encrypted ESP payload” and “Attempt to Check ESP Authentication” options are checked. Click on Edit. In the pop-up window, click on the plus (+) symbol and fill in the new row:
• The protocol in our case is IPv4
• Source IP is 22.214.171.124 (local WAN)
• Destination IP is 126.96.36.199 (VPN GW or peer WAN IP)
• SPI is “0x6310061c” (Out SPI in the TSR)
• Encryption used by SonicWall, in this case, is AES-CBC [RFC3602] (SonicWall always uses the CBC mode for AES encryption)
• Type in the Encryption key from the TSR (“outCryptoKey: 0xb9e59856e0ec908751151b4cc62164cd” in our case)
• Select the Authentication method (HMAC-SHA1-96 [RFC2404] in our case, as we used SHA1 on phase 2)
• Type in the Auth Key (“outbound_auth_key: 0xcc5d30c26972c6273beada2dcc5f29aebd2e7cd2” in our case)
Click on the plus (+) symbol again and repeat step 5 with the IN SPI for the response traffic coming from the peer to the local SonicWall (the SPI, crypto key and auth key will be different).
Click on OK and go back to the Wireshark main window.
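As an added illustration (not SonicWall's or Wireshark's code) of what the “Attempt to Check ESP Authentication” option does with the SA rows entered above, the following Python uses only the standard library to split an ESP packet into SPI, sequence number, IV, ciphertext and ICV, look up the SA by SPI, and verify the HMAC-SHA1-96 ICV with the TSR auth key. The OUT SPI and keys are the ones quoted from the article's TSR; the IN SA, the sample packet and the ESP-with-AES-CBC/HMAC-SHA1-96 layout constants are constructed for the demo, and the AES-CBC decryption step itself is left out since it needs a crypto library.

```python
import hmac
import hashlib
import struct

ICV_LEN = 12  # HMAC-SHA1-96 truncates the 20-byte SHA-1 MAC to 96 bits
IV_LEN = 16   # AES-CBC uses a 16-byte IV placed right after the 8-byte ESP header

# Per-direction SA table, mirroring the two rows added in the Wireshark ESP preferences.
# OUT values come from the article's TSR; the IN SPI and keys are constructed placeholders.
SA_TABLE = {
    0x6310061C: {"direction": "OUT",
                 "crypto_key": bytes.fromhex("b9e59856e0ec908751151b4cc62164cd"),
                 "auth_key": bytes.fromhex("cc5d30c26972c6273beada2dcc5f29aebd2e7cd2")},
    0x11111111: {"direction": "IN",  # constructed for the demo
                 "crypto_key": bytes.fromhex("00" * 16),
                 "auth_key": bytes.fromhex("11" * 20)},
}

def parse_esp(packet):
    """Split an ESP packet into SPI, sequence number, IV, ciphertext and ICV."""
    if len(packet) < 8 + IV_LEN + ICV_LEN:
        raise ValueError("packet too short for ESP with AES-CBC + HMAC-SHA1-96")
    spi, seq = struct.unpack("!II", packet[:8])
    return {"spi": spi, "seq": seq, "iv": packet[8:8 + IV_LEN],
            "ciphertext": packet[8 + IV_LEN:-ICV_LEN], "icv": packet[-ICV_LEN:]}

def check_esp_auth(packet, sa_table=SA_TABLE):
    """Look up the SA by SPI and verify the ICV; a mismatch is the 'checksum error' case."""
    fields = parse_esp(packet)
    sa = sa_table.get(fields["spi"])
    if sa is None:
        return {"spi": fields["spi"], "direction": None, "icv_ok": False, "reason": "no SA for SPI"}
    # The MAC covers everything except the ICV itself: SPI, seq, IV and ciphertext.
    expected = hmac.new(sa["auth_key"], packet[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
    ok = hmac.compare_digest(expected, fields["icv"])
    return {"spi": fields["spi"], "seq": fields["seq"], "direction": sa["direction"],
            "icv_ok": ok, "reason": None if ok else "ICV mismatch (checksum error)"}

def build_esp(spi, seq, iv, ciphertext, auth_key):
    """Construct a sample ESP packet with a valid ICV (demo input only)."""
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]

# Constructed sample: 48 bytes of ciphertext under the OUT SA, then a copy with one flipped byte.
SAMPLE_OUT = build_esp(0x6310061C, 1, bytes(range(16)), bytes(48), SA_TABLE[0x6310061C]["auth_key"])
SAMPLE_CORRUPT = SAMPLE_OUT[:30] + bytes([SAMPLE_OUT[30] ^ 0x01]) + SAMPLE_OUT[31:]

if __name__ == "__main__":
    print(check_esp_auth(SAMPLE_OUT))      # icv_ok True, direction OUT
    print(check_esp_auth(SAMPLE_CORRUPT))  # icv_ok False, ICV mismatch
```

After a successful ICV check, decryption would use the crypto key and the 16-byte IV on the ciphertext, whose last two plaintext bytes are the pad length and next header.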