How to decrypt ESP Traffic using Wireshark
06/04/2020
Troubleshooting VPN traffic is not always easy because of the encryption, but with decrypted packets things become considerably easier.
ESP packet captures are often of little help when they only show encrypted payloads; to troubleshoot issues such as "Octeon Decryption Failed (checksum error)" you may need to know what is inside a specific packet.
The best option is to collect both of the following:
- A packet capture on both devices showing the original cleartext packets (for example HTTPS) as well as the ESP packets
- The TSR (Tech Support Report), exported with "Sensitive Keys" and "IKE Info" enabled.
NOTE: Download the TSR and the packet capture from the SonicWall at the same time, without any change in between (for example a tunnel re-negotiation, which replaces the SPIs and keys), so that the SPIs and key values in the TSR match those in the capture.
Here's how to decrypt the capture:
- Run a packet capture for IP type ESP (IP protocol 50); you may also want to restrict it to the source and destination IPs of the ESP traffic being monitored.
- Export it in PCAPNG or PCAP format, open it in Wireshark.
EXAMPLE: In this scenario we ping a host at the remote site and the packet capture is collected at the local site, so the first two packets are outgoing (they match the OUT SPI and the OUT crypto keys in the TSR) and the third packet is the reply from the remote site (it matches the IN SPI and the IN crypto keys in the TSR).
- Check the TSR for the corresponding SA (security association); it lists, per direction, the SPI, the crypto key and the auth key.
- Navigate to Edit | Preferences in Wireshark and, under the "Protocols" section, select ESP.
- Make sure you have the “Attempt to detect/decode encrypted ESP payload” and “Attempt to Check ESP Authentication” checked.
Click on Edit next to the list of ESP SAs. In the pop-up window, click on the plus (+) symbol to add an SA and fill in the fields:
• The protocol in our case is IPv4
• Source IP is 18.104.22.168 (local WAN)
• Destination IP is 22.214.171.124 (VPN GW or Peer WAN IP)
• SPI is “0x6310061c” (Out SPI in TSR)
• Encryption: AES-CBC [RFC3602] in this case (SonicWall uses CBC mode for AES in this setup; choose the entry that matches the Phase 2 proposal recorded in the TSR)
• Encryption key: type in the key from the TSR, keeping the "0x" prefix so that Wireshark reads it as hex rather than as an ASCII string (it is "outCryptoKey: 0xb9e59856e0ec908751151b4cc62164cd" in our case)
• Authentication: HMAC-SHA1-96 [RFC2404] in our case, since SHA1 was used in Phase 2
• Auth key: type in the key from the TSR, again with the "0x" prefix (it is "outbound_auth_key: 0xcc5d30c26972c6273beada2dcc5f29aebd2e7cd2" in our case)
- Click on the plus (+) symbol again and repeat the previous step with the IN SPI for the response traffic coming from the peer to the local SonicWall (the source and destination IPs are swapped, and the SPI, crypto key and auth key will be different).
- Click on OK and go back to the Wireshark main window; the ESP payloads of the matching packets are now shown decrypted.
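To see exactly what Wireshark does with the SA you just entered, the following Go program is an added example (it is not SonicWall or Wireshark code) that performs the same steps on a single ESP packet: match the SPI, verify the HMAC-SHA1-96 ICV with the auth key, AES-CBC decrypt with the crypto key, and strip the ESP trailer to recover the inner packet. It reuses the Out SPI and keys quoted above as a constructed SA, builds a sample ESP packet for a placeholder payload (not a real ICMP echo from the capture), and then shows why a wrong auth key fails at the authentication check before any decryption happens. The `SA`, `buildESP`, `decryptESP` and `mustHex` names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// SA holds one direction of the tunnel as read from the TSR: SPI, AES-CBC key
// (outCryptoKey/inCryptoKey) and HMAC-SHA1 key (outbound_auth_key/inbound_auth_key).
type SA struct {
	SPI     uint32
	EncKey  []byte // 16, 24 or 32 bytes for AES-128/192/256-CBC
	AuthKey []byte // 20 bytes for HMAC-SHA1-96
}
const icvLen = 12 // HMAC-SHA1-96 (RFC 2404): SHA-1 tag truncated to 96 bits

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s[2:]) // drop the TSR-style "0x" prefix
	if err != nil {
		panic(err)
	}
	return b
}

// buildESP builds one ESP packet (RFC 4303) so the example has something to decrypt offline:
// SPI | Seq | IV | AES-CBC(payload | pad | padLen | nextHdr) | ICV.
func buildESP(sa SA, seq uint32, nextHdr byte, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, err
	}
	padLen := (aes.BlockSize - (len(payload)+2)%aes.BlockSize) % aes.BlockSize // pad to whole blocks
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i)) // RFC 4303 default padding 1,2,3,...
	}
	plain = append(plain, byte(padLen), nextHdr)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	pkt := make([]byte, 8, 8+len(iv)+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], sa.SPI)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(append(pkt, iv...), ct...)
	mac := hmac.New(sha1.New, sa.AuthKey) // ICV covers SPI, Seq, IV and ciphertext
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:icvLen]...), nil
}

// decryptESP does what Wireshark does once the SA is entered: match the SPI, verify the
// ICV, AES-CBC decrypt and strip the trailer. Returns Next Header and the inner packet.
func decryptESP(sa SA, pkt []byte) (byte, []byte, error) {
	if len(pkt) < 8+2*aes.BlockSize+icvLen || (len(pkt)-8-icvLen)%aes.BlockSize != 0 {
		return 0, nil, fmt.Errorf("length %d not valid for ESP with AES-CBC + HMAC-SHA1-96", len(pkt))
	}
	if spi := binary.BigEndian.Uint32(pkt[0:4]); spi != sa.SPI {
		return 0, nil, fmt.Errorf("SPI 0x%08x does not match SA SPI 0x%08x", spi, sa.SPI)
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) { // wrong auth key or corrupted packet
		return 0, nil, fmt.Errorf("ICV mismatch: authentication failed before decryption")
	}
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return 0, nil, err
	}
	iv, ct := body[8:8+aes.BlockSize], body[8+aes.BlockSize:]
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen, nextHdr := int(plain[len(plain)-2]), plain[len(plain)-1]
	if padLen > len(plain)-2 { // a wrong crypto key passes the ICV check but garbles the trailer
		return 0, nil, fmt.Errorf("bad pad length %d: wrong encryption key?", padLen)
	}
	return nextHdr, plain[:len(plain)-2-padLen], nil
}

func main() {
	// Constructed SA using the Out SPI and keys quoted in the article; the payload is a placeholder.
	out := SA{SPI: 0x6310061c, EncKey: mustHex("0xb9e59856e0ec908751151b4cc62164cd"),
		AuthKey: mustHex("0xcc5d30c26972c6273beada2dcc5f29aebd2e7cd2")}
	pkt, _ := buildESP(out, 1, 4, []byte("constructed inner IPv4 packet")) // Next Header 4 = IP-in-IP (tunnel mode)
	nh, inner, err := decryptESP(out, pkt)
	fmt.Printf("ESP %x\nnext header %d, inner %q, err=%v\n", pkt, nh, inner, err)
	out.AuthKey = mustHex("0x0000000000000000000000000000000000000000") // wrong auth key
	_, _, err = decryptESP(out, pkt)
	fmt.Println("wrong auth key:", err)
}
```

The two failure paths mirror what you see in Wireshark: with the wrong auth key (or a packet damaged in transit) the ICV check fails and nothing is decrypted, which is the condition behind an authentication or checksum error; with the right auth key but the wrong crypto key the ICV passes and the decrypted bytes, including the pad length and Next Header trailer, come out as garbage. A packet whose SPI belongs to the other direction is rejected outright, which is why the IN SA has to be entered separately with its own keys.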