How to decrypt IKEv2 in Wireshark using StrongSwan log info?

Wireshark has the ability to decrypt IKEv2: if you go to Preferences and select ISAKMP, it offers an IKEv2 decryption table which wants the initiator's and responder's SPIs, the encryption and authentication keys (SK_ei, SK_er, SK_ai, SK_ar) and the encryption and authentication algorithms. With StrongSwan's charon debug logging on, all these are available.

I have a working IKEv2 SA and can transfer ESP traffic.

Yet every time I try to decrypt with Wireshark it produces incoherent decrypted results, like field lengths of 65000 in a packet that has 166 bytes, and reports malformed packets.

I also can't decrypt the ESP packets. Google searches say this is possible just using the info from 'ip xfrm state', but Wireshark either decrypts nothing or again produces invalid results.

Clearly I am missing something, has anybody done this?

I am using Wireshark 1.8.3, StrongSwan 5.0.1 on Ubuntu 12.04.

Thanks, RichK


Solution 1:

I had exactly the same problem but finally managed to solve it. My basic assumption has been that Wireshark is able to decode IKEv2 messages (see: http://www.wireshark.org/lists/wireshark-bugs/200904/msg00114.html). Not sure whether all integrity and encryption methods are supported.

My setup was a Windows 7 client and a StrongSwan server. If you configure StrongSwan with the strongest log level, all necessary keys are contained in the syslog file. Search for the keywords "Sk_ei", "Sk_er", "Sk_ai" and "Sk_ar" (there are several instances in the file; I took the latest occurrence in the log file). You now have to capture the traffic with Wireshark, get the StrongSwan log file of that time and enter the correct values in the Wireshark IKEv2 decryption table. It is extremely important that you enter the values in the right length and right format, e.g. eliminate spaces or colons (:) if you copy the values from syslog or a Wireshark trace.

Here is a guideline for the values to be used in decryption table:

Initiator's SPI = initiator cookie (found in the Wireshark message, not encoded)
Responder's SPI = responder cookie (found in the Wireshark message, not encoded)

Encryption algorithm: can be found in the Wireshark IKE SA Init response if you are not sure. I used AES-CBC-256, i.e. SK_ei and SK_er must have 64 hex digits.

Integrity algorithm: can be found in the Wireshark IKE SA Init response if you are not sure. I used HMAC-SHA1-96, i.e. SK_ai and SK_ar must have 40 hex digits.

SK_ei, SK_er, SK_ar and SK_ai values must be copied and pasted without blanks from the StrongSwan log file into the decryption table. In my example the 64-digit key (SK_ei, SK_er) was distributed over two lines in the log file.

If all is done properly, Wireshark should display the decoded messages.

Hope this helps!
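The procedure in Solution 1 (find the latest "Sk_*" dumps in the charon log, join the hexdump rows, strip blanks, check that the lengths match the negotiated algorithms, then fill the table) as one script. This is an added example written for this page; it is not code from the question, the answer, strongSwan or Wireshark. The sample log is constructed and only imitates charon's hexdump layout (one 16-byte row per line, offset first, ASCII rendering last), the SPIs are made up, and the column order and algorithm strings of the ikev2_decryption_table row are assumed from memory of the Wireshark ISAKMP dissector, so compare the generated row with one you add by hand in Preferences -> Protocols -> ISAKMP before trusting it.

```python
"""Extract IKEv2 SK_* keys from strongSwan charon debug output and emit one
row for Wireshark's IKEv2 decryption table (added example, see lead-in)."""
import re

# Key sizes in bytes for the algorithms named in the answer.  The table wants
# hex digits, so AES-CBC-256 means 64 digits and HMAC-SHA1-96 means 40.
# The algorithm strings are assumed to match Wireshark's drop-down entries.
ENCR_KEY_BYTES = {
    "3DES [RFC2451]": 24,
    "AES-CBC-128 [RFC3602]": 16,
    "AES-CBC-192 [RFC3602]": 24,
    "AES-CBC-256 [RFC3602]": 32,
}
INTEG_KEY_BYTES = {
    "HMAC_MD5_96 [RFC2403]": 16,
    "HMAC_SHA1_96 [RFC2404]": 20,
}

# Constructed sample log: a stale Sk_ai from an earlier IKE_SA, then the four
# keys of the SA we want, with an unrelated charon line interleaved.
SAMPLE_LOG = """\
Oct  3 09:10:02 gw charon: 09[IKE] Sk_ai secret => 20 bytes @ 0x7f30
Oct  3 09:10:02 gw charon: 09[IKE]    0: 11 11 11 11  11 11 11 11  11 11 11 11  11 11 11 11  ................
Oct  3 09:10:02 gw charon: 09[IKE]   16: 11 11 11 11                                          ....
Oct  3 09:12:41 gw charon: 05[IKE] Sk_ei secret => 32 bytes @ 0x7f3c
Oct  3 09:12:41 gw charon: 05[IKE]    0: 00 11 22 33  44 55 66 77  88 99 AA BB  CC DD EE FF  .."3DUfw........
Oct  3 09:12:41 gw charon: 05[IKE]   16: FF EE DD CC  BB AA 99 88  77 66 55 44  33 22 11 00  ........wfUD3"..
Oct  3 09:12:41 gw charon: 05[IKE] Sk_er secret => 32 bytes @ 0x7f3d
Oct  3 09:12:41 gw charon: 05[IKE]    0: 01 23 45 67  89 AB CD EF  01 23 45 67  89 AB CD EF  .#Eg.....#Eg....
Oct  3 09:12:41 gw charon: 05[IKE]   16: FE DC BA 98  76 54 32 10  FE DC BA 98  76 54 32 10  ....vT2.....vT2.
Oct  3 09:12:41 gw charon: 05[IKE] Sk_ai secret => 20 bytes @ 0x7f3e
Oct  3 09:12:41 gw charon: 05[IKE]    0: A0 A1 A2 A3  A4 A5 A6 A7  A8 A9 AA AB  AC AD AE AF  ................
Oct  3 09:12:41 gw charon: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Oct  3 09:12:41 gw charon: 05[IKE]   16: B0 B1 B2 B3                                          ....
Oct  3 09:12:41 gw charon: 05[IKE] Sk_ar secret => 20 bytes @ 0x7f3f
Oct  3 09:12:41 gw charon: 05[IKE]    0: C0 C1 C2 C3  C4 C5 C6 C7  C8 C9 CA CB  CC CD CE CF  ................
Oct  3 09:12:41 gw charon: 05[IKE]   16: D0 D1 D2 D3                                          ....
"""

PREFIX_RE = re.compile(r"charon:\s+\d+\[[A-Z]+\]\s*")   # syslog + thread prefix
HEADER_RE = re.compile(r"\b(Sk_(?:ei|er|ai|ar))\b.*?=>\s*(\d+)\s+bytes")
ROW_RE = re.compile(r"^(\d+):\s*(.*)$")                   # "<offset>: xx xx ..."
HEXPAIR_RE = re.compile(r"[0-9A-Fa-f]{2}")
BYTES_PER_ROW = 16


def _body(line):
    """Drop everything up to and including charon's thread tag."""
    m = PREFIX_RE.search(line)
    return line[m.end():] if m else line.strip()


def normalize_hex(text):
    """Strip blanks, colons and an optional 0x; the rest must be hex."""
    cleaned = re.sub(r"[\s:]", "", text)
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]*", cleaned):
        raise ValueError("not hex: %r" % text)
    return cleaned.lower()


def extract_keys(log_text):
    """Return {'SK_EI': hex, ...}; a later dump of the same key replaces an earlier one."""
    keys, lines, i = {}, log_text.splitlines(), 0
    while i < len(lines):
        head = HEADER_RE.search(_body(lines[i]))
        i += 1
        if not head:
            continue
        name, want = head.group(1).upper(), int(head.group(2))
        tokens = []
        while i < len(lines) and len(tokens) < want:
            body = _body(lines[i])
            if HEADER_RE.search(body):
                break                      # next key began; this one is short
            row = ROW_RE.match(body)
            if row:                        # take only the hex column, not the ASCII rendering
                need = min(BYTES_PER_ROW, want - len(tokens))
                tokens.extend(HEXPAIR_RE.findall(row.group(2))[:need])
            i += 1
        if len(tokens) != want:
            raise ValueError("%s: got %d of %d bytes" % (name, len(tokens), want))
        keys[name] = "".join(tokens).lower()
    return keys


def check_lengths(keys, encr_alg, integ_alg):
    """Reject keys whose hex length does not fit the negotiated algorithms."""
    expected = {"SK_EI": (encr_alg, ENCR_KEY_BYTES[encr_alg]),
                "SK_ER": (encr_alg, ENCR_KEY_BYTES[encr_alg]),
                "SK_AI": (integ_alg, INTEG_KEY_BYTES[integ_alg]),
                "SK_AR": (integ_alg, INTEG_KEY_BYTES[integ_alg])}
    for name, (alg, nbytes) in expected.items():
        digits = len(keys.get(name, ""))
        if digits != 2 * nbytes:
            raise ValueError("%s has %d hex digits, %s needs %d" % (name, digits, alg, 2 * nbytes))


def uat_row(spi_i, spi_r, keys, encr_alg, integ_alg):
    """One ikev2_decryption_table line (column order is an assumption)."""
    spi_i, spi_r = normalize_hex(spi_i), normalize_hex(spi_r)
    if len(spi_i) != 16 or len(spi_r) != 16:
        raise ValueError("IKE SPIs are 8 bytes, i.e. 16 hex digits")
    check_lengths(keys, encr_alg, integ_alg)
    fields = [spi_i, spi_r, keys["SK_EI"], keys["SK_ER"], encr_alg,
              keys["SK_AI"], keys["SK_AR"], integ_alg]
    return ",".join('"%s"' % f for f in fields)


if __name__ == "__main__":
    # SPIs are constructed; take the real ones from the IKE_SA_INIT header
    # shown in clear in Wireshark.
    k = extract_keys(SAMPLE_LOG)
    print(uat_row("a1b2c3d4e5f60718", "8171f6e5d4c3b2a1", k,
                  "AES-CBC-256 [RFC3602]", "HMAC_SHA1_96 [RFC2404]"))
```

The length check is the part worth keeping: a key that is a few digits short because a hexdump row was missed, or that has a stray colon, fails here instead of producing the "malformed packet" output the question describes.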

Solution 2:

Maybe you are entering the wrong keys.

AFAIK there are two of them:

  • IKE keys - keying is encrypted using these
  • ESP keys - network traffic is encrypted using these

I always used the keys from ip xfrm state to decrypt ESP traffic in Wireshark.
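The ESP half of the problem, following Solution 2: read the per-direction SAs that `ip xfrm state` prints on the StrongSwan host and turn each into a row for Wireshark's ESP SA table, checking the key lengths on the way. This is an added example for this page, not code from the answer, iproute2 or Wireshark. The sample output is constructed to look like iproute2's `ip xfrm state` for an AES-CBC-256 / HMAC-SHA1-96 tunnel; the ESP SA table column order (protocol, src, dst, SPI, encryption algorithm and key, authentication algorithm and key), the 0x-prefixed key form and the algorithm strings are assumed from memory of Wireshark's ESP dissector, so compare with a row added by hand in Preferences -> Protocols -> ESP.

```python
"""Convert `ip xfrm state` output into Wireshark ESP SA table rows
(added example, see lead-in)."""
import re

# Kernel algorithm names -> Wireshark ESP SA table strings (assumed names).
ENC_NAMES = {
    "cbc(des3_ede)": "TripleDES-CBC [RFC2451]",
    "cbc(aes)": "AES-CBC [RFC3602]",
    "rfc3686(ctr(aes))": "AES-CTR [RFC3686]",
}
# Valid key sizes in bytes; AES-CTR keys carry a 4-byte nonce in the kernel.
ENC_KEY_BYTES = {
    "cbc(des3_ede)": (24,),
    "cbc(aes)": (16, 24, 32),
    "rfc3686(ctr(aes))": (20, 28, 36),
}
# (kernel auth name, ICV truncation in bits) -> Wireshark string (assumed).
AUTH_NAMES = {
    ("hmac(md5)", 96): "HMAC-MD5-96 [RFC2403]",
    ("hmac(sha1)", 96): "HMAC-SHA-1-96 [RFC2404]",
    ("hmac(sha256)", 128): "HMAC-SHA-256-128 [RFC4868]",
}

# Constructed sample: one SA per direction, each with its own SPI and keys.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.7
\tproto esp spi 0xc9a1f002 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0x0123456789abcdef0123456789abcdef01234567 96
\tenc cbc(aes) 0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
\tsel src 0.0.0.0/0 dst 0.0.0.0/0
src 198.51.100.7 dst 192.0.2.1
\tproto esp spi 0x0be4d11a reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha1) 0xfedcba9876543210fedcba9876543210fedcba98 96
\tenc cbc(aes) 0xffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
\tsel src 0.0.0.0/0 dst 0.0.0.0/0
"""

HEXKEY_RE = re.compile(r"^0x([0-9A-Fa-f]{2})*$")


def parse_xfrm_state(text):
    """Return one dict per ESP SA: src, dst, spi, mode, enc=(alg, key), auth=(alg, key, bits)."""
    sas, cur = [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "src" and len(words) >= 4 and words[2] == "dst":
            cur = {"src": words[1], "dst": words[3]}
            sas.append(cur)
        elif cur is None:
            continue
        elif words[0] == "proto":
            cur["proto"] = words[1]
            for key in ("spi", "mode"):
                if key in words:
                    cur[key] = words[words.index(key) + 1]
        elif words[0] == "auth-trunc":          # "auth-trunc hmac(sha1) 0x... 96"
            cur["auth"] = (words[1], words[2], int(words[3]))
        elif words[0] == "auth":                # older output without a truncation length
            cur["auth"] = (words[1], words[2], None)
        elif words[0] == "enc":                 # "enc cbc(aes) 0x..."
            cur["enc"] = (words[1], words[2])
    return [sa for sa in sas if sa.get("proto") == "esp"]


def esp_sa_row(sa):
    """One ESP SA table line for a single direction; keys keep their 0x prefix."""
    enc_alg, enc_key = sa["enc"]
    auth_alg, auth_key, bits = sa["auth"]
    if bits is None and auth_alg in ("hmac(md5)", "hmac(sha1)"):
        bits = 96                               # RFC 2403/2404 default truncation
    if enc_alg not in ENC_NAMES or (auth_alg, bits) not in AUTH_NAMES:
        raise ValueError("no table name for %s / %s-%s" % (enc_alg, auth_alg, bits))
    for key in (enc_key, auth_key):
        if not HEXKEY_RE.match(key):
            raise ValueError("key is not 0x-prefixed hex: %r" % key)
    key_bytes = (len(enc_key) - 2) // 2
    if key_bytes not in ENC_KEY_BYTES[enc_alg]:
        raise ValueError("%s key is %d bytes, expected one of %s"
                         % (enc_alg, key_bytes, ENC_KEY_BYTES[enc_alg]))
    family = "IPv6" if ":" in sa["src"] else "IPv4"
    fields = [family, sa["src"], sa["dst"], sa["spi"], ENC_NAMES[enc_alg],
              enc_key, AUTH_NAMES[(auth_alg, bits)], auth_key]
    return ",".join('"%s"' % f for f in fields)


if __name__ == "__main__":
    for sa in parse_xfrm_state(SAMPLE_XFRM_STATE):
        print(esp_sa_row(sa))
```

Each `src ... dst ...` block is one direction with its own SPI and keys, so a tunnel needs two rows; a packet whose SPI matches no row is left undecrypted, and a row with a wrong-length key gives garbage rather than an error, which is why the size check is done here before anything is pasted into Wireshark.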