1. Verify the environment
StrongSwan version: Linux strongSwan U5.9.1/K4.18.0-240.1.1.el8_3.x86_64
Wireshark version: 3.4.7
OS: CentOS 8 (Linux)
2. Preparation
You need to configure StrongSwan logging; by default its messages end up in /var/log/messages. StrongSwan's default configuration file is /etc/strongswan/strongswan.conf.
Refer to the following settings (section names in strongswan.conf are lower-case, so the section is charon, not Charon):
    charon {
        load_modular = yes
        plugins {
            include strongswan.d/charon/*.conf
        }
        filelog {
            charon {
                path = /var/log/charon.log
                # add a timestamp prefix
                time_format = %b %e %T
                # prepend connection name, simplifies grepping
                ike_name = yes
                # overwrite existing files
                append = no
                # increase default loglevel for all daemon subsystems
                default = 4
                # flush each line to disk
                flush_line = yes
            }
            stderr {
                # more detailed loglevel for a specific subsystem, overriding the
                # default loglevel.
                ike = 2
                knl = 3
            }
        }
    }
The available log levels are -1, 0, 1, 2, 3 and 4. -1 disables logging entirely; 0 only reports connections being established and closed; 1 outputs error messages only; 2 outputs errors, warnings and debugging information; 3 additionally prints the data transmitted over the connection; 4 additionally prints sensitive material such as key contents.
Because this article uses Wireshark to decrypt the negotiation packets and needs the secret keys to do so, the log level is set to 4.
3. IKEv1 main mode
How to use StrongSwan itself is not covered here; if you are unfamiliar with it, refer to the official StrongSwan documentation.
(Wireshark capture: isakmp_mainmode.cap)
From the fifth message of the exchange onward the payloads are encrypted, so their contents cannot be seen.
Open Wireshark's ISAKMP configuration via the following path:
Wireshark -> Preferences -> Protocols -> ISAKMP
Choose the IKEv1 decryption table:
As you can see, two fields must be filled in. One is the Initiator's COOKIE, which is the Initiator SPI value in the message. The other is the Encryption Key, which has to be looked up in the StrongSwan log.
Open the StrongSwan log file and search for the following:
Put the value of the encryption key Ka into the Encryption Key field.
Looking back at the capture, we can see that the message from step 5 has now been decrypted.
4. IKEv1 aggressive mode
The method is the same as for IKEv1 main mode; the only difference is that in aggressive mode the exchange is encrypted from message 3 onward.
5. IKEv2
Capture the packets in the same way, then open Wireshark's ISAKMP configuration and select the IKEv2 decryption table:
There are many more fields to fill in this time. The Initiator's SPI and Responder's SPI can again be read from the message; the remaining fields come from the log:
The encryption and integrity algorithms need no further explanation; they are whatever was configured and negotiated for the connection.
Once the configuration is complete, look at the IKEv2 messages again: they have been decrypted.
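Copying the Ka and SK_* values out of a level-4 log by hand is error-prone, so here is an added helper (not part of the original post) that extracts them from charon.log for both the IKEv1 table (Initiator's COOKIE plus Ka) and the IKEv2 table above. It assumes strongSwan's debug message names ("Sk_ei secret", "encryption key Ka") and its hex-dump layout, and the on-disk row format it prints for the IKEv2 table is also an assumption; the SPIs and algorithm names are passed in because, as described above, they come from the packet and the configuration.

```python
import re
# strongSwan dumps key material at loglevel 4 through its %B hex-dump hook:
# a header "<name> => N bytes @ 0x..." then lines "<offset>: XX XX ...  ascii".
# The message names (Sk_ei/er/ai/ar secret, encryption key Ka) are assumed here.
HEADER = re.compile(r"(?:(Sk_[ea][ir]) secret|encryption key (Ka)) => (\d+) bytes @")
DUMP = re.compile(r"(\d+): ([0-9A-F]{2}(?: [0-9A-F]{2})*)")

def parse_keys(log_text):
    """Return {name: hex} for every complete key dump found in a charon.log."""
    keys, lines, i = {}, log_text.splitlines(), 0
    while i < len(lines):
        head = HEADER.search(lines[i])
        i += 1
        if not head:
            continue
        name, want, buf = head.group(1) or head.group(2), int(head.group(3)), bytearray()
        # Only accept dump lines whose offset equals the bytes collected so far (rejects timestamps).
        while i < len(lines) and len(buf) < want:
            d = DUMP.search(lines[i])
            if not d or int(d.group(1)) != len(buf):
                break
            buf += bytes.fromhex(d.group(2).replace(" ", ""))
            i += 1
        if len(buf) == want:  # skip truncated dumps
            keys[name] = buf.hex()
    return keys

def ikev2_record(spi_i, spi_r, keys, encr_alg, integ_alg):
    """Row for the IKEv2 decryption table (hex fields bare, text quoted; UAT format assumed)."""
    return ",".join([spi_i, spi_r, keys["Sk_ei"], keys["Sk_er"], '"%s"' % encr_alg,
                     keys["Sk_ai"], keys["Sk_ar"], '"%s"' % integ_alg])

# Constructed sample in charon.log style (ike_name = yes); not taken from a real session.
SAMPLE_LOG = """\
Jun 26 10:02:23 05[IKE] <conn|1> Sk_ai secret => 20 bytes @ 0x55d1c0a0
Jun 26 10:02:23 05[IKE] <conn|1>    0: 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19  ................
Jun 26 10:02:23 05[IKE] <conn|1>   16: 1A 1B 1C 1D                                      ....
Jun 26 10:02:23 05[IKE] <conn|1> Sk_ar secret => 20 bytes @ 0x55d1c0c0
Jun 26 10:02:23 05[IKE] <conn|1>    0: 2A 2B 2C 2D 2E 2F 30 31 32 33 34 35 36 37 38 39  *+,-./0123456789
Jun 26 10:02:23 05[IKE] <conn|1>   16: 3A 3B 3C 3D                                      :;<=
Jun 26 10:02:23 05[IKE] <conn|1> Sk_ei secret => 16 bytes @ 0x55d1c0e0
Jun 26 10:02:23 05[IKE] <conn|1>    0: 4E 2D 6F 0B 2C 6A 2B 87 C0 01 3E 0F 45 7B 5D 41  N-o.,j+...>.E{]A
Jun 26 10:02:23 05[IKE] <conn|1> Sk_er secret => 16 bytes @ 0x55d1c100
Jun 26 10:02:23 05[IKE] <conn|1>    0: 5E 5F 60 61 62 63 64 65 66 67 68 69 6A 6B 6C 6D  ^_`abcdefghijklm
Jun 26 10:02:24 05[IKE] <conn|1> encryption key Ka => 16 bytes @ 0x55d1c120
Jun 26 10:02:24 05[IKE] <conn|1>    0: 7E 7F 80 81 82 83 84 85 86 87 88 89 8A 8B 8C 8D  ~...............
"""

if __name__ == "__main__":  # SPIs are placeholders; read the real ones from the ISAKMP header
    print(ikev2_record("0123456789abcdef", "fedcba9876543210", parse_keys(SAMPLE_LOG),
                       "AES-CBC-128 [RFC3602]", "HMAC_SHA1_96 [RFC2404]"))
```

For IKEv1 the table row is just the Initiator's COOKIE and the "Ka" entry that parse_keys returns; if the on-disk format differs from what ikev2_record prints, paste the hex values into the GUI table instead.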