- Start packet capture in GUI -> Network -> Packet Capture.
- Follow the commands on FortiGate to extract the encryption key to decrypt the Phase-2 packet on Wireshark.
- Clear the existing IKE SA (# diag vpn ike gateway clear name <name>).
- Initiate traffic to trigger the ike/ipsec SA.
- Get the SPI and ISAKMP keys from FortiGate (# diag vpn ike gateway).
- ISAKMP keys can be obtained in IKE Debug.
diagnose debug console timestamp enable
diagnose vpn ike log-filter dst-addr4 <Remote Gateway IP> <----- Change <Remote Gateway IP>.
diagnose debug application ike -1
diagnose debug enable

For v7.4.0 and above:

diagnose debug console timestamp enable
diagnose vpn ike log filter rem-addr4 <Remote Gateway IP> <----- Change <Remote Gateway IP>.
diagnose debug application ike -1
diagnose debug enable

Responder:

ike V=root:0:Test:150: sent IKE msg (SA_INIT_RESPONSE): x.x.x.x:500->x.x.x.x:500, len=240, vrf=0, id=4de3c0f28601422e/a46da21febd5e243, oif=6
ike 0:Test:150: IKE SA 4de3c0f28601422e/a46da21febd5e243 SK_ei 16:63A4C02A86C7F3B33658166E4C4541A7
ike 0:Test:150: IKE SA 4de3c0f28601422e/a46da21febd5e243 SK_er 16:AE9B5748FC702FD48604E4912785BE72
ike 0:Test:150: IKE SA 4de3c0f28601422e/a46da21febd5e243 SK_ai 32:7254658FA96D17062AC0CE142D81708D8E12BDF96BAA749EACF0624035F62E8D
ike 0:Test:150: IKE SA 4de3c0f28601422e/a46da21febd5e243 SK_ar 32:90DB1576CAAF621AD7CD4884121FB5213A52C380C3DEB095CF9ADE8E76D64C27

Initiator:

ike 0:Test:227884: initiator received SA_INIT response
.......
ike 0:Test:227884: IKE SA 4de3c0f28601422e/a46da21febd5e243 SK_ei 16:63A4C02A86C7F3B33658166E4C4541A7
ike 0:Test:227884: IKE SA 4de3c0f28601422e/a46da21febd5e243 SK_er 16:AE9B5748FC702FD48604E4912785BE72
ike 0:Test:227884: IKE SA 4de3c0f28601422e/a46da21febd5e243 SK_ai 32:7254658FA96D17062AC0CE142D81708D8E12BDF96BAA749EACF0624035F62E8D
ike 0:Test:227884: IKE SA 4de3c0f28601422e/a46da21febd5e243 SK_ar 32:90DB1576CAAF621AD7CD4884121FB5213A52C380C3DEB095CF9ADE8E76D64C27

- Stop packet capture and download the TAR file.
- Open the downloaded PCAP file on Wireshark.
Make sure that the SPI in the CLI output and in the Wireshark capture are the same. The screenshot below shows the encrypted data.
- Select the ISAKMP phase-2 packet -> Protocol Preferences -> Internet Security Association and Key Management Protocol -> IKEv2 Decryption Table.
- A new Wireshark window will pop up as below.
Add a new row by selecting the + sign, then select each field and fill in the values from the FortiGate CLI (SPI, SK_ei, SK_er, SK_ai, SK_ar). Note: remove the '–' before entering the values.
- After completing step 6, the decrypted phase-2 packet will be viewable.
- Decrypted phase-2 packets when phase 2 is up.
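The manual step of copying the SPIs and the four SK_* keys from the IKE debug output into the Wireshark table is easy to get wrong (a truncated key, or keys from two different IKE SAs mixed together). The following is an added example, not Fortinet or Wireshark code: it parses the SK_ei/SK_er/SK_ai/SK_ar lines that `diagnose debug application ike -1` prints, checks that every key line carries the same SPI pair and that each key's hex length matches its declared byte length, and emits one row in the format of Wireshark's `ikev2_decryption_table` file (the assumed field order is initiator SPI, responder SPI, SK_ei, SK_er, encryption algorithm, SK_ai, SK_ar, integrity algorithm, each field double-quoted). The algorithm names are chosen from the key length alone, which is an assumption: the page does not state the proposal, so confirm the choice against the transform accepted in the SA_INIT exchange before relying on it.

```python
"""Turn FortiGate IKEv2 debug key lines into a Wireshark IKEv2 decryption table row.

Added example, not Fortinet or Wireshark code. It parses the SK_* lines that
"diagnose debug application ike -1" prints and emits one line in the assumed
format of Wireshark's ikev2_decryption_table file.
"""
import re
from typing import Dict, Tuple

# One regex for the four key lines, e.g.
#   ike 0:Test:150: IKE SA 4de3c0f2.../a46da21f... SK_ei 16:63A4C02A...
# The "16:" prefix is the key length in bytes, followed by the key in hex.
KEY_LINE = re.compile(
    r"IKE SA (?P<ispi>[0-9a-fA-F]{16})/(?P<rspi>[0-9a-fA-F]{16}) "
    r"(?P<name>SK_(?:ei|er|ai|ar)) (?P<length>\d+):(?P<hex>[0-9A-Fa-f]+)"
)
REQUIRED = ("SK_ei", "SK_er", "SK_ai", "SK_ar")

# Assumption: the key length alone is used to pick the Wireshark algorithm name.
# Verify against the negotiated transform: e.g. AES-CTR-128 also has a 16-byte key.
ENC_ALG_BY_KEYLEN = {
    16: "AES-CBC-128 [RFC3602]",
    24: "AES-CBC-192 [RFC3602]",
    32: "AES-CBC-256 [RFC3602]",
}
INTEG_ALG_BY_KEYLEN = {
    20: "HMAC_SHA1_96 [RFC2404]",
    32: "HMAC_SHA2_256_128 [RFC4868]",
    48: "HMAC_SHA2_384_192 [RFC4868]",
    64: "HMAC_SHA2_512_256 [RFC4868]",
}


def parse_ike_keys(debug_output: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (initiator SPI, responder SPI, {SK name: hex key}) from debug text.

    Raises ValueError if the key lines disagree on the SPI pair, if a key's hex
    length does not match its declared byte length, or if one of the four keys
    is missing (the Wireshark table needs all of them).
    """
    spis = None
    keys: Dict[str, str] = {}
    for m in KEY_LINE.finditer(debug_output):
        pair = (m["ispi"].lower(), m["rspi"].lower())
        if spis is None:
            spis = pair
        elif pair != spis:
            raise ValueError(f"mixed SPI pairs in debug output: {spis} vs {pair}")
        if len(m["hex"]) != 2 * int(m["length"]):
            raise ValueError(
                f"{m['name']}: declared {m['length']} bytes, got {len(m['hex']) // 2}"
            )
        keys[m["name"]] = m["hex"].lower()
    missing = [k for k in REQUIRED if k not in keys]
    if spis is None or missing:
        raise ValueError(f"no usable key lines found, missing: {missing}")
    return spis[0], spis[1], keys


def wireshark_row(ispi: str, rspi: str, keys: Dict[str, str]) -> str:
    """Format one ikev2_decryption_table line (each field double-quoted, comma separated)."""
    try:
        enc = ENC_ALG_BY_KEYLEN[len(keys["SK_ei"]) // 2]
        integ = INTEG_ALG_BY_KEYLEN[len(keys["SK_ai"]) // 2]
    except KeyError as exc:
        raise ValueError("no algorithm mapping for this key length") from exc
    fields = [ispi, rspi, keys["SK_ei"], keys["SK_er"], enc, keys["SK_ai"], keys["SK_ar"], integ]
    return ",".join(f'"{f}"' for f in fields)


# Constructed sample: the responder-side lines from the debug output shown above.
SAMPLE_DEBUG = """\
ike V=root:0:Test:150: sent IKE msg (SA_INIT_RESPONSE): x.x.x.x:500->x.x.x.x:500, len=240, vrf=0, id=4de3c0f28601422e/a46da21febd5e243, oif=6
ike 0:Test:150: IKE SA 4de3c0f28601422e/a46da21febd5e243 SK_ei 16:63A4C02A86C7F3B33658166E4C4541A7
ike 0:Test:150: IKE SA 4de3c0f28601422e/a46da21febd5e243 SK_er 16:AE9B5748FC702FD48604E4912785BE72
ike 0:Test:150: IKE SA 4de3c0f28601422e/a46da21febd5e243 SK_ai 32:7254658FA96D17062AC0CE142D81708D8E12BDF96BAA749EACF0624035F62E8D
ike 0:Test:150: IKE SA 4de3c0f28601422e/a46da21febd5e243 SK_ar 32:90DB1576CAAF621AD7CD4884121FB5213A52C380C3DEB095CF9ADE8E76D64C27
"""

if __name__ == "__main__":
    i_spi, r_spi, sk = parse_ike_keys(SAMPLE_DEBUG)
    print(wireshark_row(i_spi, r_spi, sk))
```

The emitted row can be appended to the `ikev2_decryption_table` file in the active Wireshark profile directory, or its fields pasted into the GUI table from the step above. The SPI pair it prints must equal the `id=` value in the `sent IKE msg` line and the SPIs Wireshark shows for the captured IKE_SA_INIT packets; if they differ, the debug output belongs to a different SA than the capture. The row holds the live session keys, so it deserves the same handling as the debug log and the PCAP it decrypts.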