This article describes how to decrypt captured Encapsulated Security Payload (ESP) packets initiated or terminated on FortiGate using Wireshark.
In some cases, network administrators need to track specific packets that are encrypted and carried through IPsec VPN tunnels.
ESP packets can be captured from the GUI under Network -> Packet capture or from the CLI with the following command:
diag sniffer packet any "esp and host 10.149.11.30" 6 0 a
To decrypt ESP packets, Security Association (SA) information needs to be available. List it from the CLI using this command:
diagnose vpn tunnel list
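To show what Wireshark does with that SA data (match the packet's SPI to an SA, check the integrity value with the authentication key, strip the ESP trailer), here is an added example that is not part of this article or of FortiGate; the SPI and key are constructed, and NULL encryption stands in for AES so the script runs on the Python standard library alone (on a real tunnel the payload would first be decrypted with the encryption key).

```python
import hashlib
import hmac
import struct

# Constructed SA table keyed by SPI, as the values would be read from
# "diagnose vpn tunnel list" (SPI and key below are made up for this example).
SA_TABLE = {
    0x0A1B2C3D: {"auth": "hmac-sha1-96", "auth_key": bytes.fromhex("0f" * 20)},
}

ICV_LEN = 12  # hmac-sha1-96 keeps only the first 96 bits of the HMAC-SHA1 tag


def verify_esp(packet: bytes):
    """Parse an ESP packet (SPI, sequence, payload, ICV) and check its ICV.

    Returns (spi, seq, payload) or raises ValueError if the SPI is unknown,
    the packet is truncated, or the ICV does not match the SA's auth key.
    """
    if len(packet) < 8 + ICV_LEN:
        raise ValueError("packet too short for ESP header and ICV")
    spi, seq = struct.unpack("!II", packet[:8])
    sa = SA_TABLE.get(spi)
    if sa is None:
        raise ValueError(f"no SA for SPI 0x{spi:08x}")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV mismatch: wrong auth key or tampered packet")
    return spi, seq, packet[8:-ICV_LEN]


def split_esp_trailer(plaintext: bytes):
    """Strip the ESP trailer (padding, pad length, next header) after decryption."""
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len + 2 > len(plaintext):
        raise ValueError("invalid pad length in ESP trailer")
    return plaintext[: -(pad_len + 2)], next_header


def build_esp(spi: int, seq: int, inner: bytes, auth_key: bytes) -> bytes:
    """Constructed helper: wrap data in ESP with NULL encryption and hmac-sha1-96."""
    pad_len = (-(len(inner) + 2)) % 4          # payload + trailer aligned to 4 bytes
    padding = bytes(range(1, pad_len + 1))      # ESP default padding 1, 2, 3, ...
    body = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, 4])
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]  # 4 = IP-in-IP
```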
The output should look similar to this: