Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
welnaggar
Staff
Staff

Created on ‎04-17-2020 05:13 AM Edited on ‎11-30-2023 07:36 AM By Moderator

Article Id 198431

Technical Tip: Decrypt ESP packets.

Description

 

This article describes how to decrypt captured Encapsulated Security Payload (ESP) packets initiated or terminated on FortiGate using Wireshark.

 

Scope

 

FortiGate.


Solution

 

In some case, network administrators need to track specific packets that are encrypted and transferred through IPsec VPN tunnels.

ESP packets can be captured from the GUI under Network -> Packet capture or from the CLI with the following command:

 

diag sniffer packet any "esp and host 10.149.11.30" 6 0 a

 

To decrypt ESP packets, Security Association (SA) information needs to be available. List it from the CLI using this command:

 

diagnose vpn tunnel list

 

The output must be similar to this:

 
On Wireshark, open the PCAP file:
 
 
Edit the protocol preferences as follows:
 
  1. Go to Edit -> Preferences -> Protocol -> ESP.
  2. Enable the last 3 check-boxes and select 'Edit' next to ESP SAs.
  3. Create two entries for the incoming and outgoing SAs.
  4. For each line, add the information obtained from the VPN tunnel list.

Outgoing ESP.
 
  • Protocol: Choose the IP protocol version; eg. IPv4.
  • Src IP: The IP address of local gateway; eg. 172.16.1.2.
  • Dst IP: The Ip address of the remote gateway; eg. 10.149.11.30.
  • SPI: local SPI; eg. 0x7bfa58a1.
  • Encryption:  Choose the encryption type from the drop-down that matches the used algorithm; eg. AES-CBC [RFC3602].
  • Encryption Key: The key after the encryption type; eg. 0x9f7bff78bb0b9b38585dc7cfcc923491c974481265468572b488cac5791450a5.
  • Authentication: Choose the authentication type from the drop-down that matches the used algorithm; eg. HMAC-SHA-384-192 [RFC4868].
  • Authentication Key: The key after the authentication type; eg. 0x8f94767df3524c694ccac5734db59ab55388dca78a55afe96b96fd4a04d62e642fd37f4b2ea03ff39a9a9125ce54f91f.
 
Incoming ESP.
  • Protocol: Choose the IP protocol version; e.g. IPv4.
  • Src IP: The IP address of local gateway; e.g. 10.149.11.30.
  • Dst IP: The Ip address of the remote gateway; e.g. 172.16.1.2.
  • SPI: remote SPI; e.g. 0x8bdd5fe9.
  • Encryption: Choose the encryption type from the drop-down that matches the used algorithm; e.g. AES-CBC [RFC3602].
  • Encryption Key: The key after the encryption type; e.g. 0xb8c64630a75f3a89721d448e789bf78cc84aa67a2b8d71836f5a050fa1310df5.
  • Authentication: Choose the authentication type from the drop-down that matches the used algorithm; e.g. HMAC-SHA-384-192 [RFC4868].
  • Authentication Key: The key after the authentication type; e.g. 0x04a99d4fc92dbfee1660c62c62defde2878bb163e50241ab96445924281060b2e1e3c3295c9c77e572bcd9818701dd3c.
  
 
  1. Finally, select 'OK'. All encrypted packets can now be viewed.
 
 
 
 
Related link:
 
 

 

Related articles:

19666
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.