lestopace, Staff
Article Id 208876
Description

This article describes how to decrypt IPSec Phase-1 (ISAKMP) packets.

Scope

FortiGate.
Solution
  1. Start a packet capture and set the filters in the GUI under Network -> Diagnostics -> Packet Capture.

  2. Enable the IKE debug and its log filter in the CLI, then restart the VPN tunnel that needs to be captured.

diagnose vpn ike log-filter dst-addr4 10.47.2.36
diagnose debug application ike -1
diagnose debug enable
diagnose vpn ike gateway clear name <phase1 tunnel name>


  3. Stop the capture and disable the debug on the CLI, then save the packet capture.

diagnose debug disable
diagnose debug reset


  4. In the CLI debug output, locate the ISAKMP SA line and save it: it carries the key that will be used to decrypt the packets. It should look like the message below.

ISAKMP SA 44bccc59eacea672/3477d67621c2c4d5 key 16:5821AD4D929637E363BE4172EEA4C16A

It is also possible to get the SPI and ISAKMP keys from FortiGate using the command below:

diag vpn ike gateway list name <Phase1-Name>

  5. Open the pcap file in Wireshark and go to Edit -> Preferences.

  6. Select Protocols -> ISAKMP -> Edit (in this case the tunnel uses IKEv1).

  7. Select the '+' button twice, add the SAs and their symmetric key, then press 'OK'.

  8. The Phase-1 (ISAKMP) negotiation is now shown decrypted.
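As an added example (not part of the original article), the script below pulls every ISAKMP SA line out of saved IKE debug output, checks that the key material matches the byte count given before the colon (16 = 16-byte key), and writes the entries in the two-column layout assumed here for Wireshark's ikev1_decryption_table profile file (initiator cookie, encryption key). The debug text is constructed sample data.

```python
import re

# Constructed sample of "diagnose debug application ike -1" output (not a real capture).
SAMPLE_DEBUG = """\
ike 0:VPN-HQ:1234: responder: main mode get 1st message...
ike 0:VPN-HQ:1234: ISAKMP SA 44bccc59eacea672/3477d67621c2c4d5 key 16:5821AD4D929637E363BE4172EEA4C16A
ike 0:VPN-HQ:1234: PSK authentication succeeded
ike 0:VPN-HQ:1235: ISAKMP SA 0a1b2c3d4e5f6071/8192a3b4c5d6e7f8 key 32:00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF
ike 0:VPN-HQ:1236: ISAKMP SA 1111222233334444/5555666677778888 key 16:ABCD
"""

# "ISAKMP SA <initiator SPI>/<responder SPI> key <bytes>:<hex key>"
SA_LINE = re.compile(
    r"ISAKMP SA (?P<ispi>[0-9a-fA-F]{16})/(?P<rspi>[0-9a-fA-F]{16}) "
    r"key (?P<length>\d+):(?P<key>[0-9a-fA-F]+)"
)


def parse_isakmp_sas(debug_output):
    """Return (initiator_spi, responder_spi, key_hex) for each well-formed SA line.

    A line whose hex key does not match the declared byte length (for example a
    line cut off while copying from the console) is skipped, since Wireshark
    would reject it anyway. Rekeys produce several SA lines, so all are kept.
    """
    sas = []
    for line in debug_output.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue
        key = m.group("key").upper()
        if len(key) != 2 * int(m.group("length")):
            continue  # truncated or mangled key material
        sas.append((m.group("ispi").lower(), m.group("rspi").lower(), key))
    return sas


def to_wireshark_uat(sas):
    """Render the IKEv1 decryption table rows: "<initiator cookie>","<encryption key>".

    Assumed file layout of Wireshark's ikev1_decryption_table UAT (one row per SA);
    the table is keyed on the initiator cookie only, so the responder SPI is dropped.
    """
    return "\n".join(f'"{ispi}","{key}"' for ispi, _rspi, key in sas)


if __name__ == "__main__":
    print(to_wireshark_uat(parse_isakmp_sas(SAMPLE_DEBUG)))
```

The generated rows can be pasted into the table opened in step 6 or placed in the profile's ikev1_decryption_table file before reopening the capture.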

Related articles:

Technical Tip: How to decrypt IPSec Phase-2 (ISAKMP) packets IKEv2

Technical Tip: Decrypt ESP packets.