FortiGate
lestopace
Staff
Article Id 208876
Description

This article describes how to decrypt IPsec Phase 1 (ISAKMP) packets captured on a FortiGate.

Scope

FortiGate.
Solution

1). Start a packet capture and set its filters in the GUI under Network -> Diagnostics -> Packet Capture.

2). Enable the IKE debug and its filter in the CLI, then restart the VPN tunnel that needs to be captured.

# diagnose vpn ike log-filter dst-addr4 10.47.2.36
# diagnose debug application ike -1
# diagnose debug enable

# diagnose vpn ike gateway clear name <phase1 tunnel name>

3). Stop the capture and the debug in the CLI, then save the packet capture.

# diagnose debug disable
# diagnose debug reset

4). In the CLI debug output, locate the ISAKMP SA line and save it; it holds the values used to decrypt the packets. It should look like the line below: the two hex values before 'key' are the initiator and responder cookies (SPIs), and the hex string after 'key 16:' is the Phase 1 encryption key.

ISAKMP SA 44bccc59eacea672/3477d67621c2c4d5 key 16:5821AD4D929637E363BE4172EEA4C16A

5). Open the pcap file in Wireshark and go to Edit > Preferences.

6). Select Protocols -> ISAKMP -> Edit (in this case the IKEv1 Decryption Table).

7). Click the '+' button twice and add the SA cookies and their symmetric key from the debug output, then press 'OK'.

8). The Phase 1 (ISAKMP) negotiation is now shown decrypted in Wireshark.
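As an added example, not part of the original article, a small Python helper that pulls every ISAKMP SA line out of the saved IKE debug output, checks that the key hex matches the stated length, and prints each one as a Wireshark decryption-table row. The UAT row format ("initiator cookie","key") and the reading of the number before ':' as the key length in bytes are assumptions; the debug lines around the article's SA line are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Matches the "ISAKMP SA <ispi>/<rspi> key <len>:<hex>" line printed by
# "diagnose debug application ike -1" (pattern taken from the line in this article).
SA_LINE = re.compile(
    r"ISAKMP SA (?P<ispi>[0-9a-fA-F]{16})/(?P<rspi>[0-9a-fA-F]{16})"
    r" key (?P<klen>\d+):(?P<key>[0-9a-fA-F]+)"
)


@dataclass(frozen=True)
class IsakmpSa:
    ispi: str  # initiator cookie (SPI), 8 bytes
    rspi: str  # responder cookie (SPI), 8 bytes
    key: str   # Phase 1 encryption key, hex

    def wireshark_uat_row(self) -> str:
        # Assumption: Wireshark's IKEv1 decryption table keys on the initiator
        # cookie and stores one quoted "cookie","key" pair per line in its
        # ikev1_decryption_table UAT file.
        return f'"{self.ispi}","{self.key}"'


def parse_isakmp_sas(debug_output: str) -> List[IsakmpSa]:
    """Extract every ISAKMP SA and its key from saved IKE debug output.

    Assumption: the number before ':' is the key length in bytes. A line whose
    hex does not match that length is rejected instead of being copied into
    Wireshark, where a truncated key would simply fail to decrypt.
    """
    sas = []
    for m in SA_LINE.finditer(debug_output):
        key = m.group("key")
        if len(key) != int(m.group("klen")) * 2:
            raise ValueError(f"key length mismatch for SA {m.group('ispi')}")
        sas.append(IsakmpSa(m.group("ispi").lower(), m.group("rspi").lower(), key.upper()))
    return sas


# Constructed sample: the SA line is the one shown in this article; the "ike 0:"
# lines around it are made up to mimic surrounding debug output.
SAMPLE_DEBUG = """\
ike 0:Tunnel1:5: responder: main mode get 1st message...
ISAKMP SA 44bccc59eacea672/3477d67621c2c4d5 key 16:5821AD4D929637E363BE4172EEA4C16A
ike 0:Tunnel1:5: sent IKE msg (ident_r1send): ...
"""

if __name__ == "__main__":
    for sa in parse_isakmp_sas(SAMPLE_DEBUG):
        print(sa.wireshark_uat_row())
```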