FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
nsaini
Staff
Staff
Article Id 213649
Description

This article describes how to decrypt IPSEC Phase-2 (ISAKMP) packets using the Phase1 key.

Scope FortiGate.
Solution

1) Start packet capture in GUI -> Network -> Packet Capture.

 

nsaini_0-1654102920405.png

 

 2) Follow the commands on FortiGate to extract the encryption key to decrypt the Phase-2 packet on Wireshark.

 

- Clear the existing ike SA (# diag vpn ike gateway clear name <name>).

 

- Initiate traffic to trigger the ike/ipsec SA.

 

- Get the SPI and ISAKMP keys from FortiGate (# diag vpn ike gateway).

 

nsaini_1-1654102976589.png

 

3) Stop packet capture and download the Tar file.

 

4) Open the downloaded pcap file on Wireshark.

Make sure that SPI in CLI output and Wireshark capture should be same.

The screenshot below shows encrypted data.

 

nsaini_2-1654103024482.png

 

5) Select ISAKMP phase2 packet -> Protocol preferences -> Internet Security Association and Key Management Protocol -> IKEv2 Decryption table.

 

nsaini_3-1654103055869.png

 

6) New Wireshark window will pop up as below.

Add a new row by selecting+ sign, select the field to fill the values from FortiGate Cli (SPI, SK_ei, SK_er, SK_ai, SK_ar).

 

Note.

remove the '–' before putting the values.

 

nsaini_4-1654103078629.png

 

nsaini_5-1654103089370.png

 

7) After completing 6), the decrypted phase-2 packet will be viewable.

 

nsaini_6-1654103117839.png

 

8) Decrypted phase-2 packets when phase 2 is up.

 

nsaini_7-1654103147642.png

 

Related links:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-decrypt-IPSec-Phase-1-ISAKMP-packet...

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Decrypt-ESP-packets/ta-p/198431

Contributors