FortiGate
nsaini
Staff
Article Id 213649
Description

This article describes how to decrypt IPsec Phase-2 (ISAKMP) packets in Wireshark using the Phase-1 keys.

Scope

FortiGate.
Solution
  1. Start packet capture in the GUI: Network -> Packet Capture.

[Screenshot: Packet Capture page in the FortiGate GUI]

  2. Run the following commands on the FortiGate CLI to extract the keys needed to decrypt the Phase-2 packets in Wireshark:
  • Clear the existing IKE SA (# diag vpn ike gateway clear name <name>).
  • Initiate traffic to trigger the IKE/IPsec SA negotiation.
  • Get the SPI and ISAKMP keys from the FortiGate (# diag vpn ike gateway).

[Screenshot: diag vpn ike gateway output showing the SPI and ISAKMP keys]

  3. Stop the packet capture and download the TAR file.
  4. Open the downloaded PCAP file in Wireshark.

Make sure that the SPI in the CLI output and the SPI in the Wireshark capture are the same.

The screenshot below shows encrypted data.

[Screenshot: encrypted ISAKMP Phase-2 packet in Wireshark]

  5. Select the ISAKMP Phase-2 packet -> Protocol Preferences -> Internet Security Association and Key Management Protocol -> IKEv2 Decryption Table.

[Screenshot: IKEv2 Decryption Table entry in the Protocol Preferences menu]

  6. A new Wireshark window will pop up as shown below.

Add a new row by selecting the + sign, then select each field and fill in the values from the FortiGate CLI (SPI, SK_ei, SK_er, SK_ai, SK_ar).

Note:

Remove the '-' characters from the values before entering them.

[Screenshots: IKEv2 Decryption Table with the new row filled in from the FortiGate CLI values]
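As an added example (not part of the original article or Fortinet's tooling), the following Python helper applies the note above before the values reach Wireshark: it strips the '-' separators from values copied from the FortiGate CLI, checks that each value is plain hex of the length the chosen encryption and integrity algorithms require, performs the SPI-versus-capture check from step 4, and assembles one row in the quoted, comma-separated format of Wireshark's ikev2_decryption_table profile file. The algorithm name strings, the row format and all sample values are assumptions or constructed for the example.

```python
import re

# Key lengths in bytes for the algorithm names Wireshark's IKEv2 Decryption
# Table uses (assumed from RFC 3602 / RFC 2404 / RFC 4868 key sizes).
ENCR_KEY_LEN = {"AES-CBC-128 [RFC3602]": 16, "AES-CBC-192 [RFC3602]": 24,
                "AES-CBC-256 [RFC3602]": 32}
INTEG_KEY_LEN = {"HMAC_SHA1_96 [RFC2404]": 20, "HMAC_SHA2_256_128 [RFC4868]": 32}

def normalize_hex(value, expected_bytes):
    """Drop the '-' separators (and any ':' or whitespace) from a value copied
    from the CLI, then require plain hex of exactly expected_bytes bytes."""
    cleaned = re.sub(r"[-:\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned) or len(cleaned) % 2:
        raise ValueError(f"not clean hex: {value!r}")
    if len(cleaned) != 2 * expected_bytes:
        raise ValueError(f"{value!r}: {len(cleaned) // 2} bytes, need {expected_bytes}")
    return cleaned

def spi_matches_capture(cli_spi, capture_spis):
    """The check from the article: the SPI shown by the CLI must be one of
    the SPIs seen in the Wireshark capture (an 8-byte IKEv2 SPI)."""
    wanted = normalize_hex(cli_spi, 8)
    return any(normalize_hex(s, 8) == wanted for s in capture_spis)

def build_ikev2_uat_row(ispi, rspi, sk_ei, sk_er, encr, sk_ai, sk_ar, integ):
    """Assemble one quoted, comma-separated row in the column order of the
    IKEv2 Decryption Table (format assumed from Wireshark's profile file)."""
    ekl, ikl = ENCR_KEY_LEN[encr], INTEG_KEY_LEN[integ]
    fields = [normalize_hex(ispi, 8), normalize_hex(rspi, 8),
              normalize_hex(sk_ei, ekl), normalize_hex(sk_er, ekl), encr,
              normalize_hex(sk_ai, ikl), normalize_hex(sk_ar, ikl), integ]
    return ",".join(f'"{f}"' for f in fields)

# Constructed sample values in the dashed form the note warns about;
# they are not keys from a real FortiGate.
SAMPLE = dict(
    ispi="00-11-22-33-44-55-66-77", rspi="88-99-aa-bb-cc-dd-ee-ff",
    sk_ei="0a-0b-0c-0d-0e-0f-10-11-12-13-14-15-16-17-18-19",
    sk_er="1a-1b-1c-1d-1e-1f-20-21-22-23-24-25-26-27-28-29",
    encr="AES-CBC-128 [RFC3602]",
    sk_ai="00-01-02-03-04-05-06-07-08-09-0a-0b-0c-0d-0e-0f-10-11-12-13",
    sk_ar="20-21-22-23-24-25-26-27-28-29-2a-2b-2c-2d-2e-2f-30-31-32-33",
    integ="HMAC_SHA1_96 [RFC2404]",
)

if __name__ == "__main__":
    assert spi_matches_capture(SAMPLE["ispi"], ["0011223344556677"])
    print(build_ikev2_uat_row(**SAMPLE))
```

A key of the wrong length for the selected algorithm raises before anything is written, which is the usual symptom of a partially pasted or mis-copied CLI value.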

  7. After completing step 6, the decrypted Phase-2 packet will be viewable.

[Screenshot: decrypted Phase-2 packet in Wireshark]

  8. Decrypted Phase-2 packets once Phase 2 is up.

[Screenshot: decrypted Phase-2 packets with Phase 2 established]

Related articles:

Technical Tip: How to decrypt IPSec Phase-1 (ISAKMP) packets.

Technical Tip: Decrypt ESP packets.