| Description | This article describes how to use NULL encryption on a FortiGate to intentionally bypass ESP decryption during controlled diagnostic testing. |
| Scope | FortiGate. |
| Solution |
In some cases, such as troubleshooting packet loss or performance issues over an IPsec tunnel, decrypting ESP packets can be time-consuming. Additionally, decryption may fail if the appropriate encryption keys are not captured along with the packet trace.
To simplify this process, configure NULL encryption for the tunnel in the GUI:
Note: The configuration described uses IPsec with NULL encryption (ESP NULL). This provides no confidentiality for packet payloads and is strictly unacceptable for production or operational use; it exposes sensitive traffic to interception, breaks common compliance controls, and significantly increases risk to data integrity and privacy. It should be used only in a lab environment for testing or evaluation purposes and not over the public internet.
After configuring NULL encryption, flush the tunnel and capture the ESP packets. To capture ESP packets from the CLI, use the following command:

diagnose sniffer packet any "host x.x.x.x and esp" 6 0 a

Or:

diagnose sniffer packet any "host x.x.x.x and port 4500" 6 0 a <----- Where x.x.x.x is the IP address of the remote gateway.

If the tunnel runs over UDP port 4500 (NAT traversal), the ESP packets are UDP-encapsulated and the capture filter must match port 4500 rather than the esp protocol.
ESP packets can also be captured from the GUI by navigating to Network -> Packet Capture.
In Wireshark, right-click any of the ESP packets, choose Protocol Preferences -> Encapsulating Security Payload, and select 'Attempt to detect/decode NULL-encrypted ESP payloads'.
After enabling it, the ESP packets appear in plain text for analysis.
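As an added illustration that is not part of the Fortinet article, the following Python script shows what the Wireshark option above has to do with a NULL-encrypted ESP packet: the ICV length is not carried on the wire, so a decoder tries common ICV sizes and accepts the one whose RFC 4303 trailer (padding 1,2,3..., a known next-header, a consistent inner IPv4 header) is plausible. The ESP packet, the inner IPv4/ICMP packet and the all-zero ICV are constructed here for the demo; the next-header allow-list and the ICV candidate sizes are assumptions.

```python
import struct

# Next-header values a NULL-ESP trailer may plausibly carry (assumption: a short allow-list)
KNOWN_NEXT_HEADERS = {4: "IPv4", 41: "IPv6", 6: "TCP", 17: "UDP", 1: "ICMP", 58: "ICMPv6"}
# ICV lengths to try: no ICV, HMAC-*-96, HMAC-SHA256-128, HMAC-SHA384-192, HMAC-SHA512-256
ICV_CANDIDATES = (0, 12, 16, 24, 32)

def decode_null_esp(esp):
    """Decode an ESP packet whose payload is NULL-encrypted (RFC 4303 layout, no IV).
    The wire format does not say how long the ICV is, so try common lengths and
    accept the first whose trailer looks right: next-header in the allow-list,
    padding equal to the RFC default 1,2,3,... and, for IPv4, a consistent header."""
    if len(esp) < 10:
        raise ValueError("too short for an ESP header plus trailer")
    spi, seq = struct.unpack("!II", esp[:8])
    for icv_len in ICV_CANDIDATES:
        trailer_end = len(esp) - icv_len          # pad-length and next-header sit just before the ICV
        if trailer_end < 10:
            continue
        pad_len, next_hdr = esp[trailer_end - 2], esp[trailer_end - 1]
        payload_end = trailer_end - 2 - pad_len
        if next_hdr not in KNOWN_NEXT_HEADERS or payload_end < 8:
            continue
        if esp[payload_end:trailer_end - 2] != bytes(range(1, pad_len + 1)):
            continue
        payload = esp[8:payload_end]
        if next_hdr == 4 and (len(payload) < 20 or payload[0] >> 4 != 4
                              or struct.unpack("!H", payload[2:4])[0] != len(payload)):
            continue
        return {"spi": spi, "seq": seq, "icv_len": icv_len,
                "next_header": KNOWN_NEXT_HEADERS[next_hdr], "payload": payload}
    raise ValueError("no consistent NULL-ESP trailer; payload is probably really encrypted")

def build_null_esp(spi, seq, inner, next_hdr=4, icv_len=12):
    """Constructed sample: wrap `inner` in NULL-encrypted ESP with a fake all-zero ICV.
    Payload + padding + 2 trailer bytes are aligned to 4 bytes, as NULL encryption requires."""
    pad_len = (-(len(inner) + 2)) % 4
    return (struct.pack("!II", spi, seq) + inner + bytes(range(1, pad_len + 1))
            + bytes([pad_len, next_hdr]) + bytes(icv_len))

def ipv4_icmp_echo(src, dst, data):
    """Constructed inner packet: minimal IPv4 header plus ICMP echo request, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(data), 1, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + data

if __name__ == "__main__":
    pkt = build_null_esp(0x1000ABCD, 7, ipv4_icmp_echo("10.0.0.1", "10.0.0.2", b"test"))
    print(decode_null_esp(pkt))                    # inner packet recovered, icv_len 12
```

Run over a capture taken after the test window, the same decoder is a quick way to confirm that no tunnel has been left on ESP NULL once diagnostics are finished.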
Copyright 2025 Fortinet, Inc. All Rights Reserved.