Tuesday, May 8, 2012

Cisco to Cisco IPsec-manual Decrypt packets - Part 2

Now let's get into decrypting ICMP packets between R1 and R2.

First let's capture some packets between R1 and R2.
  • Right click on the line between R1 and R2
  • Choose R1 f1/0 
  • Click "OK"

Now you should be able to ping across from R1.


  • Right click again on the line between R1 and R2
  • Select Start Wireshark


Notice that the ICMP packets are encrypted and all you see is the ESP. 

  • Click Edit --> Preferences
  • Expand protocols

  • Scroll to ESP
  • Check Attempt to detect/decode encrypted ESP payload
  • Input 2 SA one inbound and one outbound
  • Choose des and hmac-sha
  • Input the session-keys which we manually set earlier in the crypto-map in part 1
  • Click Apply and OK.

Notice that the ESP packets are now gone and you see the encrypted payload which are the ICMP packets.

Many more articles to come so stay tuned. "Join this site" on the right / click +1 below ------->