I am using the same setup from 'Configuring IPSEC VPN between Linux and Cisco'.
Just to give you some background info from my previous blogtorial:
My Linux machine public IP = 18.104.22.168
My Cisco public IP = 22.214.171.124
My Cisco Loopback = 10.10.0.2
First I am going to start a packet capture on my Linux machine that keeps only the IPsec (ESP) traffic, and leave it running in the background:
tcpdump -nni any -s0 -w /tmp/encrypt.pcap esp &
(-s0 captures whole packets and -w writes them raw to the file; the capture filter 'esp' is the same as 'ip proto 50'.)
Then ping the loopback IP of the Cisco, which in my case is 10.10.0.2, so that some traffic actually goes through the tunnel.
Once the pings have gone through, stop the capture (kill %1) and you should have some ESP packets in /tmp/encrypt.pcap.
Now run 'ip xfrm state' (as root) on the Linux machine and record the auth and enc keys for the inbound and outbound SAs, together with the SPI of each. It should look like this:
src 126.96.36.199 dst 188.8.131.52
proto esp spi 0x006e7ec9 reqid 0 mode tunnel
auth hmac(sha1) 0xbfab9a20fe0c8202548cebd66336ec2bf217044a
enc cbc(des3_ede) 0xe507d78d02fc7e1c6b05ee28fceac2565726b06b23f1d4f3
src 184.108.40.206 dst 220.127.116.11
proto esp spi 0x038379bc reqid 0 mode tunnel
auth hmac(sha1) 0xd3a07a1b285b62eee1ac3d6364a3040f4afee2e3
enc cbc(des3_ede) 0xc7440300df0cbf3edc6bab9e83fe9b2537b53d8568458f2a
Take note of the auth and enc keys in both directions (inbound and outbound), the SPI of each SA, and the authentication and encryption algorithms. In my case those are hmac(sha1) and cbc(des3_ede), which Wireshark lists as HMAC-SHA-1-96 [RFC2404] and TripleDES-CBC [RFC2451]. (3DES is what this lab tunnel happened to negotiate; it is deprecated and not something to configure on a new tunnel.)
Now open the encrypt.pcap file in Wireshark and it should look like this. IP's have been redacted to protect the innocent.
Notice that all you see is ESP packets; you cannot see the data or what is inside those encrypted packets. Next go to Edit ---> Preferences.
- Expand Protocols and scroll down to ESP.
- Tick "Attempt to detect/decode encrypted ESP payloads" and then edit the ESP SAs table. There should be 2 SA's, one for each direction: inbound (18.104.22.168 to 22.214.171.124) and outbound (126.96.36.199 to 188.8.131.52).
- For each SA fill in the source and destination IP, the SPI, the encryption algorithm and key, and the authentication algorithm and key, copying and pasting the keys acquired earlier with 'ip xfrm state' (keep the 0x prefix). A key entered against the wrong SPI or direction simply yields garbage, so match each key to the 'src ... dst ...' line it came from.
- Click Apply and OK.
And here is the decrypted traffic. My ping packets that were encrypted are now shown decrypted. The secret is to get the session keys. Keep in mind they are per-SA: after a rekey the tunnel gets new SPIs and new keys, so 'ip xfrm state' has to be run while the SAs seen in the capture are still live. Anyone with root on an endpoint can do exactly this, which is the real lesson: the tunnel protects the wire, not a compromised peer.
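To save retyping keys into the preferences dialog, here is a small helper I added for this page; it is example code, not something from the original post. It parses 'ip xfrm state' output (the live kernel SAD when run as root, or a saved copy on stdin or in a file) and prints one line per ESP SA in the eight-field format of Wireshark's esp_sa table file, which is what the ESP preferences dialog stores behind the scenes. The sample input is the xfrm output shown above. The labels for the two algorithms this post uses (TripleDES-CBC and HMAC-SHA-1-96) are the ones Wireshark shows in its dialog; the AES-CBC, MD5 and SHA-256 labels are my expectation for the same dialog and should be checked against the Wireshark version you run.

```python
#!/usr/bin/env python3
"""Turn `ip xfrm state` output into Wireshark ESP SA records.

Added example for this post, not code from the original. Each output
line has the eight fields of Wireshark's esp_sa table file: Protocol,
Src IP, Dest IP, SPI, Encryption, Encryption key, Authentication,
Authentication key.
"""
import re
import subprocess
import sys

# xfrm cipher name -> Wireshark ESP "Encryption" label. The 3DES entry is the
# one used on this page; the AES-CBC label is assumed (check your version).
ENC_NAMES = {
    "cbc(des3_ede)": "TripleDES-CBC [RFC2451]",
    "cbc(aes)": "AES-CBC [RFC3602]",
}
# Valid key lengths in bytes, so a mistyped or truncated key is caught here
# instead of showing up as garbage "plaintext" in Wireshark.
ENC_KEY_BYTES = {"cbc(des3_ede)": {24}, "cbc(aes)": {16, 24, 32}}

# (xfrm auth name, ICV length in bits) -> Wireshark "Authentication" label.
# HMAC-SHA-1-96 is the one used on this page; the others are assumed labels.
AUTH_NAMES = {
    ("hmac(sha1)", 96): "HMAC-SHA-1-96 [RFC2404]",
    ("hmac(md5)", 96): "HMAC-MD5-96 [RFC2403]",
    ("hmac(sha256)", 128): "HMAC-SHA-256-128 [RFC4868]",
}

# Constructed sample: the two SAs from the `ip xfrm state` output in the post.
SAMPLE_XFRM_STATE = """\
src 126.96.36.199 dst 188.8.131.52
    proto esp spi 0x006e7ec9 reqid 0 mode tunnel
    auth hmac(sha1) 0xbfab9a20fe0c8202548cebd66336ec2bf217044a
    enc cbc(des3_ede) 0xe507d78d02fc7e1c6b05ee28fceac2565726b06b23f1d4f3
src 184.108.40.206 dst 220.127.116.11
    proto esp spi 0x038379bc reqid 0 mode tunnel
    auth hmac(sha1) 0xd3a07a1b285b62eee1ac3d6364a3040f4afee2e3
    enc cbc(des3_ede) 0xc7440300df0cbf3edc6bab9e83fe9b2537b53d8568458f2a
"""


def parse_xfrm_state(text):
    """Parse `ip xfrm state` output and return one dict per ESP SA.

    Handles both the plain `auth NAME KEY` line (default 96-bit ICV) and the
    `auth-trunc NAME KEY BITS` line that newer iproute2 prints.
    """
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:  # a new SA starts with its src/dst line
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^proto (\S+) spi (0x[0-9a-fA-F]+)", line)
        if m:
            cur["proto"], cur["spi"] = m.group(1), m.group(2).lower()
            continue
        m = re.match(r"^auth(?:-trunc)? (\S+) (0x[0-9a-fA-F]+)(?: (\d+))?", line)
        if m:
            cur["auth"], cur["auth_key"] = m.group(1), m.group(2).lower()
            cur["icv_bits"] = int(m.group(3)) if m.group(3) else 96
            continue
        m = re.match(r"^enc (\S+) (0x[0-9a-fA-F]+)", line)
        if m:
            cur["enc"], cur["enc_key"] = m.group(1), m.group(2).lower()
    return [sa for sa in sas if sa.get("proto") == "esp"]


def esp_sa_record(sa):
    """Format one parsed SA as a line for Wireshark's esp_sa table."""
    key_len = (len(sa.get("enc_key", "0x")) - 2) // 2
    if key_len not in ENC_KEY_BYTES.get(sa.get("enc"), ()):
        raise ValueError("unsupported cipher or bad key length: %s (%d bytes)"
                         % (sa.get("enc"), key_len))
    auth_label = AUTH_NAMES.get((sa.get("auth"), sa.get("icv_bits")))
    if auth_label is None:
        raise ValueError("unsupported authenticator: %s/%s"
                         % (sa.get("auth"), sa.get("icv_bits")))
    proto = "IPv6" if ":" in sa["src"] else "IPv4"
    fields = [proto, sa["src"], sa["dst"], sa["spi"], ENC_NAMES[sa["enc"]],
              sa["enc_key"], auth_label, sa["auth_key"]]
    return ",".join('"%s"' % f for f in fields)


def main(argv):
    if len(argv) > 1:                    # saved `ip xfrm state` output in a file
        with open(argv[1]) as f:
            text = f.read()
    elif not sys.stdin.isatty():         # ... or piped in on stdin
        text = sys.stdin.read()
    else:                                # otherwise read the live SAD (needs root)
        text = subprocess.run(["ip", "xfrm", "state"], check=True,
                              capture_output=True, text=True).stdout
    for sa in parse_xfrm_state(text):
        print(esp_sa_record(sa))


if __name__ == "__main__":
    main(sys.argv)
```

Append the printed lines to the esp_sa file in your Wireshark profile directory while Wireshark is closed and the SAs will appear in the dialog pre-filled, or skip the GUI entirely and pass each record to tshark on the command line with -o esp.enable_encryption_decode:TRUE -o 'uat:esp_sa:<record>' when reading /tmp/encrypt.pcap.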
As of now I am not able to do the same for a VPN between Cisco <--ISAKMP/IPSEC VPN--> Cisco. There are no commands on Cisco that I know of which can give me the IPsec session keys. I have been reading a few articles and the ISAKMP/IPsec RFCs, and it seems like I should be able to recover the session keys from a core dump of the Cisco device -- we shall see.
Many more articles to come so stay tuned.