Saturday, May 5, 2012

Decrypt IPsec packets - Linux to Cisco VPN

In this blogtorial I will demonstrate how to decrypt IPsec packets on a VPN between a Linux machine and a Cisco router. We will be using the setup from my previous blogtorial 'Configuring IPSEC VPN between Linux and Cisco'.

Let's begin.

I am using the same setup from 'Configuring IPSEC VPN between Linux and Cisco'.

Just to give you some background info from my previous blogtorial: 
My Linux machine public IP = 123.123.123.123
My Cisco public IP = 11.11.11.11
My Cisco Loopback = 10.10.0.2

First I am going get a packet capture on my Linux machine to capture the IPsec traffic.

tcpdump -vnni any -As0 -w /tmp/encrypt.pcap -- porto ESP&

and do a ping to the loopback IP of the Cisco which in my case was 10.10.0.2

Now you should have some data in encrypt.pcap.

Now type 'ip xfrm state' on the Linux machine and record the auth and enc keys for inbound and outbound sessions. Should look like this


src 11.11.11.11 dst 123.123.123.123
        proto esp spi 0x006e7ec9 reqid 0 mode tunnel
        replay-window 4
        auth hmac(sha1) 0xbfab9a20fe0c8202548cebd66336ec2bf217044a
        enc cbc(des3_ede) 0xe507d78d02fc7e1c6b05ee28fceac2565726b06b23f1d4f3

src 123.123.123.123 dst 11.11.11.11
        proto esp spi 0x038379bc reqid 0 mode tunnel
        replay-window 4
        auth hmac(sha1) 0xd3a07a1b285b62eee1ac3d6364a3040f4afee2e3
        enc cbc(des3_ede) 0xc7440300df0cbf3edc6bab9e83fe9b2537b53d8568458f2a

Take note of the auth and the enc keys both ways (inbound and outbound), authentication protocol and the encryption protocol which in my case was hmac-sha1 and tripledes

Now open the encrypt.pcap file in Wireshark and it should look this. IP's have been redacted to protect the innocent. 


Notice that all you see is the ESP packets and you cannot see the data or what is inside those encrypted packets. Next go to Edit ---> Preferences.


In preferences,
  • Expand protocols and scroll down to ESP. 
  • Edit the following SA. There should be 2 SA's one for inbound (11.11.11.11 to 123.123.123.123) and one for outbound (123.123.123.123 to 11.11.11.11). 
  • Copy and paste the appropriate keys from earlier that was acquired using 'ip xfrm state'.
  • Click Apply and OK.

And here is the decrypted traffic. My ping packets that were encrypted are now decrypted. The secret is to get the sessions keys.


As of now I am not able to do the same for a VPN between Cisco to <--ISAKMP/IPSEC VPN--> Cisco. There are no commands in Cisco that I know of which can give me the IPsec session keys. I have been reading a few articles and ISAKMP/IPsec rfc and it seems like I should be able to capture the sessions keys from a core dump on the Cisco device -- we shall see.

Many more articles to come so stay tuned. "Join this site" on the right / click +1 below ------->