How to Decrypt IKEv2 Packets
Objective
Decrypt and analyze IKEv2 packets for IPSec VPN terminating on the firewall.
Procedure
Step 1: Enable ikemgr debugs to dump level
admin@firewall> debug ike global on dump
Step 2: Find the SPI, Encryption, and Hash Algorithm
# The first SPI in the set belongs to the initiator regardless of where the command was run.
admin@firewall> show vpn ike-sa detail gateway <IKE-GATEWAY> <...> IKE SA: SPI: 628be6458b436c75:00492d770b06b539 Init <...> Proposal: AES128-CBC/SHA1/DH2 admin@firewall> less mp-log ikemgr.log <snip> ====> Established SA: 10.0.0.1[500]-10.0.0.2[500] SPI:628be6458b436c75:00492d770b06b539 SN:7 lifetime 28800 Sec <====
Step 3: Find the initiator’s encryption key (SK_ei)
# If the debug was taken on responder, you would see initiator’s key after ”decrypting” and “ciphertext” messages.
admin@firewall> less mp-log ikemgr.log 2018-10-31 22:16:10.956 +0800 [DEBG]: { 1: }: encrypting: 2018-10-31 22:16:10.956 +0800 [DEBG]: { 1: }: plaintext: <...> 2018-10-31 22:16:10.956 +0800 [DEBG]: { 1: }: key: 2018-10-31 22:16:10.956 +0800 [DUMP]: 26ce52c9 42df35c8 9696d852 27cee760
Step 4: Find the responder’s encryption key (SK_er)
admin@firewall> less mp-log ikemgr.log 2018-10-31 22:16:10.975 +0800 [DEBG]: { 1: }: decrypting: 2018-10-31 22:16:10.975 +0800 [DEBG]: { 1: }: ciphertext: 2018-10-31 22:16:10.975 +0800 [DUMP]: <...> 2018-10-31 22:16:10.975 +0800 [DEBG]: { 1: }: key: 2018-10-31 22:16:10.975 +0800 [DUMP]: 1cea4a2b 1586745e 08c5ac12 99bf331f
Step 5: Create dummy authentication keys (SK_ai and SK_ar)
We do not print the SK_ai and SK_ar in log file directly.
If you don’t care about checking integrity, you can use all zeros for SK_ai and SK_ar
For SHA-1, the key size is 160-bit or 20 bytes, which means 40 zeros.
"0000000000000000000000000000000000000000"
Step 6: Configure Wireshark (Preferences > Protocols > ISAKMP > IKEv2 Decryption Table)
Step 7: To decrypt aes128-cbc ESP follow the steps in ikev1 documentation mentioned in additional information.
If aes128-gcm is used then to decrypt the ESP packet (both ikev1/v2), take the dump from ikemgr logs. There is no authkey, hence authentication and authentication key is to be used as shown below:
2020-09-08 22:51:32.512 -0700 [DUMP]: sadb_update: seq=1, ul_proto=255 sa_src=34.100.95.129[500]/0, sa_dst=172.16.1.128[500]/0, satype=141 (ESP), spi=0xC827AFFE, wsize=64, authtype=38 (NON-AUTH), enctype=31 (AES128-GCM16), saflags=0x0, samode=137 (tunl), reqid=0, lifetime hard time 3600, bytes 0, lifetime soft time 2892, bytes 0, enckey len=20 [d5a466fd0c601bb49c4261ee9f197d0f4b2456d2], authkey len=0 []>>>>>>>>>>>>>>>> 2020-09-08 22:51:32.512 -0700 [INFO]: { 50: 57}: SADB_ADD proto=255 172.16.1.128[500]=>34.100.95.129[500] ESP tunl spi 0x99B4E739 auth=NON-AUTH enc=AES128-GCM16/20 lifetime soft 3067/0 hard 3600/0 2020-09-08 22:51:32.512 -0700 [DUMP]: sadb_add: seq=1, ul_proto=255 sa_src=172.16.1.128[500]/0, sa_dst=34.100.95.129[500]/0, satype=141 (ESP), spi=0x99B4E739, wsize=64, authtype=38 (NON-AUTH), enctype=31 (AES128-GCM16), saflags=0x0, samode=137 (tunl), reqid=0, lifetime hard time 3600, bytes 0, lifetime soft time 3067, bytes 0, enckey len=20 [e5bb8dfdc09ed681d9678c7e7c800e79656e46af], authkey len=0 []>>>>>>>>>>>>>>>>
Edit -> Preferences -> Protocols -> ESP -> Attempt to detect/decode encrypted ESP payloads
ESP SAs Edit...
Additional Information
Decryption procedure for IKEv1 and ESP is documented here: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClinCAC
If you are interested only in seeing the decrypted contents of IKE packets, use the “debug ike pcap” functionality in which cleartext IKE packets are captured before encryption (outbound) and after decryption (inbound) by the ikemgr daemon on MP. Export the pcap file with ”scp export debug-pcap ...”
Refer to following for more: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC