Wireshark-users: Re: [Wireshark-users] Cant decrypt ESP payload

From: マシス・ザッカリー <mathis@xxxxxxxxx>
Date: Tue, 25 Jul 2006 15:14:49 +0900
Thank you very much for the prompt reply!
In this case then, how would I get the encryption key/authentication key
to decrypt traffic?


On Tue, 25 Jul 2006 07:55:48 +0200
Joerg Mayer <jmayer@xxxxxxxxx> wrote:

> On Tue, Jul 25, 2006 at 02:43:15PM +0900, マシス・ザッカリー wrote:
> > Has anybody had any success decrypting ESP payloads with wireshark or
> > tcpdump?
> > I am trying to decrypt some ping packets (attached) that have been
> > encrypted with 3DES/SHA1 with the PSK being "hello". I get an error in
> > my terminal that says "ESP Preferences: Error in encryption algorithm
> > 3des-cbc: Bad Keylen <40 bits>"
> > From what I can tell, I only know my PSK, so I'm not sure what wireshark
> > is expecting for my encryption key/authentication key. I tried it in
> > tcpdump as well with no luck.
> 
> What you are trying to do doesn't work that way - and it *hopefully*
> never will, because otherwise it would mean that IPsec is broken!
> 
> <SIMPLIFY>
> IPsec has two phases:
> The first is used for setting up a secure connection for *management*
> purposes, the second phase is used to actually encrypt data packets.
> ESP is a phase two protocol whose keys are negotiated using the phase 1
> stuff.
> So what is done in phase 1? First, an encrypted tunnel is set up. After
> that, the tunnel endpoints *authenticate* to each other, using (in your
> case) the pre-shared key. The authentication is a protection from
> man-in-the-middle attacks, not much more.
> </SIMPLIFY>
> </SIMPLIFY>
> 
> Ciao
>       Joerg
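As an added illustration of the point in the quoted reply (example code written for this page, not from the thread or the Wireshark project), the sketch below follows RFC 2409 sections 5.4 and 5.5 to show how IKEv1 with pre-shared-key authentication turns a PSK into the keys of an ESP security association. The PSK enters only at SKEYID; every later step also mixes in the Diffie-Hellman secret g^xy, the ISAKMP cookies and the nonces, so a capture plus the string "hello" is not enough to recover the ESP keys. What Wireshark's ESP preferences want is the per-SA keys that came out of this negotiation. All nonces, cookies, SPI and DH values are constructed placeholders, the PRF is HMAC-SHA1 as for the SHA1 hash group, and the key ordering inside KEYMAT (encryption key first, then authentication key) follows RFC 2407. The last check reproduces the length mismatch behind the quoted error: "hello" is 40 bits, while 3des-cbc expects 192.

```python
# Added example for this thread, not code from Wireshark or the posters.
# Sketch of IKEv1 pre-shared-key keying (RFC 2409, sections 5.4 and 5.5)
# showing why the PSK by itself cannot yield the ESP keys.
# All sample values below are constructed.
import hashlib
import hmac

ESP_PROTO = 3                  # PROTO_IPSEC_ESP in the IPsec DOI (RFC 2407)
TRIPLE_DES_CBC_KEY_BYTES = 24  # 3des-cbc expects a 192-bit key
HMAC_SHA1_KEY_BYTES = 20       # hmac-sha1 expects a 160-bit key


def key_bits(key: bytes) -> int:
    """Length of a key in bits, the figure Wireshark prints in 'Bad Keylen'."""
    return len(key) * 8


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 PRF for the SHA1 hash group: HMAC-SHA1 (RFC 2409, section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, p1_ni: bytes, p1_nr: bytes) -> bytes:
    """Phase 1 with pre-shared-key authentication: SKEYID = prf(PSK, Ni_b | Nr_b).
    This is the only place the PSK enters the key schedule."""
    return prf(psk, p1_ni + p1_nr)


def skeyid_d(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes) -> bytes:
    """SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0).
    g^xy is the Diffie-Hellman shared secret; a passive observer never sees it."""
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")


def keymat(skd: bytes, spi: bytes, qm_ni: bytes, qm_nr: bytes, nbytes: int) -> bytes:
    """Phase 2 (quick mode, no PFS) keying material, RFC 2409 section 5.5:
    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    K2 = prf(SKEYID_d, K1 | protocol | SPI | Ni_b | Nr_b), ... until nbytes exist."""
    seed = bytes([ESP_PROTO]) + spi + qm_ni + qm_nr
    block = prf(skd, seed)
    out = block
    while len(out) < nbytes:
        block = prf(skd, block + seed)
        out += block
    return out[:nbytes]


def derive_esp_keys(psk, p1_ni, p1_nr, g_xy, cky_i, cky_r, spi, qm_ni, qm_nr):
    """Return (encryption key, authentication key) for one ESP SA using
    3des-cbc / hmac-sha1: the first 24 bytes of KEYMAT are the cipher key,
    the next 20 the HMAC key (RFC 2407 ordering)."""
    sk = skeyid_psk(psk, p1_ni, p1_nr)
    skd = skeyid_d(sk, g_xy, cky_i, cky_r)
    material = keymat(skd, spi, qm_ni, qm_nr,
                      TRIPLE_DES_CBC_KEY_BYTES + HMAC_SHA1_KEY_BYTES)
    return (material[:TRIPLE_DES_CBC_KEY_BYTES],
            material[TRIPLE_DES_CBC_KEY_BYTES:])


# Constructed sample exchange values (placeholders, not from any real capture).
SAMPLE = dict(
    psk=b"hello",
    p1_ni=bytes.fromhex("0102030405060708"),   # phase 1 initiator nonce
    p1_nr=bytes.fromhex("1112131415161718"),   # phase 1 responder nonce
    g_xy=bytes.fromhex("aa" * 32),             # Diffie-Hellman shared secret
    cky_i=bytes.fromhex("2122232425262728"),   # initiator ISAKMP cookie
    cky_r=bytes.fromhex("3132333435363738"),   # responder ISAKMP cookie
    spi=bytes.fromhex("c0ffee01"),             # ESP SPI of the SA
    qm_ni=bytes.fromhex("4142434445464748"),   # quick mode initiator nonce
    qm_nr=bytes.fromhex("5152535455565758"),   # quick mode responder nonce
)


def main():
    enc_key, auth_key = derive_esp_keys(**SAMPLE)
    print("PSK 'hello' is %d bits; 3des-cbc needs %d" %
          (key_bits(SAMPLE["psk"]), TRIPLE_DES_CBC_KEY_BYTES * 8))
    print("negotiated ESP encryption key: ", enc_key.hex())
    print("negotiated ESP authentication key:", auth_key.hex())
    # Same PSK, different DH secret: entirely different ESP keys.
    other = dict(SAMPLE, g_xy=bytes.fromhex("bb" * 32))
    print("same PSK, other g^xy -> same keys?", derive_esp_keys(**other)[0] == enc_key)


if __name__ == "__main__":
    main()
```

The derivation is the standard one, so with the real nonces, cookies, SPI and g^xy of a session it would reproduce the SA keys; the point of the sketch is that those inputs, not the PSK, are what Wireshark's ESP preferences need, and the only practical source for them is the endpoint that negotiated the SA.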