How to Decrypt IKE and ESP Packets on a Palo Alto Networks Device
https://live.paloaltonetworks.com/t5/Management-Articles/How-to-De...
by imsed on 04-09-2017 12:50 PM - edited on 04-12-2017 12:03 PM by arsimon

Labels: Decryption, Management, Network
Overview

When IPsec tunnels terminate on a Palo Alto Networks firewall, it is possible to decrypt the traffic using the keys recorded in ikemgr.log. This is very useful for troubleshooting IKE, and for performance issues with IPsec tunnels such as packet loss and out-of-order packets.

Details

In this article we illustrate how to decrypt IKEv1 in main mode and an ESP packet using the following topology. The same steps can be used with IKEv2.
By default, the debugging level of ikemgr is normal. To log the negotiated authentication and encryption keys, we must increase the debugging level to dump.

admin@FW1> debug ike global show
sw.ikedaemon.debug.global: normal
admin@FW1> debug ike global on dump
admin@FW1> debug ike global show
sw.ikedaemon.debug.global: dump

Packets can be captured anywhere between FW1 and FW2. On our test setup we take the packet captures on FW1, following this guide: https://live.paloaltonetworks.com/t5/Learning-Articles/How-to-Run-a-Packet-Capture/ta-p/62390. To capture clear and encrypted data between User1 and User2 we use the following filters.
admin@FW1> debug dataplane packet-diag show setting
--------------------------------------------------------------------------------
Packet diagnosis setting:
--------------------------------------------------------------------------------
Packet filter
  Enabled:                   yes
  Match pre-parsed packet:   no
  Index 1: 192.168.112.104[0]->192.168.125.110[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
  Index 2: 10.193.121.91[0]->10.193.121.93[0], proto 0
           ingress-interface any, egress-interface any, exclude non-IP
--------------------------------------------------------------------------------
Logging
  Enabled:                   no
  Log-throttle:              no
  Sync-log-by-ticks:         yes
  Features:
  Counters:
--------------------------------------------------------------------------------
Packet capture
  Enabled:                   yes
  Snaplen:                   0
  Stage receive    : file rx
    Captured:                packets - 0    bytes - 0
    Maximum:                 packets - 0    bytes - 0
  Stage transmit   : file tx
    Captured:                packets - 1    bytes - 0
    Maximum:                 packets - 0    bytes - 0
  Stage drop       : file dr
    Captured:                packets - 0    bytes - 0
    Maximum:                 packets - 0    bytes - 0

At this point, we need to bounce the IPsec tunnel to start a new negotiation and log the IPsec phase 1 and phase 2 keys.

admin@FW1> clear vpn ike-sa gateway TO-FW2
admin@FW1> clear vpn ipsec-sa tunnel To-FW2

Then generate traffic between User1 and User2 and make sure that the tunnel is up.

admin@FW1> show vpn ike-sa gateway TO-FW2
IKEv1 phase-1 SAs
GwID/client IP  Peer-Address    Gateway Name  Role Mode Algorithm           Established      Expiration       V  ST Xt Phase2
--------------  --------------  ------------  ---- ---- ------------------  ---------------  ---------------  -- -- -- ------
1               10.193.121.93   TO-FW2        Init Main PSK/ DH2/A128/SHA1  Apr.08 21:57:04  Apr.08 22:03:04  v1 12 4  1

Show IKEv1 IKE SA: Total 2 gateways found. 1 ike sa found.

IKEv1 phase-2 SAs
GwID/client IP  Peer-Address    Gateway Name  Role Algorithm            SPI(in)   SPI(out)  MsgID     ST Xt
--------------  --------------  ------------  ---- -------------------  --------  --------  --------  -- --
1               10.193.121.93   TO-FW2        Init ESP/ DH5/tunl/SHA2   B57366C2  B82D7CDE  547B1BD5  9  1

Show IKEv1 phase2 SA: Total 2 gateways found. 1 ike sa found.
Decrypt IKEv1 in main mode

With IKEv1, the identification and quick mode messages are encrypted. Sometimes it is necessary to decrypt them to verify which parameters were exchanged between the two peers. Here is an example of an encrypted identification message.
To decrypt IKEv1 messages, we need two pieces of information.

1. The Initiator's cookie, which corresponds to the Initiator SPI in the packet capture: 294ff0e604e73f31

2. The encryption key, which can be found in ikemgr.log. Search for "cookie:294ff0e604e73f31" and then scroll through the negotiation messages until you find the final computed encryption key:

2017-04-08 21:57:04 [DEBUG]: oakley.c:3157:oakley_compute_enckey(): final encryption key computed:
2017-04-08 21:57:04 [DEBUG]: oakley.c:3158:oakley_compute_enckey(): 793f8697 cc0e8cdb 5851496c 0acff14c
Next, go to Wireshark > Edit > Preferences > Protocols > ISAKMP > IKEv1 Decryption Table and enter the Initiator’s COOKIE and Encryption key:
And here is the decrypted identification message:
Decrypt ESP packets

Decrypting ESP packets follows the same principle as IKE, but requires more parameters.
Protocol: IPv4
Src IP: the source IP of the ESP packets you want to decrypt. In the example above, 10.193.121.91
Dst IP: the destination IP of the ESP packets you want to decrypt. In the example above, 10.193.121.93
ESP SPI: found in the packet capture under Encapsulating Security Payload. In our example, it is 0xb82d7cde
Encryption and Authentication Algorithm: part of the output of the 'show vpn flow' command.

admin@FW1> show vpn flow name To-FW2 | match algorithm
        auth algorithm:        SHA256
        enc  algorithm:        AES128

Encryption and Authentication Key: found in ikemgr.log:

21.93[500]/0, satype=141 (ESP), spi=, wsize=4, authtype=41 (SHA256), enctype=15 (AES128), saflags=0x0, samode=137 (tunl), reqid=0, lifetime hard time 180, bytes 0, lifetime soft time 146, bytes 0, enckey len=16 [3d6991e6a0f888d240c8d539a54676a7], authkey len=32 [bbac69f722297906c11d7d9038248ba3b509519a0e1e37bb0652752130c8324c]

Next, go to Wireshark > Edit > Preferences > Protocols > ESP Decryption and select "Attempt to detect/decode encrypted ESP payloads":
Then edit the ESP SAs.
After that you will see the ESP packets decrypted.
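Both lookups described above (the IKEv1 encryption key that follows the initiator cookie in ikemgr.log, and the ESP SA line carrying enckey/authkey) are tedious to do by hand when the log is long or several tunnels renegotiate at once. The script below is an added example, not code from the article or from Palo Alto Networks: it searches a constructed ikemgr.log excerpt for the cookie, picks up the value printed after the next "final encryption key computed:" marker, parses the ESP SA line (checking that each key's hex length matches its declared len= byte count), and prints rows in the quoted-CSV layout Wireshark uses for its ikev1_decryption_table and esp_sa profile files. The "constructed filler" log lines, the two file layouts and the algorithm-label mapping (AES128 to "AES-CBC [RFC3602]", SHA256 to "HMAC-SHA-256-128 [RFC4868]") are assumptions; compare one generated row against an entry saved from the Wireshark GUI before importing in bulk. The SPI is passed in from the capture (or from SPI(out) in show vpn ike-sa, which in the article is the same 0xb82d7cde), because the log line shows spi= empty.

```python
"""Pull IKEv1 and ESP key material out of an ikemgr.log excerpt and format it as
Wireshark decryption-table rows. Added example, not part of the article."""
import re
from typing import Dict, List, Optional

# Constructed ikemgr.log excerpt. Only the "cookie:", "final encryption key computed"
# and "satype=141 (ESP)" lines follow the shapes quoted in the article; the lines
# marked "constructed filler" stand in for the many other lines a real log contains.
SAMPLE_LOG = """\
2017-04-08 21:57:04 [DEBUG]: constructed filler: begin phase-1 cookie:294ff0e604e73f31
2017-04-08 21:57:04 [DEBUG]: constructed filler: hash computed
2017-04-08 21:57:04 [DEBUG]: oakley.c:3157:oakley_compute_enckey(): final encryption key computed:
2017-04-08 21:57:04 [DEBUG]: oakley.c:3158:oakley_compute_enckey(): 793f8697 cc0e8cdb 5851496c 0acff14c
2017-04-08 21:57:05 [DEBUG]: constructed filler: ESP SA to 10.193.121.93[500]/0, satype=141 (ESP), spi=, wsize=4, authtype=41 (SHA256), enctype=15 (AES128), saflags=0x0, samode=137 (tunl), reqid=0, lifetime hard time 180, bytes 0, lifetime soft time 146, bytes 0, enckey len=16 [3d6991e6a0f888d240c8d539a54676a7], authkey len=32 [bbac69f722297906c11d7d9038248ba3b509519a0e1e37bb0652752130c8324c]
"""

KEY_MARKER = "final encryption key computed:"

# Wireshark's ESP SA algorithm labels (assumption: labels as shipped in Wireshark 2.x;
# check them against the drop-downs of the version you use).
WS_ENC = {"AES128": "AES-CBC [RFC3602]", "AES192": "AES-CBC [RFC3602]",
          "AES256": "AES-CBC [RFC3602]", "3DES": "TripleDES-CBC [RFC2451]"}
WS_AUTH = {"SHA256": "HMAC-SHA-256-128 [RFC4868]", "SHA1": "HMAC-SHA-1-96 [RFC2404]",
           "MD5": "HMAC-MD5-96 [RFC2403]"}

ESP_SA = re.compile(
    r"satype=\d+ \(ESP\).*?authtype=\d+ \((?P<auth>\w+)\).*?enctype=\d+ \((?P<enc>\w+)\).*?"
    r"enckey len=(?P<enclen>\d+) \[(?P<enckey>[0-9a-fA-F]+)\].*?"
    r"authkey len=(?P<authlen>\d+) \[(?P<authkey>[0-9a-fA-F]+)\]"
)


def ikev1_encryption_key(log_text: str, initiator_cookie: str) -> Optional[str]:
    """Mirror the manual search in the article: find the first line mentioning
    cookie:<initiator_cookie>, then take the key printed on the line after the
    next "final encryption key computed:" marker. Returns hex without spaces."""
    lines = log_text.splitlines()
    needle = f"cookie:{initiator_cookie.lower()}"
    start = next((i for i, line in enumerate(lines) if needle in line.lower()), None)
    if start is None:
        return None
    for i in range(start, len(lines) - 1):
        if KEY_MARKER in lines[i]:
            # The key sits on the following line after the "...(): " prefix, as hex groups.
            payload = lines[i + 1].rsplit("(): ", 1)[-1]
            key = payload.replace(" ", "").lower()
            if re.fullmatch(r"[0-9a-f]+", key):
                return key
    return None


def esp_sa_parameters(log_text: str) -> List[Dict[str, str]]:
    """Parse every ESP SA line and return algorithm names plus keys (lower-case hex).
    Rejects a line whose key hex length disagrees with its declared len= byte count."""
    result = []
    for m in ESP_SA.finditer(log_text):
        d = m.groupdict()
        for k in ("enc", "auth"):
            if len(d[k + "key"]) != 2 * int(d[k + "len"]):
                raise ValueError(f"{k}key hex length does not match len={d[k + 'len']}")
        result.append({"enc": d["enc"], "auth": d["auth"],
                       "enckey": d["enckey"].lower(), "authkey": d["authkey"].lower()})
    return result


def normalise_spi(spi: str) -> str:
    """Accept the SPI as shown in a capture (0xb82d7cde) or in show vpn ike-sa (B82D7CDE)."""
    s = spi.lower()
    s = s[2:] if s.startswith("0x") else s
    if not re.fullmatch(r"[0-9a-f]{8}", s):
        raise ValueError(f"SPI must be 32-bit hex: {spi}")
    return "0x" + s


def ikev1_row(initiator_cookie: str, key: str) -> str:
    """One ikev1_decryption_table row (assumed layout: "icookie","key")."""
    return f'"{initiator_cookie.lower()}","{key}"'


def esp_sa_row(sa: Dict[str, str], src_ip: str, dst_ip: str, spi: str) -> str:
    """One esp_sa row (assumed layout: protocol, src, dst, spi, enc algo, enc key, auth algo, auth key)."""
    fields = ["IPv4", src_ip, dst_ip, normalise_spi(spi),
              WS_ENC[sa["enc"]], "0x" + sa["enckey"],
              WS_AUTH[sa["auth"]], "0x" + sa["authkey"]]
    return ",".join(f'"{f}"' for f in fields)


if __name__ == "__main__":
    key = ikev1_encryption_key(SAMPLE_LOG, "294ff0e604e73f31")
    print("ikev1_decryption_table:", ikev1_row("294ff0e604e73f31", key))
    for sa in esp_sa_parameters(SAMPLE_LOG):
        # SPI(out) of the phase-2 SA in show vpn ike-sa is the 0xb82d7cde seen in the capture.
        print("esp_sa:", esp_sa_row(sa, "10.193.121.91", "10.193.121.93", "B82D7CDE"))
```

Once ikemgr runs at dump level, the log holds the live session keys of every tunnel on the box, so the log excerpt and the generated rows deserve the same handling as the capture itself, and the debugging level should go back to normal as soon as the capture is done.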
Comments

by mbavishi on 08-21-2017 04:30 AM - edited 08-21-2017 04:32 AM

Super document! I was looking for a way to decrypt ESP packets for quite a time and here it is! Thanks for sharing. Also, to check the decrypted IKE packets, ikemgr pcap is useful. It shows packets in clear text for both phase 1 and phase 2. If we are just troubleshooting VPN and not traffic, ikemgr pcap is good enough.