Understanding the Identity Protection phase of the ISAKMP Exchange

asked 2020-03-25 21:17:11 +0000

Stuart Kendrick gravatar image

I want to better understand the Identity Protection portion of Phase 1 of the (6) frame ISAKMP Exchange

Per the model offered at Network Lessons (https://networklessons.com/cisco/ccie...), the first step in Phase 1 is the Negotiation step, in which the two sides agree on things like a Hashing Algorithm and Key Lifetime. The second step involves determining the strength of the key to be used: picking a Diffie-Hellman group. And the third step involves Authentication: demonstrating to each other that we are who we claim to be.

I believe that the particular conversation I'm debugging succeeds at Step 1 and Step 2 but fails in Step 3. So i want to examine this step in more detail. Regrettably, the protocol exchange in this step is encrypted. I have a model for what this protocol exchange looks like (https://devcentral.f5.com/s/articles/...), but I want to see the specifics of this conversation's exchange. So I am turning to Wireshark's ability to decrypt ISAKMP IKEv1 frames, given the Initiator's Cookie and Encryption Key, as described in https://osqa-ask.wireshark.org/questi...

In Wireshark, I have follows the path: Preferences... Protocols... ISAKMP... IKEv1 Decryption Table... Edit... +... and entered the Initiator's SPI in the "Initiator's COOKIE" field. In the Encryption Field, I tried entering a hex version of the Pre-Shared Key, but that didn't work: the "Encrypted Data" portion of the 5th Frame (the beginning of the Authentication exchange) remains encrypted.

I have a suspicion that Wireshark doesn't want the actual Pre-Shared Key here; rather, I have a suspicion that it wants a derivative of the PSK, produced by the Initiator and stored on the Initiator.

Question #1: I have a Windows 10 Client: would anyone know how to extract the Encryption Key (derived from the PSK) from the Windows 10 Client?

Question #2: Would anyone have suggestions for further reading (education) about how the first (6) frames of the ISAKMP exchange works, in addition to the ones I reference above?

Question #3: Would anyone have suggestions around what might be failing in this particular conversation? I post the pcap to CloudShark -- see Comments & Annotations for my analysis thus far: https://www.cloudshark.org/captures/f...


edit retag flag offensive close merge delete