Troubleshooting VPN connection with Wireshark by decrypting IPSec packets

asked 2020-03-29 10:48:02 +0000

Fedoras gravatar image

I'm having troubling establishing a VPN connection to a specific network and I'm not the only one having issues. As per their instructions, I'm using the standard VPN client built in windows with pre-shared key and username/password. After excluding all the usual stuff like checking for typos, rebooting related hardware, different firewalls, simple testing tools like nmap, etcetera I've turned to analyzing the packet traffic itself using wireshark. From the below screenshot, it would appear that a connection is successfully established including authentication, and VPN traffic ensues. However, within half a second, the connection is terminated again. The connection is based on IKEv1 and to get an understanding of what the different packets stand for this page here was very helpful here: Understanding IPSec IKEv1 negotiation on Wireshark

VPN packages in Wireshark

Now since the connection naturally is encrypted, I cannot directly read the packages as to get any idea of what goes wrong. Fortunately, it does appear that WireShark supports ESP Payload Decryption as long as one has access to all necessary information. So I went ahead and created an ESP SA entry by writing the following values:

  • Protocol: IPv4
  • Src IP: My local IP as indicated by Wireshark
  • Dest IP: The VPN server IP as indicated by Wireshark
  • SPI: *
  • Encryption: AES-CBC
  • Encryption Key: the encryption key
  • Authentication: HMAC-SHA-384-192

Authentication key

However, I'm unsure what the authentication key could be, as to finalize the decryption setuo. Also, I wouldn't I also need to add an entry to the ISAKMP's IKEv1 decryption table too? I'm not sure how to get a hold of the COOKIE and Encryption Key for that in my Windows environment, however.

This is not in my field of solid expertise, so I may have missed something, and if anyone could help me in the right direction, it would be highly appreciated!

edit retag flag offensive close merge delete


can you please send me the Pcap of this ?

thinker gravatar imagethinker ( 2023-02-27 14:33:04 +0000 )edit