ipsec ISAKMP ikev1 decryption for AES

asked 2017-11-09 04:12:33 +0000


Hi,

I need to decrypt the informational ISAKMP packets sent out after the tunnel is established and running. The final encryption key and the initiator SPI obtained from the racoon logs are not decrypting them.

I am able to decrypt the fresh ISAKMP packets after a tunnel restart with a new set of keys, but for an already established state it is not working. I have the final encryption key after this initiator SPI is created, and it still doesn't work for packets generated in an already established tunnel. Is the encryption of these packets any different from those in the initial setup phase?

Are these ISAKMP informational packets encrypted with any other key than the final encryption key?

Below is the packet.

Packet time is 10:55:05.

Internet Security Association and Key Management Protocol
    Initiator SPI: fa6da399e305c587
    Responder SPI: baacfff839c8277f
    Next payload: Hash (8)
    Version: 1.0
    Exchange type: Informational (5)
    Flags: 0x01
    Message ID: 0xfb388c6f
    Length: 92
    Encrypted Data (64 bytes)

Tunnel keys and timeline:

10:16:52 server45-02 racoon: DEBUG: final encryption key computed:62f2c836 8cc71da8 bd5e4d7f 890be863 57ab991e a733a808 d590cdf3 7cf7ed70
10:16:52 server45-02 racoon: INFO: ISAKMP-SA established 23.10.1.8[500]-85.16.71.13[500] spi:fa6da399e305c587:baacfff839c8277f
10:16:52 server45-02 racoon: INFO: IPsec-SA established: ESP/Tunnel 85.16.71.13[0]->23.10.1.8[0] spi=82208760(0x4e667f8)
10:16:52 server45-02 racoon: INFO: IPsec-SA established: ESP/Tunnel 23.101.1.8[500]->85.16.71.13[500] spi=134335878(0x801cd86)

10:55:02 encrypted informational ISAKMP packets

11:16:52 server45-02 racoon: INFO: ISAKMP-SA expired 23.10.1.8[500]-85.16.71.13[500] spi:fa6da399e305c587:baacfff839c8277f
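As an added example (not part of the question, and not racoon or Wireshark code), the following Python parses the 28-byte ISAKMP fixed header from RFC 2408 and the racoon "final encryption key computed" log line quoted above. It rebuilds the posted packet from the fields in the dissection (both SPIs, next payload 8, version 1.0, exchange type 5, flags 0x01, message ID 0xfb388c6f, length 92); the 64 bytes of encrypted data are not on the page, so 64 zero bytes stand in for them as a constructed placeholder. The header parser checks the things an analyst looks at before attempting decryption: the Encryption flag (bit 0), the exchange type, whether the message ID is zero (phase 1) or not (phase 2 / informational), and whether the length field matches the captured size. The key parser only reports the key size, which for the logged 32-byte key means AES-256; it does not attempt the decryption itself.

```python
import re
import struct
from dataclasses import dataclass

# ISAKMP fixed header (RFC 2408 section 3.1): 28 bytes, network byte order.
# init SPI(8) | resp SPI(8) | next payload(1) | version(1) | exchange type(1)
# | flags(1) | message ID(4) | length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

FLAG_ENCRYPTION = 0x01  # bit 0: payloads following the header are encrypted
FLAG_COMMIT = 0x02
FLAG_AUTH_ONLY = 0x04

# Exchange types from RFC 2408 (1-5) and RFC 2409 (32, 33).
EXCHANGE_TYPES = {
    1: "Base", 2: "Identity Protection", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode", 33: "New Group Mode",
}


@dataclass
class IsakmpHeader:
    init_spi: bytes
    resp_spi: bytes
    next_payload: int
    version: str
    exchange_type: int
    flags: int
    message_id: int
    length: int

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTION)

    @property
    def phase1(self) -> bool:
        # Phase 1 exchanges carry a zero message ID; phase 2 and
        # informational exchanges carry a non-zero one.
        return self.message_id == 0

    @property
    def exchange_name(self) -> str:
        return EXCHANGE_TYPES.get(self.exchange_type, f"Unknown({self.exchange_type})")


def parse_isakmp_header(pkt: bytes) -> IsakmpHeader:
    """Parse the fixed header and verify the length field against the capture."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError(f"packet too short for ISAKMP header: {len(pkt)} bytes")
    i_spi, r_spi, nxt, ver, etype, flags, mid, length = ISAKMP_HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError(f"length field {length} does not match packet size {len(pkt)}")
    version = f"{ver >> 4}.{ver & 0x0F}"
    return IsakmpHeader(i_spi, r_spi, nxt, version, etype, flags, mid, length)


def encrypted_payload_len(hdr: IsakmpHeader) -> int:
    """Bytes after the fixed header; for the posted packet 92 - 28 = 64."""
    return hdr.length - ISAKMP_HDR.size


def parse_racoon_key(line: str) -> bytes:
    """Extract the key bytes from a racoon 'final encryption key computed:' line."""
    m = re.search(r"final encryption key computed:((?:\s*[0-9a-fA-F]{8})+)", line)
    if not m:
        raise ValueError("no final encryption key in log line")
    return bytes.fromhex(re.sub(r"\s+", "", m.group(1)))


def aes_variant(key: bytes) -> str:
    """Map the key length to the AES variant it implies."""
    return {16: "AES-128", 24: "AES-192", 32: "AES-256"}[len(key)]


# Constructed sample: header fields from the posted dissection, encrypted
# data replaced by 64 zero bytes (placeholder, the real ciphertext is not on the page).
SAMPLE_PKT = (
    bytes.fromhex("fa6da399e305c587")      # Initiator SPI
    + bytes.fromhex("baacfff839c8277f")    # Responder SPI
    + bytes([8, 0x10, 5, 0x01])            # Hash(8), version 1.0, Informational(5), flags
    + struct.pack("!II", 0xFB388C6F, 92)   # Message ID, Length
    + bytes(64)                            # placeholder for the 64 encrypted bytes
)

# Racoon log line as quoted in the question.
RACOON_LINE = ("10:16:52 server45-02 racoon: DEBUG: final encryption key computed:"
               "62f2c836 8cc71da8 bd5e4d7f 890be863 57ab991e a733a808 d590cdf3 7cf7ed70")

if __name__ == "__main__":
    h = parse_isakmp_header(SAMPLE_PKT)
    print(f"{h.exchange_name} exchange, encrypted={h.encrypted}, phase1={h.phase1}, "
          f"encrypted payload {encrypted_payload_len(h)} bytes")
    k = parse_racoon_key(RACOON_LINE)
    print(f"key {k.hex()} -> {aes_variant(k)}")
```

Running it on the constructed packet reports an Informational exchange with the Encryption flag set, a non-zero message ID (so not a phase 1 message), and 64 bytes of encrypted payload, which is consistent with the dissection in the question; the racoon key resolves to AES-256.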