This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

L2TP encryption analysis packets


Hi everybody. There are a lot of questions regarding L2TP/IPsec troubleshooting and few answers, but I have to try and ask for your help.

I'm using Wireshark 2.0.1 (v2.0.1-0-g59ea380) that has Gcrypt (1.6.2).

I am in control of a VPN router server, with its WAN static public IP (my little business store). On another ADSL connection I have my laptop with Windows 10. I create in the VPN server an L2TP server for Client-to-LAN:

  • its own local IP address pool (172.30.10.10-20/24).
  • Account name: yyyy
  • Password: yxyxyx
  • Encryption: OM (IPsec - no configuration needed, just enable it)
  • Pre-shared key: aaaaaaa And it's done.

In my Windows 10 I create a VPN connection and configure:

  • Account name: yyyy
  • IP server: WAN static IP of the L2TP server.
  • Choose VPN connection: L2TP/IPsec with pre-shared key
  • Pre-shared key: aaaaa
  • Initial session information: user and password --> yyyy yxyxyxyx
  • Also in Control Panel - Networks and Internet - right click on the network connection just made.
  • Configure the security option correctly (pre-shared key) and enable the use of the following protocols: CHAP and MS-CHAP v2.

After this I launch the connection and the tunnel is created. I can correctly reach the devices connected to the VPN server router. I use Wireshark to capture all the packets directly from my W10 laptop, and I can clearly see the ISAKMP and ESP packets.

But I need to check the L2TP connection and for that I have to decrypt the ESP packets. In Wireshark I configure the ESP protocol (Edit - Protocols - and choose ESP). At this point I am lost and although I've read many forums and Wikishark, I am not able to decrypt these packets. I am not an expert in Wireshark but have been working with it in order to learn. The following is a screenshot of the ESP configuration:

Although I'm not sure about the encryption and authentication used by Windows 10. The VPN router also does not specifically inform of what kind of encryption and authentication is used by default. If I'm not wrong, the encryption usually used is DES or 3DES, and the authentication used in IKE is usually MD5. I tried some combinations, but there is no change in Wireshark once this configuration is applied. I've introduced in the ESP configuration 2 entries: one for the incoming packets and another for the outgoing packets.

At this point can anyone please help me? I'm sure a lot of people know about this, so a little help, at least pointing me to a possible error, or some step I'm not doing or taking into consideration in order to troubleshoot L2TP/IPsec issues.

Many thanks.

asked 20 Jun '16, 10:05


Portuguevos

Hi again. I've been following other posts like https://wiki.wireshark.org/ESP_Preferences or http://www.spiceupyourknowledge.net/2012/11/decrypting-esp-packet-using-wireshark.html.

I've downloaded a pcap file with ESP packets, and applied the configuration in the ESP configuration, and in that example it worked. But not in my case, and I have ALL the information. I tried with the SPI in HEX and in decimal. The keys I have are only numbers, and even so I cannot decrypt any of the ESP packets.

Also, in order to know ALL the information, I've made a VPN tunnel with Shrew VPN Client against my VPN router. The IKE proposal is using SHA1 authentication, DES encryption, DH Group DH2, on both ends. The IPsec proposal has SECURITY PROTOCOL: ESP, ESP Authentication: SHA1 and ESP Encryption: DES.

The tunnel is correctly enabled and I can access the devices.

But again, in Wireshark -> Preferences -> Protocols -> ESP, I fill in all the information and the ESP packets are still not decrypted.

Any idea? Many thanks.

(23 Jun '16, 07:59) Portuguevos
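What Wireshark's ESP preferences actually need per direction is the SPI from the ESP header, the ESP cipher key and the ESP authentication key of that SA, not the IKE pre-shared key. The following added example (written for this archive page, not code from the asker or from the Wireshark project) builds an ESP packet with the DES-CBC and HMAC-SHA-1-96 combination named in the comment above, then verifies and decrypts it the way a dissector would: ICV check first, then decryption and trailer removal. The SPI, keys, IV and L2TP payload are constructed sample values. The practical point is the failure mode: if the ICV check fails, the authentication key or algorithm is wrong, while a wrong cipher key passes the ICV check and simply yields garbage with a nonsensical pad length, which is exactly what "still not decrypted" looks like in Wireshark.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// IP protocol number carried in the ESP trailer's Next Header field when the
// inner packet is UDP (L2TP/IPsec carries L2TP inside UDP port 1701).
const nextHeaderUDP = 17

// HMAC-SHA-1-96 (RFC 2404) truncates the 20-byte SHA-1 tag to 12 bytes.
const icvLen = 12

// SA holds the per-direction values the Wireshark ESP preferences ask for.
type SA struct {
	SPI     uint32
	EncKey  []byte // DES-CBC (RFC 2405): exactly 8 bytes
	AuthKey []byte // HMAC-SHA-1-96: any length, conventionally 20 bytes
}

// BuildESP encrypts payload with DES-CBC, appends the RFC 4303 trailer
// (padding, pad length, next header) and an HMAC-SHA-1-96 ICV over SPI,
// sequence number, IV and ciphertext. The IV is passed in so results are
// reproducible; a real sender would pick it at random.
func BuildESP(sa SA, seq uint32, payload []byte, nextHeader byte, iv []byte) ([]byte, error) {
	block, err := des.NewCipher(sa.EncKey)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(iv) != bs {
		return nil, errors.New("iv must be 8 bytes")
	}
	// Pad so that payload + pad length + next header fills whole 8-byte blocks;
	// default padding bytes are 1, 2, 3, ... as in RFC 4303.
	padLen := (bs - (len(payload)+2)%bs) % bs
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i))
	}
	plain = append(plain, byte(padLen), nextHeader)

	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)

	pkt := make([]byte, 8, 8+bs+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], sa.SPI)
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(pkt, iv...)
	pkt = append(pkt, ct...)

	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(pkt)
	return append(pkt, mac.Sum(nil)[:icvLen]...), nil
}

// VerifyAndDecrypt mirrors what a dissector does with a matching SA entry:
// match the SPI, check the ICV, then decrypt and strip the trailer.
// It returns the inner payload and the Next Header value.
func VerifyAndDecrypt(sa SA, pkt []byte) ([]byte, byte, error) {
	if len(pkt) < 8+8+8+icvLen {
		return nil, 0, errors.New("packet too short for ESP header, IV, one block and ICV")
	}
	if spi := binary.BigEndian.Uint32(pkt[0:4]); spi != sa.SPI {
		return nil, 0, fmt.Errorf("SPI 0x%08x does not match SA 0x%08x", spi, sa.SPI)
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) {
		return nil, 0, errors.New("ICV mismatch: wrong authentication key or algorithm")
	}
	block, err := des.NewCipher(sa.EncKey)
	if err != nil {
		return nil, 0, err
	}
	iv, ct := body[8:16], body[16:]
	if len(ct)%block.BlockSize() != 0 {
		return nil, 0, errors.New("ciphertext length is not a multiple of the block size")
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen, nh := int(plain[len(plain)-2]), plain[len(plain)-1]
	if padLen+2 > len(plain) {
		// A wrong cipher key passes the ICV check but decrypts to junk; this is
		// usually where that shows up.
		return nil, 0, fmt.Errorf("implausible pad length %d: cipher key probably wrong", padLen)
	}
	return plain[:len(plain)-2-padLen], nh, nil
}

func main() {
	// Constructed sample SA; keys are given as hex, the form Wireshark's ESP
	// preferences accept with a 0x prefix.
	encKey, _ := hex.DecodeString("0123456789abcdef")
	authKey, _ := hex.DecodeString("00112233445566778899aabbccddeeff00112233")
	sa := SA{SPI: 0xc0ffee01, EncKey: encKey, AuthKey: authKey}
	iv, _ := hex.DecodeString("0807060504030201")

	pkt, err := BuildESP(sa, 1, []byte("L2TP over UDP 1701 sample"), nextHeaderUDP, iv)
	if err != nil {
		panic(err)
	}
	payload, nh, err := VerifyAndDecrypt(sa, pkt)
	fmt.Printf("next header=%d payload=%q err=%v\n", nh, payload, err)

	wrongAuth := sa
	wrongAuth.AuthKey = []byte("not the auth key")
	_, _, err = VerifyAndDecrypt(wrongAuth, pkt)
	fmt.Println("with wrong auth key:", err)
}
```

Two things to take from this when filling in the Wireshark ESP table: the SPI is whatever the first four bytes of each direction's ESP packets say (one SA entry per direction, each with its own SPI and keys), and an ICV failure versus garbage output tells you which of the two keys is wrong. Where the keys come from is the separate problem Jaap raises below: they are derived inside IKE, so the pre-shared key alone does not give Wireshark anything to decrypt with.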

I doubt IKE using Diffie-Hellman is going to work; Wireshark won't have access to the encryption keys from the pre-shared key only. See for instance https://ask.wireshark.org/questions/21011, which talks about this in the context of TLS.

(24 Jun '16, 01:25) Jaap ♦

Hi Jaap. Thanks for the information. I'll check this situation. Although for the first case (main text), using only an L2TP VPN connection with the Microsoft integrated VPN client, DH (Diffie-Hellman) is not being used. And even in that situation I cannot decrypt the messages. This second comment was a second test, but I did not realize the DH situation. Many thanks.

(24 Jun '16, 01:35) Portuguevos

How are you getting the symmetric key for the DES encryption? I think you need to have the Phase 2 symmetric key. DH is, as I remember, used during Phase 1 (possibly in the IKE key exchange)?? Will that even matter if you have the Phase 2 keys?

(26 Dec '16, 01:30) koundi