<div dir="ltr">Hi Thomas,<div><br></div><div>Thanks for the update.</div><div>Yes I have enabled log level as 4 for ike in strongswan.conf with enc as 3.</div><div><span style="color:rgb(51,51,51);font-family:monospace;font-size:13px;white-space:pre-wrap">ike = 4 </span><br style="color:rgb(51,51,51);font-family:monospace;font-size:13px;white-space:pre-wrap"><span style="color:rgb(51,51,51);font-family:monospace;font-size:13px;white-space:pre-wrap">enc = 3</span> <br></div><div><br></div><div>I am seeing a lot of logs in the log file but I am not sure which one is the encryption key. As per the link <a href="https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets" target="_blank">https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets</a> it should be of 16 bytes.</div><div>But none of them is of 16 bytes.</div><div><br></div><div>SKEYID => 20 bytes @ 0x7a33d40047d0<br> 0: AE C9 8E BB 0D 18 4B 39 84 E2 6C 4D E6 B9 E8 C1 ......K9..lM....<br> 16: F7 AD 59 FC ..Y.<br>SKEYID_d => 20 bytes @ 0x7a33d40047b0<br> 0: 8B F3 BF C2 4A 62 B0 F9 08 E8 C1 20 84 FA 12 4B ....Jb..... ...K<br> 16: 2E 64 57 CE .dW.<br>SKEYID_a => 20 bytes @ 0x7a33d4005760<br> 0: 2B 89 D8 AD 2F C3 08 F1 8D FA 4E 17 B6 30 DE C1 +.../.....N..0..<br> 16: AD 5A B6 AB .Z..<br>SKEYID_e => 20 bytes @ 0x7a33d4003c30<br> 0: 33 B4 1A 7A 3C 36 C5 9A 6B 6F 77 0A 5D 46 13 8A 3..z<6..kow.]F..<br> 16: C4 77 89 1B .w..<br>encryption key Ka => 32 bytes @ 0x7a33c000c320<br> 0: 21 82 8C 59 BC 06 3C 92 58 E6 7E AB D6 0A 85 9F !..Y..<.X.~.....<br> 16: 3E 74 20 54 5F E6 92 46 75 A6 76 E8 E1 96 96 B3 >t T_..Fu.v.....<br></div><div><br></div><div>Only this I see as 16 bytes:</div><div><br></div><div>initial IV => 16 bytes @ 0x7a33d4003c30<br> 0: 7A 5A F1 F8 DA EA 50 C1 D3 83 0E DC A1 C5 A0 8F zZ....P.........<br></div><div><br></div><div>So either encryption key is 32 bytes in the versions which uses charon daemon instead of pluto ? Please do let me know if my assumption is correct or I am looking in the wrong place.</div><div><br></div><div>Since I am using an older version of Strongswan hence I am not sure about the save-keys plugin.</div><div><br></div><div><br></div><div><br></div><div>Thanks</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jul 16, 2020 at 4:42 PM Thomas Egerer <<a href="mailto:hakke_007@gmx.de">hakke_007@gmx.de</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Yogesh,<br>
<br>
the loglevel 3 will never reveal any keys to you. You'd need<br>
to enable loglevel 4. An easier way is to use the save-keys<br>
plugin. It even creates the appropriate output files to use<br>
in wireshark. See [1] how to enable and configure it.<br>
<br>
Thomas<br>
<br>
[1] <a href="https://wiki.strongswan.org/issues/3258" rel="noreferrer" target="_blank">https://wiki.strongswan.org/issues/3258</a><br>
<br>
On 7/16/20 7:02 AM, Yogesh Purohit wrote:<br>
> Hi,<br>
><br>
> I was intending to decrypt isakmp packets for ike version 1 using wireshark.<br>
> In wireshark it needs the Initiator cookie and encryption key to decrypt the packets.<br>
><br>
> I have enabled debug logs by adding: enc = 3 in strongswan.conf file.<br>
> I followed this link <a href="https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets" rel="noreferrer" target="_blank">https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets</a> <br>
> But this was used when strongswan used Pluto daemon but now Charon is being used. <br>
><br>
> So how to identify the initiator cookie and encryption key from logs for ike version 1.<br>
><br>
> Thanks <br>
><br>
> --<br>
> Best Regards,<br>
><br>
> Yogesh Purohit<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr">Best Regards,<div><br></div><div>Yogesh Purohit</div></div></div>