[strongSwan] how to find initiator cookie in packet dump
Mirko Parthey
mirko.parthey at web.de
Fri Nov 16 21:27:26 CET 2018
On Thu, Nov 08, 2018 at 10:47:18AM +0530, Yogesh Purohit wrote:
> I was trying to decrypt IKEv1 packets using wireshark 2.6.
> For decryption of Ikev1 one needs Initiator cookie and encryption key. I have
> enabled log level for ike = 4 in strongswan.conf.
>
> I can see complete dump in log files, where I could find encryption key.
>
> But I was unable to find initiator cookie without which I am unable to decrypt
> the packet.
>
> I am using strongswan version 5.5.2.
tcpdump -vv shows the cookies.
In both wireshark and charon, the cookies are called "SPI".
With an IKE capture file loaded into wireshark, they are shown as ISAKMP
Initiator/Responder SPI in the packet dissection pane.
To make charon log them, set the loglevel "enc = 3".
The cookies are labeled as "IKE_SPI" in the logfile.
The first IKE_SPI is the initiator cookie, and the second is the responder
cookie; this is independent of who sent the message.
For example, the following was logged by an IKEv1 initiator
(without the comments):
# message sent by the initiator (3rd message of Main Mode):
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[ENC] not encrypting payloads
[ENC] generating payload of type HEADER
[ENC] generating rule 0 IKE_SPI
[ENC] => 8 bytes @ 0x7f5a20003f68
[ENC] 0: E7 91 90 11 9E 1D 31 8B # Initiator Cookie
[ENC] generating rule 1 IKE_SPI
[ENC] => 8 bytes @ 0x7f5a20003f70
[ENC] 0: B6 4B 3B B0 22 CB 9E 86 # Responder Cookie
# message received from the responder (4th message of Main Mode)
[ENC] parsing rule 0 IKE_SPI
[ENC] => 8 bytes @ 0x7f5a300019d8
[ENC] 0: E7 91 90 11 9E 1D 31 8B # Initiator Cookie
[ENC] parsing rule 1 IKE_SPI
[ENC] => 8 bytes @ 0x7f5a300019e0
[ENC] 0: B6 4B 3B B0 22 CB 9E 86 # Responder Cookie
Regards
Mirko
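As an added example (not part of the thread above), a short Python parser that pulls the two IKE_SPI values out of charon "enc = 3" log lines, following the rule-0/rule-1 ordering Mirko describes. The sample log is constructed from the lines quoted in the reply, minus the explanatory "# ... Cookie" annotations, which are not part of the real log output.

```python
import re

# Constructed sample: the charon "enc = 3" lines quoted in the reply for one
# Main Mode exchange (sent message 3, then received message 4).
SAMPLE_LOG = """\
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[ENC] generating rule 0 IKE_SPI
[ENC] => 8 bytes @ 0x7f5a20003f68
[ENC]    0: E7 91 90 11 9E 1D 31 8B
[ENC] generating rule 1 IKE_SPI
[ENC] => 8 bytes @ 0x7f5a20003f70
[ENC]    0: B6 4B 3B B0 22 CB 9E 86
[ENC] parsing rule 0 IKE_SPI
[ENC] => 8 bytes @ 0x7f5a300019d8
[ENC]    0: E7 91 90 11 9E 1D 31 8B
[ENC] parsing rule 1 IKE_SPI
[ENC] => 8 bytes @ 0x7f5a300019e0
[ENC]    0: B6 4B 3B B0 22 CB 9E 86
"""

# re.search is used, so any syslog prefix in front of "[ENC]" is ignored.
RULE_RE = re.compile(r"\[ENC\] (?:generating|parsing) rule (\d+) (\S+)")
BYTES_RE = re.compile(r"\[ENC\]\s*0:\s*((?:[0-9A-Fa-f]{2}\s?){8})")

def extract_ike_spis(log_text):
    """One (initiator_spi, responder_spi) pair per ISAKMP header, as lowercase
    hex. Rule 0 is the initiator cookie and rule 1 the responder cookie,
    whether the message was sent or received; other rules are skipped."""
    headers, current, pending = [], {}, None
    for line in log_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            pending = int(m.group(1)) if m.group(2) == "IKE_SPI" else None
            continue
        m = BYTES_RE.search(line) if pending is not None else None
        if m:
            current[pending] = m.group(1).replace(" ", "").lower()
            pending = None
            if 0 in current and 1 in current:
                headers.append((current[0], current[1]))
                current = {}
    return headers

def initiator_cookie(log_text):
    """Single initiator cookie for Wireshark's IKEv1 table; one IKE SA only."""
    cookies = {i for i, _ in extract_ike_spis(log_text)}
    if len(cookies) != 1:
        raise ValueError("expected exactly one IKE SA, found %d" % len(cookies))
    return cookies.pop()
```

The returned hex string is what Wireshark expects in the "Initiator's COOKIE" field of its ISAKMP IKEv1 decryption table, paired with the encryption key taken from the same log.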