[strongSwan] How to find encryption key for ikev1

Yogesh Purohit yogeshpurohit2 at gmail.com
Thu Jul 16 13:44:20 CEST 2020 

Hi Thomas,

Thanks for the update.
Yes I have enabled log level as 4 for ike in strongswan.conf with enc as 3.
ike = 4
enc = 3

I am seeing a lot of logs in the log file but I am not sure which one is
the encryption key. As per the link
https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets
it should be of 16 bytes.
But none of them is of 16 bytes.

SKEYID => 20 bytes @ 0x7a33d40047d0
   0: AE C9 8E BB 0D 18 4B 39 84 E2 6C 4D E6 B9 E8 C1  ......K9..lM....
  16: F7 AD 59 FC                                      ..Y.
SKEYID_d => 20 bytes @ 0x7a33d40047b0
   0: 8B F3 BF C2 4A 62 B0 F9 08 E8 C1 20 84 FA 12 4B  ....Jb..... ...K
  16: 2E 64 57 CE                                      .dW.
SKEYID_a => 20 bytes @ 0x7a33d4005760
   0: 2B 89 D8 AD 2F C3 08 F1 8D FA 4E 17 B6 30 DE C1  +.../.....N..0..
  16: AD 5A B6 AB                                      .Z..
SKEYID_e => 20 bytes @ 0x7a33d4003c30
   0: 33 B4 1A 7A 3C 36 C5 9A 6B 6F 77 0A 5D 46 13 8A  3..z<6..kow.]F..
  16: C4 77 89 1B                                      .w..
encryption key Ka => 32 bytes @ 0x7a33c000c320
   0: 21 82 8C 59 BC 06 3C 92 58 E6 7E AB D6 0A 85 9F  !..Y..<.X.~.....
  16: 3E 74 20 54 5F E6 92 46 75 A6 76 E8 E1 96 96 B3  >t T_..Fu.v.....

Only this I see as 16 bytes:

initial IV => 16 bytes @ 0x7a33d4003c30
   0: 7A 5A F1 F8 DA EA 50 C1 D3 83 0E DC A1 C5 A0 8F  zZ....P.........

So either encryption key is 32 bytes in the versions which uses charon
daemon instead of pluto ? Please do let me know if my assumption is correct
or I am looking in the wrong place.

Since I am using an older version of Strongswan hence I am not sure about
the save-keys plugin.



Thanks


On Thu, Jul 16, 2020 at 4:42 PM Thomas Egerer <hakke_007 at gmx.de> wrote:

> Hi Yogesh,
>
> the loglevel 3 will never reveal any keys to you. You'd need
> to enable loglevel 4. An easier way is to use the save-keys
> plugin. It even creates the appropriate output files to use
> in wireshark. See [1] how to enable and configure it.
>
> Thomas
>
> [1] https://wiki.strongswan.org/issues/3258
>
> On 7/16/20 7:02 AM, Yogesh Purohit wrote:
> > Hi,
> >
> > I was intending to decrypt isakmp packets for ike version 1 using
> wireshark.
> > In wireshark it needs the Initiator cookie and encryption key to decrypt
> the packets.
> >
> > I have enabled debug logs by adding: enc = 3 in strongswan.conf file.
> > I followed this link
> https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets
>
> > But this was used when strongswan used Pluto daemon but now Charon is
> being used.
> >
> > So how to identify the initiator cookie and encryption key from logs for
> ike version 1.
> >
> > Thanks
> >
> > --
> > Best Regards,
> >
> > Yogesh Purohit
>
>

-- 
Best Regards,

Yogesh Purohit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200716/e9fa6ea9/attachment.html>

More information about the Users mailing list