[strongSwan] How to find encryption key for ikev1

Thomas Egerer hakke_007 at gmx.de
Thu Jul 16 14:03:42 CEST 2020


Hi Yogesh,

you should familiarize yourself with the fundamental concepts
behind IKE before asking questions. Don't blindly follow an
outdated online tutorial. Use the save-keys plugin; that's
easiest and the documentation is up to date.
Btw, your key size depends on the negotiated crypto algorithm;
using the IV instead will decrypt nothing for you.

Thomas

On 7/16/20 1:44 PM, Yogesh Purohit wrote:
> Hi Thomas,
>
> Thanks for the update.
> Yes I have enabled log level as 4 for ike in strongswan.conf with enc as 3.
> ike = 4
> enc = 3  
>
> I am seeing a lot of logs in the log file but I am not sure which one is the encryption key. As per the link https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets  it should be of 16 bytes.
> But none of them is of 16 bytes.
>
> SKEYID => 20 bytes @ 0x7a33d40047d0
>    0: AE C9 8E BB 0D 18 4B 39 84 E2 6C 4D E6 B9 E8 C1  ......K9..lM....
>   16: F7 AD 59 FC                                      ..Y.
> SKEYID_d => 20 bytes @ 0x7a33d40047b0
>    0: 8B F3 BF C2 4A 62 B0 F9 08 E8 C1 20 84 FA 12 4B  ....Jb..... ...K
>   16: 2E 64 57 CE                                      .dW.
> SKEYID_a => 20 bytes @ 0x7a33d4005760
>    0: 2B 89 D8 AD 2F C3 08 F1 8D FA 4E 17 B6 30 DE C1  +.../.....N..0..
>   16: AD 5A B6 AB                                      .Z..
> SKEYID_e => 20 bytes @ 0x7a33d4003c30
>    0: 33 B4 1A 7A 3C 36 C5 9A 6B 6F 77 0A 5D 46 13 8A  3..z<6..kow.]F..
>   16: C4 77 89 1B                                      .w..
> encryption key Ka => 32 bytes @ 0x7a33c000c320
>    0: 21 82 8C 59 BC 06 3C 92 58 E6 7E AB D6 0A 85 9F  !..Y..<.X.~.....
>   16: 3E 74 20 54 5F E6 92 46 75 A6 76 E8 E1 96 96 B3  >t T_..Fu.v.....
>
> Only this I see as 16 bytes:
>
> initial IV => 16 bytes @ 0x7a33d4003c30
>    0: 7A 5A F1 F8 DA EA 50 C1 D3 83 0E DC A1 C5 A0 8F  zZ....P.........
>
> So either the encryption key is 32 bytes in the versions which use the charon daemon instead of pluto? Please do let me know if my assumption is correct or I am looking in the wrong place.
>
> Since I am using an older version of strongSwan, I am not sure about the save-keys plugin.
>
>
>
> Thanks
>
>
> On Thu, Jul 16, 2020 at 4:42 PM Thomas Egerer <hakke_007 at gmx.de> wrote:
>
>     Hi Yogesh,
>
>     the loglevel 3 will never reveal any keys to you. You'd need
>     to enable loglevel 4. An easier way is to use the save-keys
>     plugin. It even creates the appropriate output files to use
>     in wireshark. See [1] how to enable and configure it.
>
>     Thomas
>
>     [1] https://wiki.strongswan.org/issues/3258
>
>     On 7/16/20 7:02 AM, Yogesh Purohit wrote:
>     > Hi,
>     >
>     > I was intending to decrypt isakmp packets for ike version 1 using wireshark.
>     > In wireshark it needs the Initiator cookie and encryption key to decrypt the packets.
>     >
>     > I have enabled debug logs by adding: enc = 3 in strongswan.conf file.
>     > I followed this link https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets 
>     > But this was used when strongswan used Pluto daemon but now Charon is being used. 
>     >
>     > So how do I identify the initiator cookie and encryption key from the logs for IKE version 1?
>     >
>     > Thanks  
>     >
>     > --
>     > Best Regards,
>     >
>     > Yogesh Purohit
>
>
>
> --
> Best Regards,
>
> Yogesh Purohit
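
An added example (not part of the original thread and not strongSwan code): a small parser for the labelled hex dumps that charon writes at log level 4, in the layout quoted above. It checks each dump against its declared size and returns the `encryption key Ka` value as a contiguous hex string. The sample log is constructed, and the function names are this example's own.

```python
import re

# Constructed sample in the layout of the level-4 dumps quoted in the thread
# (all values are made up for this example).
SAMPLE_LOG = """\
SKEYID_e => 20 bytes @ 0x7f0000001000
   0: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  ................
  16: 10 11 12 13                                      ....
encryption key Ka => 32 bytes @ 0x7f0000002000
   0: A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF  ................
  16: B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 BA BB BC BD BE BF  ................
initial IV => 16 bytes @ 0x7f0000003000
   0: C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF  ................
"""

# "<label> => <n> bytes @ 0x<addr>"; search() tolerates a prefix such as "> " quoting.
HEADER = re.compile(r"(?P<label>[\w ]+?) => (?P<size>\d+) bytes @ 0x[0-9a-fA-F]+\s*$")
# Offset, then up to 16 single-space-separated byte pairs; the ASCII column is ignored.
DUMP = re.compile(r"(?P<off>\d+): (?P<hex>[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2}){0,15})(?:\s|$)")

def parse_dumps(text):
    """Return {label: bytes} for every labelled dump, enforcing declared sizes."""
    dumps, label, size, buf = {}, None, 0, bytearray()

    def flush():
        if label is not None:
            if len(buf) != size:
                raise ValueError(f"{label}: expected {size} bytes, got {len(buf)}")
            dumps[label] = bytes(buf)

    for line in text.splitlines():
        header, dump = HEADER.search(line), DUMP.search(line)
        if header:
            flush()
            label, size, buf = header["label"].strip(), int(header["size"]), bytearray()
        elif dump and label is not None and int(dump["off"]) == len(buf):
            buf += bytes.fromhex(dump["hex"])
    flush()
    return dumps

def ike_encryption_key_hex(text, label="encryption key Ka"):
    """Hex string of the encryption key dump; its length follows the negotiated cipher."""
    return parse_dumps(text)[label].hex()

if __name__ == "__main__":
    for name, value in parse_dumps(SAMPLE_LOG).items():
        print(f"{name}: {len(value)} bytes")
```

The reported lengths make the point from the reply visible: the 16-byte dump is the IV, while the key dump is as long as the negotiated cipher requires.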


