[strongSwan] How to find encryption key for ikev1
hakke_007 at gmx.de
Thu Jul 16 14:03:42 CEST 2020
you should familiarize yourself with the fundamental concepts
behind IKE before asking questions. Don't blindly follow an
outdated online tutorial. Use the save-keys plugin that's
easiest and the documentation is up-to-date.
btw. your keysize depends on the negotiated crypto algorithm
using the IV instead will decrypt you nothing.
On 7/16/20 1:44 PM, Yogesh Purohit wrote:
> Hi Thomas,
> Thanks for the update.
> Yes I have enabled log level as 4 for ike in strongswan.conf with enc as 3.
> ike = 4
> enc = 3
> I am seeing a lot of logs in the log file but I am not sure which one is the encryption key. As per the link https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets it should be of 16 bytes.
> But none of them is of 16 bytes.
> SKEYID => 20 bytes @ 0x7a33d40047d0
> 0: AE C9 8E BB 0D 18 4B 39 84 E2 6C 4D E6 B9 E8 C1 ......K9..lM....
> 16: F7 AD 59 FC ..Y.
> SKEYID_d => 20 bytes @ 0x7a33d40047b0
> 0: 8B F3 BF C2 4A 62 B0 F9 08 E8 C1 20 84 FA 12 4B ....Jb..... ...K
> 16: 2E 64 57 CE .dW.
> SKEYID_a => 20 bytes @ 0x7a33d4005760
> 0: 2B 89 D8 AD 2F C3 08 F1 8D FA 4E 17 B6 30 DE C1 +.../.....N..0..
> 16: AD 5A B6 AB .Z..
> SKEYID_e => 20 bytes @ 0x7a33d4003c30
> 0: 33 B4 1A 7A 3C 36 C5 9A 6B 6F 77 0A 5D 46 13 8A 3..z<6..kow.]F..
> 16: C4 77 89 1B .w..
> encryption key Ka => 32 bytes @ 0x7a33c000c320
> 0: 21 82 8C 59 BC 06 3C 92 58 E6 7E AB D6 0A 85 9F !..Y..<.X.~.....
> 16: 3E 74 20 54 5F E6 92 46 75 A6 76 E8 E1 96 96 B3 >t T_..Fu.v.....
> Only this I see as 16 bytes:
> initial IV => 16 bytes @ 0x7a33d4003c30
> 0: 7A 5A F1 F8 DA EA 50 C1 D3 83 0E DC A1 C5 A0 8F zZ....P.........
> So either encryption key is 32 bytes in the versions which uses charon daemon instead of pluto ? Please do let me know if my assumption is correct or I am looking in the wrong place.
> Since I am using an older version of Strongswan hence I am not sure about the save-keys plugin.
> On Thu, Jul 16, 2020 at 4:42 PM Thomas Egerer <hakke_007 at gmx.de <mailto:hakke_007 at gmx.de>> wrote:
> Hi Yogesh,
> the loglevel 3 will never reveal any keys to you. You'd need
> to enable loglevel 4. An easier way is to use the save-keys
> plugin. It even creates the appropriate output files to use
> in wireshark. See  how to enable and configure it.
>  https://wiki.strongswan.org/issues/3258
> On 7/16/20 7:02 AM, Yogesh Purohit wrote:
> > Hi,
> > I was intending to decrypt isakmp packets for ike version 1 using wireshark.
> > In wireshark it needs the Initiator cookie and encryption key to decrypt the packets.
> > I have enabled debug logs by adding: enc = 3 in strongswan.conf file.
> > I followed this link https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets
> > But this was used when strongswan used Pluto daemon but now Charon is being used.
> > So how to identify the initiator cookie and encryption key from logs for ike version 1.
> > Thanks
> > --
> > Best Regards,
> > Yogesh Purohit
> Best Regards,
> Yogesh Purohit
More information about the Users