Hi Thomas,

Thanks for the update.
Yes, I have enabled log level 4 for ike in strongswan.conf, with enc at 3.

ike = 4
enc = 3

I am seeing a lot of logs in the log file, but I am not sure which one is the encryption key.
As per the link https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets it should be 16 bytes.
But none of them is 16 bytes.

SKEYID => 20 bytes @ 0x7a33d40047d0
   0: AE C9 8E BB 0D 18 4B 39 84 E2 6C 4D E6 B9 E8 C1  ......K9..lM....
  16: F7 AD 59 FC                                      ..Y.
SKEYID_d => 20 bytes @ 0x7a33d40047b0
   0: 8B F3 BF C2 4A 62 B0 F9 08 E8 C1 20 84 FA 12 4B  ....Jb..... ...K
  16: 2E 64 57 CE                                      .dW.
SKEYID_a => 20 bytes @ 0x7a33d4005760
   0: 2B 89 D8 AD 2F C3 08 F1 8D FA 4E 17 B6 30 DE C1  +.../.....N..0..
  16: AD 5A B6 AB                                      .Z..
SKEYID_e => 20 bytes @ 0x7a33d4003c30
   0: 33 B4 1A 7A 3C 36 C5 9A 6B 6F 77 0A 5D 46 13 8A  3..z<6..kow.]F..
  16: C4 77 89 1B                                      .w..
encryption key Ka => 32 bytes @ 0x7a33c000c320
   0: 21 82 8C 59 BC 06 3C 92 58 E6 7E AB D6 0A 85 9F  !..Y..<.X.~.....
  16: 3E 74 20 54 5F E6 92 46 75 A6 76 E8 E1 96 96 B3  >t T_..Fu.v.....

Only this one I see as 16 bytes:

initial IV => 16 bytes @ 0x7a33d4003c30
   0: 7A 5A F1 F8 DA EA 50 C1 D3 83 0E DC A1 C5 A0 8F  zZ....P.........

So either the encryption key is 32 bytes in the versions which use the charon daemon instead of pluto?
Please do let me know if my assumption is correct or I am looking in the wrong place.

Since I am using an older version of Strongswan, I am not sure about the save-keys plugin.

Thanks

On Thu, Jul 16, 2020 at 4:42 PM Thomas Egerer <hakke_...@gmx.de> wrote:

> Hi Yogesh,
>
> the loglevel 3 will never reveal any keys to you. You'd need
> to enable loglevel 4. An easier way is to use the save-keys
> plugin. It even creates the appropriate output files to use
> in wireshark. See [1] how to enable and configure it.
>
> Thomas
>
> [1] https://wiki.strongswan.org/issues/3258
>
> On 7/16/20 7:02 AM, Yogesh Purohit wrote:
> > Hi,
> >
> > I was intending to decrypt isakmp packets for ike version 1 using wireshark.
> > In wireshark it needs the Initiator cookie and encryption key to decrypt the packets.
> >
> > I have enabled debug logs by adding: enc = 3 in strongswan.conf file.
> > I followed this link https://osqa-ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets
> >
> > But this was used when strongswan used Pluto daemon but now Charon is being used.
> >
> > So how to identify the initiator cookie and encryption key from logs for ike version 1.
> >
> > Thanks
> >
> > --
> > Best Regards,
> >
> > Yogesh Purohit
>

--
Best Regards,

Yogesh Purohit
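
Added example, not part of the e-mail thread and not strongSwan code: a small parser for the level-4 chunk dumps shown above ("label => N bytes @ address" followed by offset/hex/ASCII rows) that returns each labelled chunk as one contiguous hex string and checks it against the declared length. The `NN[IKE]` line prefix and all byte values in the sample are constructed; the parser uses the declared length to decide how many tokens per row are data, so an ASCII column that happens to look like hex is never mistaken for key bytes.

```python
import re

# "<label> => <n> bytes @ 0x<addr>", optionally behind a "NN[GRP] " log prefix (assumed).
HEADER = re.compile(r"(?:.*?\]\s+)?(?P<name>\S.*?) => (?P<len>\d+) bytes @ 0x[0-9a-fA-F]+")
# "<offset>: <hex bytes> <ASCII column>"
DATA = re.compile(r"(?:.*?\]\s+)?(?P<off>\d+):\s+(?P<rest>.*)")
HEXBYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_chunks(log_text):
    """Return [(label, declared_len, hex_string, complete)] for every dump."""
    chunks, cur = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        h = HEADER.match(line)
        if h:
            cur = {"name": h["name"], "declared": int(h["len"]), "data": bytearray()}
            chunks.append(cur)
            continue
        d = DATA.match(line)
        if cur is None or d is None:
            continue
        off = int(d["off"])
        if off != len(cur["data"]):          # row missing or out of order
            continue
        need = min(16, cur["declared"] - off)  # data bytes expected on this row
        tokens = d["rest"].split()[:need]      # ignore the ASCII column
        if len(tokens) == need and all(HEXBYTE.fullmatch(t) for t in tokens):
            cur["data"] += bytes.fromhex("".join(tokens))
    return [(c["name"], c["declared"], c["data"].hex(),
             len(c["data"]) == c["declared"]) for c in chunks]


# Constructed sample (not real key material). The short row of the first chunk
# has an ASCII column "AB C" that a naive "grab every hex pair" parser would misread.
SAMPLE = """\
04[IKE] SKEYID_e => 20 bytes @ 0x7f0000001000
04[IKE]    0: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F  ................
04[IKE]   16: 41 42 20 43                                      AB C
04[IKE] encryption key Ka => 32 bytes @ 0x7f0000002000
04[IKE]    0: 41 42 20 43 44 20 45 46 41 42 20 43 44 20 45 46  AB CD EFAB CD EF
04[IKE]   16: 41 42 20 43 44 20 45 46 41 42 20 43 44 20 45 46  AB CD EFAB CD EF
initial IV => 16 bytes @ 0x7f0000003000
   0: A0 A1 A2 A3 A4 A5 A6 A7 A8 A9 AA AB AC AD AE AF  ................
"""

if __name__ == "__main__":
    for name, declared, hexstr, complete in parse_chunks(SAMPLE):
        status = "ok" if complete else "INCOMPLETE"
        print(f"{name:20s} {declared:3d} bytes  {hexstr}  [{status}]")
```

Because level-4 logs contain live key material, run this on a copy of the log kept off shared systems and delete the output once the capture has been analysed.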