What is inside those ESP packets


Say that you have an IPsec tunnel between two Palo Alto devices (or at least one) and you want to know what is inside those ESP packets.

You could capture IP protocol 50 (ESP).

[image: esp-pic2]

To get the keys you will need to raise the dump level: debug ike global on dump

Send some traffic over the VPN tunnel, and you will see in the IKEmgr log the encryption key and the authentication key used for that SPI.

[image: esp-pic3]

In the image above, note that the first packet (1) is shown as ESP.

Make sure the SPI value set in Wireshark is in lower case.

After Wireshark decrypts it, we can see the ICMP traffic that was sent out via the tunnel interface encapsulated in ESP, and that the payload is an ICMP message reporting a timeout.

[image: esp-pic4]
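As an added example (not part of the original post, and not Palo Alto or Wireshark code), the script below takes the SPI and keys as copied from the IKEmgr dump, lowercases the hex as the step above requires, checks that the key lengths match the chosen algorithms, and emits a row in the layout of Wireshark's ESP SA table (Preferences > Protocols > ESP). It also shows the check Wireshark performs with the authentication key: the 96-bit HMAC-SHA1 ICV over SPI, sequence number and ciphertext. The addresses, SPI, keys and packet bytes are constructed sample values.

```python
import hashlib
import hmac
import re

# Wireshark ESP SA table fields, in order: protocol, source, destination, SPI,
# encryption algorithm, encryption key, authentication algorithm, authentication key.
ENC_KEY_LEN = {"AES-CBC [RFC3602]": (16, 24, 32), "TripleDES-CBC [RFC2451]": (24,)}
AUTH_KEY_LEN = {"HMAC-SHA-1-96 [RFC2404]": (20,), "HMAC-MD5-96 [RFC2403]": (16,)}


def normalize_hex(value: str, allowed_lens) -> str:
    """Return value as lower-case 0x-prefixed hex and check its byte length."""
    raw = value.strip().lower()
    raw = raw[2:] if raw.startswith("0x") else raw
    if not re.fullmatch(r"[0-9a-f]+", raw) or len(raw) % 2:
        raise ValueError(f"not valid hex: {value!r}")
    if len(raw) // 2 not in allowed_lens:
        raise ValueError(f"{len(raw) // 2}-byte value, expected one of {allowed_lens}")
    return "0x" + raw


def esp_sa_line(src, dst, spi, enc_alg, enc_key, auth_alg, auth_key) -> str:
    """Build one quoted, comma-separated ESP SA row for Wireshark."""
    fields = ["IPv4", src, dst, normalize_hex(spi, (4,)), enc_alg,
              normalize_hex(enc_key, ENC_KEY_LEN[enc_alg]), auth_alg,
              normalize_hex(auth_key, AUTH_KEY_LEN[auth_alg])]
    return ",".join(f'"{f}"' for f in fields)


def esp_icv_ok(packet: bytes, auth_key: bytes) -> bool:
    """Verify the 96-bit HMAC-SHA1 ICV over SPI + sequence + ciphertext (RFC 2404)."""
    body, icv = packet[:-12], packet[-12:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:12]
    return hmac.compare_digest(icv, expected)


# Constructed sample SA: values as they would be copied from the IKEmgr dump (not real keys).
SAMPLE = dict(src="192.0.2.1", dst="198.51.100.1", spi="0xC0FFEE01",
              enc_alg="AES-CBC [RFC3602]", enc_key="0x" + "11" * 16,
              auth_alg="HMAC-SHA-1-96 [RFC2404]", auth_key="0x" + "22" * 20)


def sample_esp_packet(auth_key: bytes) -> bytes:
    """Constructed ESP packet: SPI, sequence 1, 32 bytes of placeholder ciphertext, ICV."""
    body = bytes.fromhex("c0ffee01") + (1).to_bytes(4, "big") + b"\xaa" * 32
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:12]


if __name__ == "__main__":
    print(esp_sa_line(**SAMPLE))
    print(esp_icv_ok(sample_esp_packet(bytes.fromhex("22" * 20)), bytes.fromhex("22" * 20)))
```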
