SRX Services Gateway

Decrypting IKEv2 Messages on SRX

‎07-28-2019 09:58 PM

Hello all,

I'm currently looking over the SRX IPsec implementation and I would like to decrypt IKEv2 messages in Wireshark.

The IPsec tunnel is between S1 and S2. The IKE and IPsec SAs are up and running and traffic is passing through the tunnel.

S1> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
7498771 UP     b4d9ce6222a6920a  3a54d5f261ddc3af  IKEv2          10.10.34.4

S1> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-256/sha256 87657884 3564/ unlim - root 500 10.10.34.4
  >131073 ESP:aes-cbc-256/sha256 45240bf9 3564/ unlim - root 500 10.10.34.4

root> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
6859795 UP     b4d9ce6222a6920a  3a54d5f261ddc3af  IKEv2          10.10.23.2

root> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-cbc-256/sha256 45240bf9 3513/ unlim - root 500 10.10.23.2
  >131073 ESP:aes-cbc-256/sha256 87657884 3513/ unlim - root 500 10.10.23.2

Now what I'm trying to do is decrypt the IKEv2 packets in Wireshark.

Getting the initiator and responder SPIs and the encryption and integrity algorithms is easy enough.

How can I get the SK_ei, SK_er, SK_ai and SK_ar values?

Re: Decrypting IKEv2 Messages on SRX

‎07-29-2019 10:00 PM

Bump.

Is there any way to find the key information? I tried enabling traceoptions on the SRX but that didn't help. Is there some log file or anything where the encryption and auth keys are stored?

Re: Decrypting IKEv2 Messages on SRX

‎07-29-2019 10:14 PM

Unfortunately, there is no way to find the SK_ei, SK_er, SK_ai and SK_ar keys in SRX. These keys cannot be retrieved by using the traceoptions/IKE debug command.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Decrypting IKEv2 Messages on SRX

‎07-29-2019 11:37 PM

Bummer

Re: Decrypting IKEv2 Messages on SRX

‎07-30-2019 03:45 AM

Hello,

If your other side is strongSwan, you can dump them in the log there:

https://dev.strongswan.narkive.com/zEytkoA2/strongswan-dev-how-to-dump-the-sk-ei-sk-er-sk-ai-sk-ar-o...

HTH

Thx
Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: Decrypting IKEv2 Messages on SRX

‎08-01-2019 05:42 AM

Is there any way I can force IKE_SA_INIT to negotiate null encryption so I can see the IKE_AUTH messages in Wireshark in cleartext? I know you can do this for ESP by omitting the encryption algorithm statement. I tried doing it for IKE_SA_INIT in the IKE proposal stanza but it didn't work.

Re: Decrypting IKEv2 Messages on SRX

‎08-01-2019 07:45 AM

There is no way to do that in SRX. If it is for learning purposes, I would suggest setting up a strongSwan VPN on the other end, as Alex suggested. I attached IKEv2 decrypted packets (IKE_SA_INIT and IKE_AUTH) in text format for your reference.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
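
For reference on why the capture alone is not enough, here is the IKEv2 key derivation from RFC 7296 (sections 2.13 and 2.14), as an added example that is not part of the original thread and is not Juniper or strongSwan code. It assumes the IKE proposal is PRF_HMAC_SHA2_256 with AES-CBC-256 and HMAC-SHA2-256-128 (the thread shows only the ESP algorithms); the SPIs are the cookies from the posted output, while the nonces and the Diffie-Hellman shared secret are constructed sample values.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # Assumed IKE PRF: PRF_HMAC_SHA2_256 (the thread shows only the ESP algorithms).
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # RFC 7296 2.13: T1 = prf(K, S | 0x01), Tn = prf(K, T(n-1) | S | n)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        if counter > 255:
            raise ValueError("prf+ is defined for at most 255 blocks")
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

# Key sizes in bytes for the assumed IKE proposal:
# AES-CBC-256 (SK_e*), HMAC-SHA2-256-128 (SK_a*), PRF_HMAC_SHA2_256 (SK_d, SK_p*).
KEY_LAYOUT = [("SK_d", 32), ("SK_ai", 32), ("SK_ar", 32),
              ("SK_ei", 32), ("SK_er", 32), ("SK_pi", 32), ("SK_pr", 32)]

def derive_ike_keys(ni, nr, dh_secret, spi_i, spi_r):
    # RFC 7296 2.14: SKEYSEED = prf(Ni | Nr, g^ir), then split the prf+ output.
    skeyseed = prf(ni + nr, dh_secret)
    total = sum(size for _, size in KEY_LAYOUT)
    stream = prf_plus(skeyseed, ni + nr + spi_i + spi_r, total)
    keys, offset = {}, 0
    for name, size in KEY_LAYOUT:
        keys[name] = stream[offset:offset + size]
        offset += size
    return keys

# SPIs are the cookies from the "show security ike security-associations" output.
SPI_I = bytes.fromhex("b4d9ce6222a6920a")
SPI_R = bytes.fromhex("3a54d5f261ddc3af")
# Constructed sample values: real nonces are visible in IKE_SA_INIT, but the
# Diffie-Hellman shared secret g^ir exists only inside the two endpoints.
NI = bytes(range(32))
NR = bytes(range(32, 64))
DH_SECRET = hashlib.sha256(b"constructed g^ir placeholder").digest() * 8

if __name__ == "__main__":
    keys = derive_ike_keys(NI, NR, DH_SECRET, SPI_I, SPI_R)
    for name in ("SK_ei", "SK_er", "SK_ai", "SK_ar"):
        print(f"{name} = {keys[name].hex()}")
```

SK_ei, SK_er, SK_ai and SK_ar are the four key fields of Wireshark's IKEv2 decryption table. Because g^ir never appears on the wire, they have to come from an endpoint that logs them.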
