SRX Services Gateway

How to find the authentication and encryption keys of an IKE based IPSec VPN in SRX ?

‎06-03-2012 10:47 PM

Hi,

Just wanted to check if there is any way we can get the authentication and encryption keys generated as part of IKE, so that we can use those keys in protocol analyzers like Wireshark to decrypt the ESP traffic and confirm the original plaintext traffic (for testing purposes only).

Any commands to get the keys on SRX?

Thanks in advance!

Regards,
Pradeep 2xJNCIE(SEC/ENT)

Re: How to find the authentication and encryption keys of an IKE based IPSec VPN in SRX ?

‎08-14-2014 09:40 PM

Bump on this.

Pradeep, did you ever find a way to get the keys?


Re: How to find the authentication and encryption keys of an IKE based IPSec VPN in SRX ?

‎08-15-2014 08:58 AM

Hello,

To locally decrypt any JUNOS passwords starting with $9$, you can use the Perl module

http://search.cpan.org/~kbrint/Crypt-Juniper-0.02/lib/Crypt/Juniper.pm

If you are really impatient, you can go to http://password-decrypt.com, but beware that your password can be added to someone's brute-force attack dictionary.

HTH

Thanks
Alex


Re: How to find the authentication and encryption keys of an IKE based IPSec VPN in SRX ?

‎08-16-2014 08:25 PM

Hi Pradeep,

I have seen the authentication keys and encryption keys in the IKE trace files.

Note:

1. Clear kmd logs (clear log kmd)

2. Delete all IKE and IPsec traceoptions (do not deactivate)

Kindly enable per-tunnel debugging from the CLI prompt and check the trace file for keys generated for VPN encryption and authentication.

request security ike debug-enable local x.x.x.x remote y.y.y.y level 15

x.x.x.x and y.y.y.y are the VPN peer IP addresses.

Regards
rparthi
 


Re: How to find the authentication and encryption keys of an IKE based IPSec VPN in SRX ?

‎08-31-2019 06:17 PM

Hello,

Sorry to bring up an old thread from years back, but I'm interested in this topic. (See also this https://forums.juniper.net/t5/SRX-Services-Gateway/Decrypting-IKEv2-Messages-on-SRX/m-p/465954#M5422...)

Can you be more specific? After I enable per-tunnel debugging, which logs should I check for the keys?