This is a capture I did from a StrongSwan net-to-net IPsec VPN I set up for testing.
Packet capture: pkt capture link
Phase 1 main mode - IKEv1
    Initiator cookie: 751b83775c20d140
    Encryption key: d38c64bef9facf441f8ad9080e2bb157
Phase 2 quick mode
    Src IP: 172.16.1.70
    Dest IP: 172.16.1.71
    SPI: 0xc04af751
    Encryption: AES-CBC
    Encryption key: 0x7c60aad1e87addb04ce8030de87c95aa
    Authentication: HMAC-SHA-1
    Authentication key: 0x7d46f88c672d660d7a36d5a1a756f4e10ba6c29d

    Src IP: 172.16.1.71
    Dest IP: 172.16.1.71
    SPI: 0xce38569e
    Encryption: AES-CBC
    Encryption key: 0x9b6eeff11d56d9e7e658d9b09c78d19a
    Authentication: HMAC-SHA-1
    Authentication key: 0x8ff0d9ff940d81198d555e3574e51a6354f9d7f6
If you want to do this yourself, follow the steps below to capture the encryption keys from StrongSwan.
Edit /etc/sysctl.conf and uncomment "net.ipv4.ip_forward=1" to enable routing (IP forwarding) between the two subnets.
Enter the command "ipsec up net-net" to start the IPsec tunnel.
1) To get the two values needed to decrypt ISAKMP (IKE phase 1 and 2):
Initiator cookie: found in the first packet sent (the ISAKMP header of the first main-mode message).
Encryption key: edit /etc/ipsec.conf and raise the charon debug level to 4 for IKE, so the daemon logs the keying material:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
        # level 4 for the "ike" and "enc" subsystems logs the derived keys to syslog
        charondebug="ike 4,enc 4"
        uniqueids=yes
        strictcrlpolicy=no

conn %default
        ikelifetime=60m
        keylife=8h
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn net-net
        left=172.16.1.70
        leftsubnet=10.1.0.0/24
        leftid=@moon.strongswan.org
        leftfirewall=yes
        right=172.16.1.71
        rightsubnet=10.2.0.0/24
        rightid=@sun.strongswan.org
        auto=add
Restart the IPsec session and check /var/log/syslog for the encryption key.
2) To get the key data needed to decrypt the ESP payload, enter the command "ip xfrm state". You need to enter the data for both security associations (one per direction):
root@ubuntu-1-ipsec:/home/ruwanindika# ip xfrm state
src 172.16.1.70 dst 172.16.1.71
        proto esp spi 0xc39e664b reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x6cd0b2f0fa5a81642150b059b6333a3919426da7 96
        enc cbc(aes) 0x392c130f3fc8b82c7552e12746cfcf36
        anti-replay context: seq 0x0, oseq 0x1f8, bitmap 0x00000000
src 172.16.1.71 dst 172.16.1.70
        proto esp spi 0xc2709853 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0xf9f4ab8729ce3f844f5d59de64ba30b24a99ca92 96
        enc cbc(aes) 0x63ce266892721d11301631c504d63979
        anti-replay context: seq 0x1f8, oseq 0x0, bitmap 0xffffffff
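As an added example (not code from the original post), the following Python parses the "ip xfrm state" output above and renders each ESP security association as a row for Wireshark's ESP SA table, with a key-length sanity check that catches a truncated or mis-copied key. The Linux-to-Wireshark algorithm labels and the eight-column row layout are assumptions to verify against your Wireshark version.

```python
# Linux xfrm algorithm names (as `ip xfrm state` prints them) mapped to Wireshark's
# ESP SA table labels. Assumed mapping: verify against your Wireshark version.
ENC_NAMES = {"cbc(aes)": "AES-CBC [RFC3602]"}
AUTH_NAMES = {("hmac(sha1)", 96): "HMAC-SHA-1-96 [RFC2404]",
              ("hmac(sha256)", 128): "HMAC-SHA-256-128 [RFC4868]"}
# Expected raw key sizes in bytes, used to catch a truncated or mis-copied key.
ENC_KEY_LEN = {"cbc(aes)": (16, 24, 32)}
AUTH_KEY_LEN = {"hmac(sha1)": (20,), "hmac(sha256)": (32,)}

def parse_xfrm_state(text):
    """Parse `ip xfrm state` output into one dict per ESP security association."""
    sas, cur = [], None
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "src":                 # "src A dst B" opens a new SA
            cur = {"src": f[1], "dst": f[3]}
            sas.append(cur)
        elif cur is None:
            continue
        elif f[0] == "proto":             # "proto esp spi 0x... reqid ..."
            cur["proto"], cur["spi"] = f[1], f[3]
        elif f[0] == "auth-trunc":        # "auth-trunc hmac(sha1) 0x... 96"
            cur["auth_alg"], cur["auth_key"], cur["auth_trunc"] = f[1], f[2], int(f[3])
        elif f[0] == "enc":               # "enc cbc(aes) 0x..."
            cur["enc_alg"], cur["enc_key"] = f[1], f[2]
    return [s for s in sas if s.get("proto") == "esp"]  # other lines are ignored

def wireshark_esp_sa_row(sa):
    """Render one SA as a row of Wireshark's ESP SA table (protocol, src, dst, SPI, algs, keys)."""
    enc_len = (len(sa["enc_key"]) - 2) // 2    # strip "0x"; two hex digits per byte
    auth_len = (len(sa["auth_key"]) - 2) // 2
    if enc_len not in ENC_KEY_LEN[sa["enc_alg"]] or auth_len not in AUTH_KEY_LEN[sa["auth_alg"]]:
        raise ValueError(f"unexpected key length for SA {sa['spi']}")
    fields = ["IPv4", sa["src"], sa["dst"], sa["spi"], ENC_NAMES[sa["enc_alg"]], sa["enc_key"],
              AUTH_NAMES[(sa["auth_alg"], sa["auth_trunc"])], sa["auth_key"]]
    return ",".join(f'"{x}"' for x in fields)

# The `ip xfrm state` output from the post (abridged, one SA per direction) as sample input.
SAMPLE = """src 172.16.1.70 dst 172.16.1.71
    proto esp spi 0xc39e664b reqid 1 mode tunnel
    auth-trunc hmac(sha1) 0x6cd0b2f0fa5a81642150b059b6333a3919426da7 96
    enc cbc(aes) 0x392c130f3fc8b82c7552e12746cfcf36
    anti-replay context: seq 0x0, oseq 0x1f8, bitmap 0x00000000
src 172.16.1.71 dst 172.16.1.70
    proto esp spi 0xc2709853 reqid 1 mode tunnel
    auth-trunc hmac(sha1) 0xf9f4ab8729ce3f844f5d59de64ba30b24a99ca92 96
    enc cbc(aes) 0x63ce266892721d11301631c504d63979"""
print("\n".join(wireshark_esp_sa_row(sa) for sa in parse_xfrm_state(SAMPLE)))
```

Each printed row can be pasted into the esp_sa table (Edit > Preferences > Protocols > ESP) after enabling "Attempt to detect/decode encrypted ESP payloads".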