?
Solved

Need to Decrypt ISAKMP Traffic with Wireshark

Posted on 2011-03-03
2
Medium Priority
?
2,188 Views
Last Modified: 2012-05-11
We upgraded to Sonicwall firmware 5.5.1.3 this past Sunday.  Since then we have 5 out of 13 site-to-site tunnels that consistently generate "Payload processing failed" errors every 10 minutes. The tunnels are up and work fine but we are flooded with these alerts.  Sonicwall has told me more alerts are to be expected with the new firmware. I have discovered that "Dead Peer Detection" in the Sonicall is generating these alerts. DPD is configured to check every 600 seconds. When DPD is disabled they stop. I cannot see the ISAKMP exchanges since they are encrypted. What I want to do is generate a packet capture in the Soncwall and then use Wireshark to see the ISAKMP exchanges when DPD occurs and try to see what differences exist between tunnels that alert and tunnels that do not.  Wireshark asks for a "pluto log file" in the "ISAKMP" section. I am the firewall admin and know all details about the site-to-site tunnels, e.g. shared secrets, encyption used, etc. Can anyone tell me if it is possible to decrypt ISAKMP data in Wireshark so I can see the exchange when DPD occurs?
0
Comment
Question by:adoughe
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 33

Accepted Solution

by:
digitap earned 1500 total points
ID: 35029531
i've never had to do that, but if one had the phase configurations along with the key, it appears it's possible. see the link below.

http://wiki.wireshark.org/ESP_Preferences
0
 
LVL 1

Author Closing Comment

by:adoughe
ID: 35236412
I did not consider this a complete answer to my question.
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question