Solved

Need to Decrypt ISAKMP Traffic with Wireshark

Posted on 2011-03-03
Last Modified: 2012-05-11
We upgraded to Sonicwall firmware 5.5.1.3 this past Sunday. Since then we have 5 out of 13 site-to-site tunnels that consistently generate "Payload processing failed" errors every 10 minutes. The tunnels are up and work fine but we are flooded with these alerts. Sonicwall has told me more alerts are to be expected with the new firmware. I have discovered that "Dead Peer Detection" in the Sonicwall is generating these alerts. DPD is configured to check every 600 seconds. When DPD is disabled they stop. I cannot see the ISAKMP exchanges since they are encrypted. What I want to do is generate a packet capture in the Sonicwall and then use Wireshark to see the ISAKMP exchanges when DPD occurs and try to see what differences exist between tunnels that alert and tunnels that do not. Wireshark asks for a "pluto log file" in the "ISAKMP" section. I am the firewall admin and know all details about the site-to-site tunnels, e.g. shared secrets, encryption used, etc. Can anyone tell me if it is possible to decrypt ISAKMP data in Wireshark so I can see the exchange when DPD occurs?
Question by: adoughe
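Even while the ISAKMP payload is encrypted under the Phase 1 SA, the 28-byte ISAKMP generic header is always sent in the clear, so a capture already shows which messages are Informational exchanges (the exchange type DPD uses) and how often each peer pair sends them, without any keys. The Python below is an added example, not code from this thread; it parses that header from UDP/500 payloads and reports the interval between encrypted Informational messages per peer pair, using a constructed sample with placeholder cookies and addresses.

```python
import struct
from collections import defaultdict

# ISAKMP generic header (RFC 2408, section 3.1): 28 bytes, never encrypted.
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {2: "Identity Protection", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode"}
FLAG_ENCRYPTION = 0x01  # bit 0 of the Flags octet


def parse_isakmp_header(payload):
    """Return the cleartext header fields of one UDP/500 ISAKMP datagram."""
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP datagram")
    icookie, rcookie, _next, version, xchg, flags, msg_id, length = \
        ISAKMP_HDR.unpack_from(payload)
    return {
        "i_cookie": icookie.hex(),
        "r_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(xchg, f"type {xchg}"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "length": length,
    }


def informational_cadence(records):
    """Group encrypted Informational exchanges by (src, dst) and return the
    rounded gaps in seconds between consecutive ones; DPD shows up as a
    steady cadence (600 s in the thread above).
    records: iterable of (timestamp_seconds, src_ip, dst_ip, udp_payload)."""
    times = defaultdict(list)
    for ts, src, dst, payload in sorted(records, key=lambda r: r[0]):
        hdr = parse_isakmp_header(payload)
        if hdr["exchange"] == "Informational" and hdr["encrypted"]:
            times[(src, dst)].append(ts)
    return {peer: [round(b - a) for a, b in zip(t, t[1:])]
            for peer, t in times.items()}


def build_datagram(xchg, flags, msg_id, body=b"\x00" * 32):
    """Constructed sample: placeholder cookies, Hash (8) as first payload,
    opaque body standing in for the encrypted part."""
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, 8, 0x10, xchg, flags,
                          msg_id, ISAKMP_HDR.size + len(body))
    return hdr + body


# Constructed capture: peer 192.0.2.1 gets an encrypted Informational every
# 600 s (DPD cadence); the Quick Mode message to 192.0.2.2 must not count.
SAMPLE = [
    (0.0, "10.0.0.1", "192.0.2.1", build_datagram(5, 0x01, 0x1001)),
    (600.2, "10.0.0.1", "192.0.2.1", build_datagram(5, 0x01, 0x1002)),
    (1199.9, "10.0.0.1", "192.0.2.1", build_datagram(5, 0x01, 0x1003)),
    (30.0, "10.0.0.1", "192.0.2.2", build_datagram(32, 0x01, 0x2001)),
]
```

Feed it the UDP payloads from the SonicWall capture per tunnel and compare the cadence and message counts of the tunnels that alert against those that do not; decrypting the Notify payloads themselves still requires the Phase 1 key material.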

Accepted Solution

by: digitap (earned 500 total points)
ID: 35029531
I've never had to do that, but if one had the phase configurations along with the key, it appears it's possible. See the link below.

http://wiki.wireshark.org/ESP_Preferences

Author Closing Comment

by: adoughe
ID: 35236412
I did not consider this a complete answer to my question.
