Need to Decrypt ISAKMP Traffic with Wireshark
Posted on 2011-03-03
We upgraded to Sonicwall firmware 126.96.36.199 this past Sunday. Since then we have 5 out of 13 site-to-site tunnels that consistently generate "Payload processing failed" errors every 10 minutes. The tunnels are up and work fine but we are flooded with these alerts. Sonicwall has told me more alerts are to be expected with the new firmware. I have discovered that "Dead Peer Detection" in the Sonicall is generating these alerts. DPD is configured to check every 600 seconds. When DPD is disabled they stop. I cannot see the ISAKMP exchanges since they are encrypted. What I want to do is generate a packet capture in the Soncwall and then use Wireshark to see the ISAKMP exchanges when DPD occurs and try to see what differences exist between tunnels that alert and tunnels that do not. Wireshark asks for a "pluto log file" in the "ISAKMP" section. I am the firewall admin and know all details about the site-to-site tunnels, e.g. shared secrets, encyption used, etc. Can anyone tell me if it is possible to decrypt ISAKMP data in Wireshark so I can see the exchange when DPD occurs?