Wireshark-users: Re: [Wireshark-users] Can't decrypt ESP payload

From: Joerg Mayer <jmayer@xxxxxxxxx>
Date: Tue, 25 Jul 2006 07:55:48 +0200
On Tue, Jul 25, 2006 at 02:43:15PM +0900, ?$B%^%7%9!&%6%C%+%j!< wrote:
> Has anybody had any success decrypting ESP payloads with Wireshark or
> tcpdump?
> I am trying to decrypt some ping packets (attached) that have been
> encrypted with 3DES/SHA1, with the PSK being "hello". I get an error in
> my terminal that says "ESP Preferences: Error in encryption algorithm
> 3des-cbc: Bad Keylen <40 bits>"
> From what I can tell, I only know my PSK, so I'm not sure what Wireshark
> is expecting for my encryption key/authentication key. I tried it in
> tcpdump as well with no luck.

What you are trying to do doesn't work that way - and it *hopefully*
never will, because otherwise it would mean that IPsec is broken!

<SIMPLIFY>
IPsec has two phases:
The first is used for setting up a secure connection for *management*
purposes; the second phase is used to actually encrypt data packets.
ESP is a phase two proto whose keys are negotiated using the phase 1
stuff.
So what is done in phase 1? First an encrypted tunnel is set up. After
that, the tunnel endpoints *authenticate* to each other, using (in your
case) the pre-shared key. The authentication is a protection from
man-in-the-middle attacks, not much more.
</SIMPLIFY>

Ciao
      Joerg
-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
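The point Joerg makes above, that the pre-shared key only authenticates phase 1 while the ESP keys are derived separately, can be seen in the IKEv1 key derivation itself. The following Python script is an added illustration that is not part of the thread and not Wireshark's or tcpdump's code; it follows the RFC 2409 derivation for PSK authentication with a SHA1 PRF and no PFS as recalled here (SKEYID, SKEYID_d, quick-mode KEYMAT), and the order in which KEYMAT is split into encryption and authentication keys is an assumption. All cookie, nonce, SPI and Diffie-Hellman values are constructed samples; in a real exchange g^xy is the phase-1 DH secret that never appears on the wire, which is exactly why the PSK alone cannot yield the ESP keys the dissector asks for. The `check_keylen` helper reproduces the "Bad Keylen" condition from the original post: "hello" is 40 bits, 3des-cbc needs 192.

```python
"""Added illustration: why a pre-shared key is not the ESP key (RFC 2409 derivation, as recalled)."""
import hashlib
import hmac

# Key sizes the ESP dissector needs for the algorithm pair in the original post.
ENC_KEY_BITS = {"3des-cbc": 192}       # 3DES: 24-byte key
AUTH_KEY_BITS = {"hmac-sha1-96": 160}  # HMAC-SHA1: 20-byte key
PROTO_IPSEC_ESP = b"\x03"              # RFC 2407 protocol id for ESP (one octet)


def check_keylen(alg, key, table):
    """Return (ok, message), mimicking the dissector's key-length check."""
    want = table[alg]
    have = len(key) * 8
    if have != want:
        return False, f"Error in encryption algorithm {alg}: Bad Keylen <{have} bits> (need {want})"
    return True, "ok"


def prf(key, data):
    """IKEv1 PRF when the negotiated hash is SHA1: HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk, ni, nr):
    """Phase 1 with PSK authentication: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def skeyid_d(skeyid, g_xy, cky_i, cky_r):
    """Phase 1: SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0). Needs the DH secret g^xy."""
    return prf(skeyid, g_xy + cky_i + cky_r + b"\x00")


def keymat(skd, protocol, spi, ni_qm, nr_qm, nbytes):
    """Phase 2 (quick mode, no PFS): KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b),
    expanded as K1, K2 = prf(SKEYID_d, K1 | protocol | SPI | Ni_b | Nr_b), ... until long enough."""
    out, prev = b"", b""
    while len(out) < nbytes:
        prev = prf(skd, prev + protocol + spi + ni_qm + nr_qm)
        out += prev
    return out[:nbytes]


def esp_sa_keys(psk, g_xy, cky_i, cky_r, ni, nr, spi, ni_qm, nr_qm):
    """Derive (encryption key, authentication key) for one ESP SA (one direction, one SPI).
    Assumption: encryption key is taken from KEYMAT first, authentication key second."""
    skd = skeyid_d(skeyid_psk(psk, ni, nr), g_xy, cky_i, cky_r)
    enc_len = ENC_KEY_BITS["3des-cbc"] // 8
    auth_len = AUTH_KEY_BITS["hmac-sha1-96"] // 8
    km = keymat(skd, PROTO_IPSEC_ESP, spi, ni_qm, nr_qm, enc_len + auth_len)
    return km[:enc_len], km[enc_len:]


# Constructed sample values (not from any real capture) so the script runs stand-alone.
SAMPLE = dict(
    psk=b"hello",
    g_xy=bytes.fromhex("0f" * 128),            # stand-in for a 1024-bit DH shared secret
    cky_i=bytes.fromhex("0102030405060708"),   # initiator cookie
    cky_r=bytes.fromhex("1112131415161718"),   # responder cookie
    ni=bytes.fromhex("a0" * 16), nr=bytes.fromhex("b0" * 16),        # phase-1 nonces
    spi=bytes.fromhex("c0ffee01"),                                   # ESP SPI
    ni_qm=bytes.fromhex("c1" * 16), nr_qm=bytes.fromhex("d1" * 16),  # quick-mode nonces
)


def demo():
    """Show the PSK failing the length check and the derived SA keys passing it."""
    enc, auth = esp_sa_keys(**SAMPLE)
    return {
        "psk_check": check_keylen("3des-cbc", SAMPLE["psk"], ENC_KEY_BITS),
        "enc_check": check_keylen("3des-cbc", enc, ENC_KEY_BITS),
        "auth_check": check_keylen("hmac-sha1-96", auth, AUTH_KEY_BITS),
        "enc_hex": enc.hex(),
        "auth_hex": auth.hex(),
    }


if __name__ == "__main__":
    r = demo()
    print("PSK as ESP key :", r["psk_check"][1])
    print("ESP enc key    :", r["enc_hex"], r["enc_check"][1])
    print("ESP auth key   :", r["auth_hex"], r["auth_check"][1])
```

Feeding the two hex strings printed for the SA into the dissector's ESP preferences (SPI plus encryption and authentication key) is what decryption actually requires; changing `g_xy` by a single byte yields entirely different keys, which is the property that keeps a captured IKE exchange plus a known PSK from being enough.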