On Tue, Jul 25, 2006 at 02:43:15PM +0900, マシス・ザッカリー wrote:
> Has anybody had any success decrypting ESP payloads with wireshark or
> tcpdump?
> I am trying to decrypt some ping packets (attached) that have been
> encrypted with 3DES/SHA1 with the PSK being "hello". I get an error in
> my terminal that says "ESP Preferences: Error in encryption algorithm
> 3des-cbc: Bad Keylen <40 bits>"
> From what I can tell, I only know my PSK so I'm not sure what wireshark
> is expecting for my encryption key/authentication key. I tried it in
> tcpdump as well with no luck.
What you are trying to do doesn't work that way - and it *hopefully*
never will, because otherwise it would mean that IPsec is broken!
<SIMPLIFY>
IPsec has two phases:
The first is used for setting up a secure connection for *management*
purposes, the second phase is used to actually encrypt data packets.
ESP is a phase 2 proto whose keys are negotiated using the phase 1
stuff.
So what is done in phase 1? First an encrypted tunnel is set up. After
that, the tunnel endpoints *authenticate* to each other, using (in your
case) the pre-shared key. The authentication is a protection from man-in-
the-middle attacks, not much more.
</SIMPLIFY>
Ciao
Joerg
--
Joerg Mayer <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
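The derivation Joerg sketches above, written out as an added example (not code from this thread or from Wireshark): the IKEv1 formulas are those of RFC 2409 (pre-shared key authentication in phase 1, Quick Mode without PFS in phase 2) with HMAC-SHA1 as the PRF, and every input value (nonces, cookies, the Diffie-Hellman secret, SPIs) is constructed here for illustration. It shows why the PSK "hello" (40 bits) can never be the ESP key: the per-SA 3DES and HMAC-SHA1 keys that a decrypting tool needs are 192 and 160 bits, derived from the PSK together with the DH secret that only the two endpoints know.

```python
import hashlib
import hmac

PROTO_IPSEC_ESP = 3          # protocol id used in KEYMAT derivation (RFC 2407)
KEY_LEN_3DES = 24            # 192-bit 3DES-CBC key
KEY_LEN_HMAC_SHA1 = 20       # 160-bit HMAC-SHA1 authentication key

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 PRF for a SHA-1 proposal: HMAC-SHA1 (RFC 2409, section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def phase1_skeyid_d(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                    cky_i: bytes, cky_r: bytes) -> bytes:
    """Phase 1, pre-shared key auth (RFC 2409, section 5): SKEYID = prf(PSK, Ni_b | Nr_b),
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0). The PSK enters only here;
    g^xy is the Diffie-Hellman secret that only the two endpoints know."""
    skeyid = prf(psk, ni + nr)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")

def phase2_keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, nbytes: int) -> bytes:
    """Quick Mode KEYMAT without PFS (RFC 2409, section 5.5):
    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b),
    Kn = prf(SKEYID_d, K(n-1) | protocol | SPI | Ni_b | Nr_b), concatenated."""
    seed = bytes([PROTO_IPSEC_ESP]) + spi + ni + nr
    out, prev = b"", b""
    while len(out) < nbytes:
        prev = prf(skeyid_d, prev + seed)
        out += prev
    return out[:nbytes]

def esp_sa_keys(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes) -> dict:
    """Split KEYMAT for one ESP SA: encryption key first, then authentication key."""
    km = phase2_keymat(skeyid_d, spi, ni, nr, KEY_LEN_3DES + KEY_LEN_HMAC_SHA1)
    return {"enc_key": km[:KEY_LEN_3DES], "auth_key": km[KEY_LEN_3DES:]}

# Constructed sample values (not from any real capture); real ones come from the IKE exchange.
PSK = b"hello"                                   # 5 bytes = the 40 bits in the error message
P1_NI, P1_NR = bytes(range(16)), bytes(range(16, 32))
GXY = hashlib.sha256(b"constructed DH secret").digest()
CKY_I, CKY_R = b"\x01" * 8, b"\x02" * 8
SPI_IN, SPI_OUT = bytes.fromhex("0a0b0c0d"), bytes.fromhex("1a1b1c1d")
P2_NI, P2_NR = bytes(range(32, 48)), bytes(range(48, 64))

if __name__ == "__main__":
    d = phase1_skeyid_d(PSK, P1_NI, P1_NR, GXY, CKY_I, CKY_R)
    for spi in (SPI_IN, SPI_OUT):               # each direction is its own SA
        keys = esp_sa_keys(d, spi, P2_NI, P2_NR)
        print(f"SPI {spi.hex()}: enc 0x{keys['enc_key'].hex()} ({len(keys['enc_key']) * 8} bits)")
        print(f"              auth 0x{keys['auth_key'].hex()}")
```

Without the DH secret g^xy a passive observer holding only the PSK cannot reproduce SKEYID_d, which is exactly the property Joerg hopes never breaks.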