In specific use cases or scenarios it may be required to decrypt IPSEC Traffic to troubleshoot further.
This KB outlines the steps to properly decrypt traffic in order to troubleshoot application or network issues, Diagnose VPN or IPSEC problems, provide incident response, speak to regulatory compliance and data leak prevention, to optimize performance, etc.
VMware NSX
When it comes to troubleshooting NSX IPSEC VPNs, there are several layers of troubleshooting involved. The purpose of this troubleshooting article is to provide granular steps resulting in decrypted network traffic.
The important fields that need to be recorded are as follows:
In the key dump following fields are important
"spi": 7402#####, (The SPI must be converted to Hexadecimal when populated in the ESP SA field in Wireshark)
"aead": "aes-128-gcm",
"cipher-key": "e2ac98ea2b023614e4143120188365##########",
"created-timestamp": "2025-03-02 16:33:03",
"dst-ip": "##.###.6.230",
"src-ip": "##.###.42.162",
Example Key Dump taken from an edge:
The following key dump may need to be performed multiple times. A key dump is taken at the start of the packet capture. The session may expire while the packet capture is running. If this occurs then the subsequent set of keys will need to be gathered to decrypt traffic post key generation. The reason for this is that IPSEC/L2VPN tunnels can and will cycle through new encryption keys over the course of time. As an observer, you will have zero visual indication that the session keys have changed. Your role will be to collect the IPsec encryption keys before the packet captures are taken, at the end of a packet capture session, and you might perform a key dump mid-packet capture session if your session is lengthy. It is important to note the created-timestamp which indicates when the keys were created compared to the lifetime of these keys (3600 seconds). Often times if the key is going to expire it is easier to wait until new keys are created to run your packet capture- then you will likely only have to generate one key dump.
Encryption Key Dump at the beginning of the packet capture session:
root@Edge:~# edge-appctl -t /var/run/vmware/edge/dpd.ctl ipsec/show sad dump_key
{
"outbound": [
"lifetime": 3600,
"tcp-mss": 0,
"nat-t": false,
"protocol": 50,
"rule-id": 74020####,
"uptime": 464,
"use-esn": false,
"auth-key": "",
"spi": 37709#####,
"vrf-id": 3,
"replaywin-seq": 0,
"ike-tunnel-id": 0,
"tcp-mss-auto-compute": false,
"vti-uuid": "04c92ca9-d55d-471b-ac1e-############",
"hitflag": 1,
"aead": "aes-128-gcm",
"cipher-key": "87f6a9a60f1247e036b89234f3ced4##########", <----------------------- Encryption Key 1
"created-timestamp": "2025-03-02 20:11:30",
"dst-ip": "##.###.6.230",
"df-policy": "copy",
"mode": "tunnel",
"encrypt-overhead": 108,
"src-ip": "##.###.42.162",
"peer_natted_port": 0,
"policy-uuid": "04c92ca9-d55d-471b-ac1e-############",
"out-seq": 537,
"replaywin-size": 960}],
"inbound": [
"lifetime": 3600,
"tcp-mss": 0,
"nat-t": false,
"protocol": 50,
"rule-id": 288768####,
"uptime": 469,
"use-esn": false,
"auth-key": "",
"spi": 4037######,
"vrf-id": 3,
"replaywin-seq": 719,
"ike-tunnel-id": 0,
"tcp-mss-auto-compute": false,
"vti-uuid": "04c92ca9-d55d-471b-ac1e-############",
"hitflag": 1,
"aead": "aes-128-gcm",
"cipher-key": "4e9e8ba52ec49571841c7e3bcf01ac##########", <----------------------- Encryption Key 2
"created-timestamp": "2025-03-02 20:11:25",
"dst-ip": "##.###.42.162",
"df-policy": "copy",
"mode": "tunnel",
"encrypt-overhead": 108,
"src-ip": "##.###.6.230",
"peer_natted_port": 0,
"policy-uuid": "04c92ca9-d55d-471b-ac1e-############",
"out-seq": 0,
"replaywin-size": 960},
Once you have applied the encryption keys and other related data such as SPI and source / destination ip address, make sure you select the option "Attempt to detect/decode encrypted ESP payloads"
After this step there should be full visibility into all of the packets that were encrypted using the cipher-keys that were originally dumped.