Decrypting IPSEC VPN traffic
search cancel

Decrypting IPSEC VPN traffic

book

Article ID: 398310

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

In specific use cases or scenarios it may be required to decrypt IPSEC Traffic to troubleshoot further.

This KB outlines the steps to properly decrypt traffic in order to troubleshoot application or network issues, Diagnose VPN or IPSEC problems, provide incident response, speak to regulatory compliance and data leak prevention, to optimize performance, etc.

Environment

VMware NSX

Cause

When it comes to troubleshooting NSX IPSEC VPNs, there are several layers of troubleshooting involved. The purpose of this troubleshooting article is to provide granular steps resulting in decrypted network traffic.

Resolution

  • The first step to decrypt NSX edge L2VPN traffic is to dump the keys being used for encryption.
  • To dump keys on the Edge run this command from the root shell: 'edge-appctl -t /var/run/vmware/edge/dpd.ctl ipsec/show sad dump_key'

The important fields that need to be recorded are as follows:

In the key dump following fields are important

"spi": 7402#####,   (The SPI must be converted to Hexadecimal when populated in the ESP SA field in Wireshark) 
"aead": "aes-128-gcm",
"cipher-key": "e2ac98ea2b023614e4143120188365##########",
"created-timestamp": "2025-03-02 16:33:03",
"dst-ip": "##.###.6.230",
"src-ip": "##.###.42.162",

 

Example Key Dump taken from an edge:

The following key dump may need to be performed multiple times. A key dump is taken at the start of the packet capture.  The session may expire while the packet capture is running. If this occurs then the subsequent set of keys will need to be gathered to decrypt traffic post key generation. The reason for this is that IPSEC/L2VPN tunnels can and will cycle through new encryption keys over the course of time. As an observer, you will have zero visual indication that the session keys have changed. Your role will be to collect the IPsec encryption keys before the packet captures are taken, at the end of a packet capture session, and you might perform a key dump mid-packet capture session if your session is lengthy. It is important to note the created-timestamp which indicates when the keys were created compared to the lifetime of these keys (3600 seconds). Often times if the key is going to expire it is easier to wait until new keys are created to run your packet capture- then you will likely only have to generate one key dump. 

 

Encryption Key Dump at the beginning of the packet capture session:

root@Edge:~# edge-appctl -t /var/run/vmware/edge/dpd.ctl ipsec/show sad dump_key
{
"outbound": [

"lifetime": 3600,
"tcp-mss": 0,
"nat-t": false,
"protocol": 50,
"rule-id": 74020####,
"uptime": 464,
"use-esn": false,
"auth-key": "",
"spi": 37709#####,
"vrf-id": 3,
"replaywin-seq": 0,
"ike-tunnel-id": 0,
"tcp-mss-auto-compute": false,
"vti-uuid": "04c92ca9-d55d-471b-ac1e-############",
"hitflag": 1,
"aead": "aes-128-gcm",
"cipher-key": "87f6a9a60f1247e036b89234f3ced4##########", <----------------------- Encryption Key 1
"created-timestamp": "2025-03-02 20:11:30",
"dst-ip": "##.###.6.230",
"df-policy": "copy",
"mode": "tunnel",
"encrypt-overhead": 108,
"src-ip": "##.###.42.162",
"peer_natted_port": 0,
"policy-uuid": "04c92ca9-d55d-471b-ac1e-############",
"out-seq": 537,
"replaywin-size": 960}],


"inbound": [


"lifetime": 3600,
"tcp-mss": 0,
"nat-t": false,
"protocol": 50,
"rule-id": 288768####,
"uptime": 469,
"use-esn": false,
"auth-key": "",
"spi": 4037######,
"vrf-id": 3,
"replaywin-seq": 719,
"ike-tunnel-id": 0,
"tcp-mss-auto-compute": false,
"vti-uuid": "04c92ca9-d55d-471b-ac1e-############",
"hitflag": 1,
"aead": "aes-128-gcm",
"cipher-key": "4e9e8ba52ec49571841c7e3bcf01ac##########", <----------------------- Encryption Key 2
"created-timestamp": "2025-03-02 20:11:25",
"dst-ip": "##.###.42.162",
"df-policy": "copy",
"mode": "tunnel",
"encrypt-overhead": 108,
"src-ip": "##.###.6.230",
"peer_natted_port": 0,
"policy-uuid": "04c92ca9-d55d-471b-ac1e-############",
"out-seq": 0,
"replaywin-size": 960},

 

  • Once you have obtained your encryption keys along with the .pcap file containing encrypted ESP traffic open the packet capture in Wireshark. When the file is opened it will show only ESP traffic initially as exhibited below:

  • Make note of the source and destination IP addresses and SPI value.
  • In Wireshark, right-mouse click one packet → navigate to Protocol Preferences → Encapsulating Security Payload → ESP SAs

  • Populate the fields as seen below. Add an encryption key prefix of 0x

Once you have applied the encryption keys and other related data such as SPI and source / destination ip address, make sure you select the option "Attempt to detect/decode encrypted ESP payloads"

After this step there should be full visibility into all of the packets that were encrypted using the cipher-keys that were originally dumped. 

Additional Information