https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-decrypt-esp-ipsec-packet-using-wireshark/m-p/571104#M2326 <P>Sometimes you want to see how the tunnel mode encapsulation occurs, especially when using GRE over IPsec and VTI IPsec and you would like to decrypt the ESP or IPSEC packet to see how packet is encaspulated on both scenarios (GRE over IPsec and VTI IPsec, especially for studying or may be for troubleshooting.</P> <P>&nbsp;</P> <P>Below how to do it:</P> <P>&nbsp;</P> <P>Configue the ESP encryption with null in the IPsec Crypto Profile.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="6.png" style="width: 996px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56139iE8BADC0EA2CD7ADD/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="6.png" alt="6.png" /></span></P> <P>&nbsp;</P> <P>Run the packet capture on PaloAlto to capture the PCAP File.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="9.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56143iDFAF6C242D72AB0A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="9.png" alt="9.png" /></span></P> <P>&nbsp;</P> <P>Open wireshark. right-click on the ESP packet, in this scenario the ESP SA from the source 10.1.15.120 to the destination 10.1.15.121. Under the Protocol Preferences, check the the option<STRONG> "Attempt to Detect/Decode NULL Encrypted ESP Payload"</STRONG> as shown below.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56140i7E38CAC637B59271/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P> <P>&nbsp;</P> <P>Finally you can see the ESP Packet payload in clear text:</P> <P>&nbsp;</P> <P><STRONG>ESP Packet with VTI IPsec</STRONG></P> <P>&nbsp;</P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="8.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56141i5A82E8F6F6CB5D5E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="8.png" alt="8.png" /></span></STRONG></P> <P>&nbsp;</P> <P><STRONG>ESP Packet with GRE Over IPsec </STRONG></P> <P>&nbsp;</P> <P><STRONG><STRONG><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="7.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56142i12AC202502D43B1A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="7.png" alt="7.png" /></span></STRONG></STRONG></STRONG></P> <P>&nbsp;</P> Thu, 28 Dec 2023 09:13:27 GMT rmeddane 2023-12-28T09:13:27Z https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-decrypt-esp-ipsec-packet-using-wireshark/m-p/571104#M2326 <P>Sometimes you want to see how the tunnel mode encapsulation occurs, especially when using GRE over IPsec and VTI IPsec and you would like to decrypt the ESP or IPSEC packet to see how packet is encaspulated on both scenarios (GRE over IPsec and VTI IPsec, especially for studying or may be for troubleshooting.</P> <P>&nbsp;</P> <P>Below how to do it:</P> <P>&nbsp;</P> <P>Configue the ESP encryption with null in the IPsec Crypto Profile.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="6.png" style="width: 996px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56139iE8BADC0EA2CD7ADD/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="6.png" alt="6.png" /></span></P> <P>&nbsp;</P> <P>Run the packet capture on PaloAlto to capture the PCAP File.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="9.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56143iDFAF6C242D72AB0A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="9.png" alt="9.png" /></span></P> <P>&nbsp;</P> <P>Open wireshark. right-click on the ESP packet, in this scenario the ESP SA from the source 10.1.15.120 to the destination 10.1.15.121. Under the Protocol Preferences, check the the option<STRONG> "Attempt to Detect/Decode NULL Encrypted ESP Payload"</STRONG> as shown below.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56140i7E38CAC637B59271/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P> <P>&nbsp;</P> <P>Finally you can see the ESP Packet payload in clear text:</P> <P>&nbsp;</P> <P><STRONG>ESP Packet with VTI IPsec</STRONG></P> <P>&nbsp;</P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="8.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56141i5A82E8F6F6CB5D5E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="8.png" alt="8.png" /></span></STRONG></P> <P>&nbsp;</P> <P><STRONG>ESP Packet with GRE Over IPsec </STRONG></P> <P>&nbsp;</P> <P><STRONG><STRONG><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="7.png" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/56142i12AC202502D43B1A/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="7.png" alt="7.png" /></span></STRONG></STRONG></STRONG></P> <P>&nbsp;</P> Thu, 28 Dec 2023 09:13:27 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/how-to-decrypt-esp-ipsec-packet-using-wireshark/m-p/571104#M2326 rmeddane 2023-12-28T09:13:27Z