https://live.paloaltonetworks.com/t5/general-topics/vpn-encryption-authentication-key-s-for-wireshark-decryption/m-p/35142#M25816 <HTML><HEAD></HEAD><BODY><P>It is possible to debug ESP packet's in Wireshark but to do so I will need to obtain the encryption key and the authentication key for the given VPN from my Palo Alto 5050. As an example - In Linux it's possible to get this information by running the command 'ip xfrm state':</P><P></P><P>gw205:/ # ip xfrm state</P><P>src 192.168.140.200 dst 192.168.140.205</P><P>&nbsp; proto esp spi 0x0879355b reqid 16421 mode tunnel</P><P>&nbsp; replay-window 32 flag noecn nopmtudisc af-unspec</P><P> <SPAN style="color: #ff0000;"> auth hmac(sha1) 0xb8dd42a1c505bed19c2bf23cef00e5d8223c2a5b</SPAN></P><P><SPAN style="color: #ff0000;">&nbsp; enc cbc(des3_ede) 0xae76ea430b10c72c882c4aeab2283444c54f913d87f5e109</SPAN></P><P>src 192.168.140.205 dst 192.168.140.200</P><P>&nbsp; proto esp spi 0x1c0d7b38 reqid 16421 mode tunnel</P><P>&nbsp; replay-window 32 flag noecn nopmtudisc af-unspec</P><P><SPAN style="color: #ff0000;">&nbsp; auth hmac(sha1) 0xc364660133b04a4f20e52000dbe4a6ba154c09c1</SPAN></P><P><SPAN style="color: #ff0000;">&nbsp; enc cbc(des3_ede) 0x39e87c9ca500616b36f2f0d3c7fb688621d7bbf31414abbd</SPAN></P><P></P><P>Does anyone know how can I obtain this information from my Palo Alto 5050? I have tried all of the show vpn / ike-sa / ipsec-sa commands but none of them show me what I need.</P><P></P><P>For reference, here is a link to the Wireshark guide that I have been using:</P><P><A href="http://ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets" title="http://ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets">How can I decrypt IKEv1 and/or ESP packets ? - Wireshark Q&amp;A</A></P><P></P><P>Regards,</P><P>James.</P></BODY></HTML> Fri, 04 Apr 2014 09:21:26 GMT debsPal0 2014-04-04T09:21:26Z https://live.paloaltonetworks.com/t5/general-topics/vpn-encryption-authentication-key-s-for-wireshark-decryption/m-p/35142#M25816 <HTML><HEAD></HEAD><BODY><P>It is possible to debug ESP packet's in Wireshark but to do so I will need to obtain the encryption key and the authentication key for the given VPN from my Palo Alto 5050. As an example - In Linux it's possible to get this information by running the command 'ip xfrm state':</P><P></P><P>gw205:/ # ip xfrm state</P><P>src 192.168.140.200 dst 192.168.140.205</P><P>&nbsp; proto esp spi 0x0879355b reqid 16421 mode tunnel</P><P>&nbsp; replay-window 32 flag noecn nopmtudisc af-unspec</P><P> <SPAN style="color: #ff0000;"> auth hmac(sha1) 0xb8dd42a1c505bed19c2bf23cef00e5d8223c2a5b</SPAN></P><P><SPAN style="color: #ff0000;">&nbsp; enc cbc(des3_ede) 0xae76ea430b10c72c882c4aeab2283444c54f913d87f5e109</SPAN></P><P>src 192.168.140.205 dst 192.168.140.200</P><P>&nbsp; proto esp spi 0x1c0d7b38 reqid 16421 mode tunnel</P><P>&nbsp; replay-window 32 flag noecn nopmtudisc af-unspec</P><P><SPAN style="color: #ff0000;">&nbsp; auth hmac(sha1) 0xc364660133b04a4f20e52000dbe4a6ba154c09c1</SPAN></P><P><SPAN style="color: #ff0000;">&nbsp; enc cbc(des3_ede) 0x39e87c9ca500616b36f2f0d3c7fb688621d7bbf31414abbd</SPAN></P><P></P><P>Does anyone know how can I obtain this information from my Palo Alto 5050? I have tried all of the show vpn / ike-sa / ipsec-sa commands but none of them show me what I need.</P><P></P><P>For reference, here is a link to the Wireshark guide that I have been using:</P><P><A href="http://ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets" title="http://ask.wireshark.org/questions/12019/how-can-i-decrypt-ikev1-andor-esp-packets">How can I decrypt IKEv1 and/or ESP packets ? - Wireshark Q&amp;A</A></P><P></P><P>Regards,</P><P>James.</P></BODY></HTML> Fri, 04 Apr 2014 09:21:26 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-encryption-authentication-key-s-for-wireshark-decryption/m-p/35142#M25816 debsPal0 2014-04-04T09:21:26Z https://live.paloaltonetworks.com/t5/general-topics/vpn-encryption-authentication-key-s-for-wireshark-decryption/m-p/35143#M25817 <HTML><HEAD></HEAD><BODY><P>Can anyone help with this one?</P></BODY></HTML> Thu, 10 Apr 2014 12:31:01 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-encryption-authentication-key-s-for-wireshark-decryption/m-p/35143#M25817 debsPal0 2014-04-10T12:31:01Z