04-04-2014 02:21 AM
It is possible to debug ESP packets in Wireshark, but to do so I will need to obtain the encryption key and the authentication key for the given VPN from my Palo Alto 5050. As an example, in Linux it's possible to get this information by running the command 'ip xfrm state':
```
gw205:/ # ip xfrm state
src 192.168.140.200 dst 192.168.140.205
    proto esp spi 0x0879355b reqid 16421 mode tunnel
    replay-window 32 flag noecn nopmtudisc af-unspec
    auth hmac(sha1) 0xb8dd42a1c505bed19c2bf23cef00e5d8223c2a5b
    enc cbc(des3_ede) 0xae76ea430b10c72c882c4aeab2283444c54f913d87f5e109
src 192.168.140.205 dst 192.168.140.200
    proto esp spi 0x1c0d7b38 reqid 16421 mode tunnel
    replay-window 32 flag noecn nopmtudisc af-unspec
    auth hmac(sha1) 0xc364660133b04a4f20e52000dbe4a6ba154c09c1
    enc cbc(des3_ede) 0x39e87c9ca500616b36f2f0d3c7fb688621d7bbf31414abbd
```
Does anyone know how I can obtain this information from my Palo Alto 5050? I have tried all of the show vpn / ike-sa / ipsec-sa commands but none of them show me what I need.
For reference, here is a link to the Wireshark guide that I have been using:
How can I decrypt IKEv1 and/or ESP packets ? - Wireshark Q&A
Regards,
James.
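
An added example, not part of the original post: a small Python parser for `ip xfrm state` output in the layout shown above, which pulls out the per-SA values an ESP decryption setup needs (source, destination, SPI, algorithms, keys) and rejects keys whose length does not match the algorithm. The names `parse_xfrm_state` and `KEY_BYTES` are hypothetical, and the sample addresses, SPIs and keys are constructed placeholders.

```python
import re

# Key sizes in bytes for the two algorithms that appear in the post's output.
KEY_BYTES = {"hmac(sha1)": 20, "cbc(des3_ede)": 24}

def parse_xfrm_state(text):
    """Parse `ip xfrm state` text into one dict per ESP security association."""
    sas, cur = [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "src" and len(tok) >= 4 and tok[2] == "dst":
            cur = {"src": tok[1], "dst": tok[3]}   # a new SA starts here
            sas.append(cur)
        elif cur is None:
            continue                                # shell prompt or other noise
        elif tok[0] == "proto" and len(tok) >= 4 and tok[2] == "spi":
            cur["proto"], cur["spi"] = tok[1], int(tok[3], 16)
        elif tok[0] in ("auth", "auth-trunc", "enc") and len(tok) >= 3:
            kind, alg, key = tok[0].split("-")[0], tok[1], tok[2]
            if not re.fullmatch(r"0x(?:[0-9a-fA-F]{2})+", key):
                raise ValueError(f"malformed {kind} key for {alg}")
            raw = bytes.fromhex(key[2:])
            want = KEY_BYTES.get(alg)               # unknown algorithms pass unchecked
            if want is not None and len(raw) != want:
                raise ValueError(f"{alg}: expected {want} key bytes, got {len(raw)}")
            cur[kind + "_alg"], cur[kind + "_key"] = alg, raw
    return [sa for sa in sas if sa.get("proto") == "esp"]

# Constructed sample in the post's layout; addresses, SPIs and keys are placeholders.
SAMPLE = f"""src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x00001001 reqid 1 mode tunnel
    replay-window 32 flag noecn nopmtudisc af-unspec
    auth hmac(sha1) 0x{'11' * 20}
    enc cbc(des3_ede) 0x{'22' * 24}
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0x00001002 reqid 1 mode tunnel
    replay-window 32 flag noecn nopmtudisc af-unspec
    auth hmac(sha1) 0x{'33' * 20}
    enc cbc(des3_ede) 0x{'44' * 24}
"""

if __name__ == "__main__":
    for sa in parse_xfrm_state(SAMPLE):
        # Print key lengths only, so key material stays out of terminal scrollback.
        print(f"{sa['src']} -> {sa['dst']} spi=0x{sa['spi']:08x} "
              f"{sa['enc_alg']}/{sa['auth_alg']} "
              f"enc={len(sa['enc_key'])}B auth={len(sa['auth_key'])}B")
```

Each direction of the tunnel is a separate SA with its own SPI and keys, so both entries are needed to decrypt traffic in both directions.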