01-01-2025 04:22 AM - edited 01-01-2025 04:23 AM
How can I extract the IKEv2 encryption keys SK_ei and SK_er on PAN-OS 11.2 (for the purpose of decoding a packet capture file in Wireshark)?
The following article describes the procedure:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLMzCAO
This worked fine on PAN-OS 11.1.
But it does not seem to work on PAN-OS 11.2 anymore, because the necessary log messages no longer appear in the log file (in fact, it seems that [INFO] and [DEBUG] message are no longer logged, only [DUMP] messages are logged, regardless of what the debug level is set to)
01-04-2025 02:23 AM - edited 01-06-2025 12:42 AM
I was able to find the answer to this question myself.
In PAN-OS 11.1 all messages were logged in file ikemgr.log.
To determine SK_ei, you had to look for a specific [DEBG] message, and then the next [DUMP] message would contain the key SK_ei.
2024-12-31 00:36:47.340 -0800 [DEBG]: { 1: }: key:
2024-12-31 00:36:47.340 -0800 [DUMP]:
662e0f05 85f10cd8 935c6dc1 f544a087SK_er was determined in a similar manner.
In PAN-OS 11.2 most messages (including [DEBG] and [INFO] messages) are logged to a different file, namely ikemgr-ng.log. However, [DUMP] message are still written to the old file ikemgr.log.
Thus, you can see the [DEBG] message in the file ikemgr-ng.log
2024:12:31T00:36:47.340-08:00 [3793-3925] [DEBG]: { 1: }: key:
And then you have to find the corresponding [DUMP] message in the old file ikemgr.log:
2024-12-31 00:36:47.340 -0800 [DUMP]:
662e0f05 85f10cd8 935c6dc1 f544a087Because the [DEBG] and [DUMP] messages are in two different files, you have to look at the timestamp of the [DEBG] message and find the corresponding [DUMP] message with the same timestamp.
It does not help that the two files use different timestamp formats (2024:12:31T00:36:47.340-08:00 versus 2024-12-31 00:36:47.340 -0800).
Also, that are typically multiple [DUMP] messages with the exact same timestamp. Even if you whittle it down to only the [DUMP] messages with exactly 16 bytes, you are still left with multiple candidates. The only way to find the right one, is to try entering all of them in Wireshark and then see which one successfully decodes the payload.
This is all extremely cumbersome and error-prone.
But it gets worse.
With the introduction of PQC in PAN-OS 11.2, there are multiple key exchanges, and multiple intermediate values of SK_ei and SK_er. Extracting these intermediate values is even more cumbersome and error-prone to the point of being nigh-impossible.
On top of that, Wireshark also does not (yet) support having multiple intermediate values of SK_ei and SK_er. For a give security association (SPI pair) you can only enter one set of SK_ei and SK_er values. Thus, to decode a full security association establishment sequence of messages (IKE_SA_INIT + 2 x IKE_INTERMEDIATE + IKE_AUTH, CREATE_CHILD_SA), you can only decrypt a subset of the message payloads for each individual SK value that you enter.
Life would be a whole lot easier if:
(1) PAN-OS had some show or debug command to show the SK_ei and SK_er values for a given security association (if PQC is enabled, there may be multiple intermediate values) instead of having to hunt for them in the log files. Other vendors has such commands.
(2) Wireshark would be enhanced to support multiple intermediate values for SK_ei and SK_er in the case of PQC.
01-02-2025 04:15 PM
Hi @brunor ,
I would recommend reaching out to support and sharing the details of your findings on this one.
01-04-2025 02:23 AM - edited 01-06-2025 12:42 AM
I was able to find the answer to this question myself.
In PAN-OS 11.1 all messages were logged in file ikemgr.log.
To determine SK_ei, you had to look for a specific [DEBG] message, and then the next [DUMP] message would contain the key SK_ei.
2024-12-31 00:36:47.340 -0800 [DEBG]: { 1: }: key:
2024-12-31 00:36:47.340 -0800 [DUMP]:
662e0f05 85f10cd8 935c6dc1 f544a087SK_er was determined in a similar manner.
In PAN-OS 11.2 most messages (including [DEBG] and [INFO] messages) are logged to a different file, namely ikemgr-ng.log. However, [DUMP] message are still written to the old file ikemgr.log.
Thus, you can see the [DEBG] message in the file ikemgr-ng.log
2024:12:31T00:36:47.340-08:00 [3793-3925] [DEBG]: { 1: }: key:
And then you have to find the corresponding [DUMP] message in the old file ikemgr.log:
2024-12-31 00:36:47.340 -0800 [DUMP]:
662e0f05 85f10cd8 935c6dc1 f544a087Because the [DEBG] and [DUMP] messages are in two different files, you have to look at the timestamp of the [DEBG] message and find the corresponding [DUMP] message with the same timestamp.
It does not help that the two files use different timestamp formats (2024:12:31T00:36:47.340-08:00 versus 2024-12-31 00:36:47.340 -0800).
Also, that are typically multiple [DUMP] messages with the exact same timestamp. Even if you whittle it down to only the [DUMP] messages with exactly 16 bytes, you are still left with multiple candidates. The only way to find the right one, is to try entering all of them in Wireshark and then see which one successfully decodes the payload.
This is all extremely cumbersome and error-prone.
But it gets worse.
With the introduction of PQC in PAN-OS 11.2, there are multiple key exchanges, and multiple intermediate values of SK_ei and SK_er. Extracting these intermediate values is even more cumbersome and error-prone to the point of being nigh-impossible.
On top of that, Wireshark also does not (yet) support having multiple intermediate values of SK_ei and SK_er. For a give security association (SPI pair) you can only enter one set of SK_ei and SK_er values. Thus, to decode a full security association establishment sequence of messages (IKE_SA_INIT + 2 x IKE_INTERMEDIATE + IKE_AUTH, CREATE_CHILD_SA), you can only decrypt a subset of the message payloads for each individual SK value that you enter.
Life would be a whole lot easier if:
(1) PAN-OS had some show or debug command to show the SK_ei and SK_er values for a given security association (if PQC is enabled, there may be multiple intermediate values) instead of having to hunt for them in the log files. Other vendors has such commands.
(2) Wireshark would be enhanced to support multiple intermediate values for SK_ei and SK_er in the case of PQC.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
