Last updated on: June 16 2024.

Find IPsec Keys and Apply to Wireshark

This page explains how to find the ISAKMP and ESP keys in the logs after enabling appropriate logging explained in Enable IPsec Debug. Some of the keys are not immediately obvious in the logs. There are two key types, the ISAKMP key and the IPsec/ESP key.

Find ISAKMP key

The IKEv1 ISAKMP (phase 1) key is complicated to determine without support’s guidance, so the instructions are not provided here.

The IKEv2 ISAKMP keys can be conveniently grepped from the ipsec.log.

Example:

# grep SK_ /var/log/ipsec.log
 
Oct 17 07:08:57 bigip-2-1.lab info tmm[11949]: 017c0000  [0.1] [IKE] v2 172.16.2.1%0-172.16.243.1%0 [0xa4e068d00526b437-0xfdbefe872a91fdeb][R] [DEBUG]: ikev2_dump_ike_sa_keys: SK_ai 0x6875c81264e1aa4be8c4dca7040350db1ea64ce3cf44c3af8cf5b16144457585, SK_ar 0xfa0a31f5def6b059586b30b2ba3de59654c84062ee80c98df2d7480aef568860, sha256, SK_ei 0xb13f8cbb8e75246014a033919ff3276d362f67561e4d1ea428e0e01b38c91d48, SK_er 0xa446dac179e3f5d1c1eff26b7669ebeb248ce7fc12b3e987f8eda033da99b38a, aes256
Oct 17 07:09:39 bigip-2-1.lab info tmm[11949]: 017c0000  [0.1] [IKE] v2 172.16.2.1%0-172.16.243.1%0 [0xf961e3134aaca335-0xedca1a5764960533][R] [DEBUG]: ikev2_dump_ike_sa_keys: SK_ai 0x587bf4842ad6a9671434f743f64de08a4dff6138c8a6434f524fbc8b5ea150dd, SK_ar 0x11dfb08e774b9d7ff3043c1ac7253ca1825258809cc924c25eb9572683de5326, sha256, SK_ei 0x0609cd9cf63f6b1cf074e8ad12c555c92609ec6fcd316a0f416019babb1c3083, SK_er 0x046dbe10727d68925dd9aeb6709288ca478c349a92a636a0ba9c65ece87d93d0, aes256
Oct 17 07:10:32 bigip-2-1.lab info tmm[11949]: 017c0000  [0.1] [IKE] v2 172.16.2.1%0-172.16.243.1%0 [0x2d0cf29560b0f937-0x20b3895390c04d6e][R] [DEBUG]: ikev2_dump_ike_sa_keys: SK_ai 0x3ea5124994cb99307a8d5e840b4a644eaa829dd729f182b58cf5e11ae44833cb, SK_ar 0x266467c78d36b4220082a61e340bcc5527dbfc9b4d90f5443db237f546069e7f, sha256, SK_ei 0xb5daf98aa9370c107f4e4d349a8748e23c342c298d1f880dcb976ce26012ad82, SK_er 0xf0cd6592baf080efce2ee5f2400344d3769cec8fa41c754ae1ec04139ae71a2b, aes256
Oct 17 07:11:25 bigip-2-1.lab info tmm[11949]: 017c0000  [0.1] [IKE] v2 172.16.2.1%0-172.16.243.1%0 [0x02de8178a82ac9c5-0x6f4493f6bbddb169][R] [DEBUG]: ikev2_dump_ike_sa_keys: SK_ai 0xb678f294ed2e4a746719e1b8a932558ca64e3807b4adede286a65b12b68c5fe1, SK_ar 0x9f89c8a7b73a89ffac374d3dca4237d53c82c11ead9dc08d198cbcdbcf6da3f0, sha256, SK_ei 0x2df6e8b72ddfd3a07cfa8a401ed7009f33f4e0350be53861b10c687316fb6496, SK_er 0x6a69b2ef4cadbc79acfb44061fcd27a1141fac5461a18cb35ba398fdf93d91e6, aes256

Add ISAKMP Key to Wireshark

The format is similar to Wireshark’s “IKEv2 Decryption Table”.

Edit -> Preferences -> Protocols

Wireshark’s encryption and authentication algorithm names must be mapped to the names the BIG-IP config uses. For example, Wireshark’s AES-CBC-256 is what the BIG-IP config calls aes256, and HMAC_SHA_2_256 is what the BIG-IP config calls sha256.
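The grep above leaves you copying eight hex strings by hand into the decryption table, which is error-prone. The following is an added example (not code from this page or from F5) that pulls the ikev2_dump_ike_sa_keys lines out of the ipsec.log, checks that each key has the length its algorithm requires, applies the BIG-IP to Wireshark name mapping given above, and emits one table row per IKE SA. Assumptions: the two SPIs in the log line are in IKE header order (initiator’s SPI first, responder’s SPI second; confirm against the IKE_SA_INIT exchange in the capture), the table columns are initiator SPI, responder SPI, SK_ei, SK_er, encryption algorithm, SK_ai, SK_ar, integrity algorithm, with SPIs and keys as bare hex (verify the column order against your Wireshark version), and the sample log text is constructed from the page’s own example line plus one filler line.

```python
import re
from typing import Dict, List

# Constructed sample: the first ikev2_dump_ike_sa_keys line from this page's grep output,
# preceded by a filler line to show that lines without key material are skipped.
SAMPLE_IPSEC_LOG = """\
Oct 17 07:08:50 bigip-2-1.lab info tmm[11949]: 017c0000  [0.1] [IKE] v2 172.16.2.1%0-172.16.243.1%0 [0xa4e068d00526b437-0xfdbefe872a91fdeb][R] [DEBUG]: constructed filler line, no key material
Oct 17 07:08:57 bigip-2-1.lab info tmm[11949]: 017c0000  [0.1] [IKE] v2 172.16.2.1%0-172.16.243.1%0 [0xa4e068d00526b437-0xfdbefe872a91fdeb][R] [DEBUG]: ikev2_dump_ike_sa_keys: SK_ai 0x6875c81264e1aa4be8c4dca7040350db1ea64ce3cf44c3af8cf5b16144457585, SK_ar 0xfa0a31f5def6b059586b30b2ba3de59654c84062ee80c98df2d7480aef568860, sha256, SK_ei 0xb13f8cbb8e75246014a033919ff3276d362f67561e4d1ea428e0e01b38c91d48, SK_er 0xa446dac179e3f5d1c1eff26b7669ebeb248ce7fc12b3e987f8eda033da99b38a, aes256
"""

# BIG-IP config name -> Wireshark IKEv2 decryption table name, as given on this page.
# Extend this table if your tunnels negotiate other algorithms.
BIGIP_TO_WIRESHARK_ALG = {"aes256": "AES-CBC-256", "sha256": "HMAC_SHA_2_256"}

# Expected key length in bytes per BIG-IP algorithm name: AES-256 keys and HMAC-SHA2-256
# integrity keys are both 32 bytes. Used to catch truncated copy/paste or a wrapped log line.
EXPECTED_KEY_BYTES = {"aes256": 32, "sha256": 32}

# Matches the SPI pair, the role marker ([I]/[R]) and the four SK_ values of one log line.
SA_KEYS_RE = re.compile(
    r"\[0x(?P<spi_first>[0-9a-f]{16})-0x(?P<spi_second>[0-9a-f]{16})\]\[(?P<role>[IR])\].*?"
    r"SK_ai 0x(?P<sk_ai>[0-9a-f]+), SK_ar 0x(?P<sk_ar>[0-9a-f]+), (?P<integ>\w+), "
    r"SK_ei 0x(?P<sk_ei>[0-9a-f]+), SK_er 0x(?P<sk_er>[0-9a-f]+), (?P<enc>\w+)"
)


def parse_ikev2_sa_keys(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per ikev2_dump_ike_sa_keys line, after validating key lengths."""
    entries = []
    for line in log_text.splitlines():
        m = SA_KEYS_RE.search(line)
        if not m:
            continue
        entry = m.groupdict()
        for key_name, alg in (("sk_ei", entry["enc"]), ("sk_er", entry["enc"]),
                              ("sk_ai", entry["integ"]), ("sk_ar", entry["integ"])):
            if alg not in EXPECTED_KEY_BYTES:
                raise ValueError(f"no key-length rule for algorithm {alg!r}")
            if len(entry[key_name]) != 2 * EXPECTED_KEY_BYTES[alg]:
                raise ValueError(f"{key_name} has {len(entry[key_name]) // 2} bytes, "
                                 f"expected {EXPECTED_KEY_BYTES[alg]} for {alg}")
        entries.append(entry)
    return entries


def to_wireshark_row(entry: Dict[str, str]) -> List[str]:
    """Order the parsed values as IKEv2 decryption table columns (assumed order, see lead-in).

    The SPI order assumes the log prints the initiator's SPI first; check it against the
    IKE_SA_INIT packet in the capture before trusting a decrypt that fails.
    """
    return [
        entry["spi_first"],                        # initiator's SPI
        entry["spi_second"],                       # responder's SPI
        entry["sk_ei"], entry["sk_er"],
        BIGIP_TO_WIRESHARK_ALG[entry["enc"]],      # encryption algorithm
        entry["sk_ai"], entry["sk_ar"],
        BIGIP_TO_WIRESHARK_ALG[entry["integ"]],    # integrity algorithm
    ]


if __name__ == "__main__":
    for sa in parse_ikev2_sa_keys(SAMPLE_IPSEC_LOG):
        print(",".join(f'"{col}"' for col in to_wireshark_row(sa)))
```

Run it against a copy of /var/log/ipsec.log (or the grep output) and paste each printed row into the decryption table; if Wireshark still shows the IKE_AUTH payloads as encrypted, swap the two SPI columns, since the initiator/responder order is the assumption most likely to differ between log formats.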

Find IPsec Key

The IPsec key decrypts the ESP packets; it is not needed to decrypt the ISAKMP negotiation. Decrypt the ESP packets to see the user data they carry.

The instructions are the same for IKEv1 and IKEv2.

When the IPsec SA comes up (IKEv1 or IKEv2), the ipsec.log and tmm logs contain entries like the following example:

ipsec.log entry for SPI 0x057d2aa8, including the key:

Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] pfkey <active dir=rac-SEND/tmm-RECV at=bigip_pfkey_process_msg p=0x400147796308 crc=0x4b5101cc trail=' racoon2'/>
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] (sadb_msg ver=2 type=3:ADD err=0 satype=3:SATYPE_ESP len=256 tmid=0.3 seq=0x318e72 pid=0
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . (sadb_sa sz=16 len=16 xt=1:SA spi=0x057d2aa8 replay=32 state=1:MATURE auth=5:X_AALG_SHA2_256HMAC encrypt=12 flags=0)
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . (sadb_x_sa_id sz=32 len=32 xt=29:X_EXT_SA_ID mode=2:IPSEC_MODE_TUNNEL subtype=0 res16=0
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . . . sequ=0 id=0.0:0:0xe963 spi=0x00000000 res32=0:0:0x316a190)
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . (sadb_lifetime sz=32 len=32 xt=3:EXT_LIFETIME_HARD allocs=0 bytes=0 addtime=300 usetime=0)
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . (sadb_lifetime sz=32 len=32 xt=4:EXT_LIFETIME_SOFT allocs=0 bytes=0 addtime=246 usetime=0)
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . (sadb_address kind=AF_INET sz=8 len=24 xt=5:EXT_ADDRESS_SRC proto=255 prefixlen=0 rtdom=0
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . . . (sockaddr sz=16 family=2:AF_INET port=500 addr=10.2.2.2))
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . (sadb_address kind=AF_INET sz=8 len=24 xt=6:EXT_ADDRESS_DST proto=255 prefixlen=0 rtdom=0
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . . . (sockaddr sz=16 family=2:AF_INET port=500 addr=10.1.1.1))
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . (sadb_key sz=8 len=40 xt=9:EXT_KEY_ENCRYPT bits=256 res=0
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . . . (key p=0x4001477963c0 len=32
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . . . . . 00008: 63 0b db 40 93 d2 9a 9d af b0 58 0c d8 ca ce 30 'c..@......X....0'
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . . . . . 00018: dd 19 ad d5 29 91 2b 75 dd 67 d6 18 04 67 fc 8d '....).+u.g...g..'))
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . (sadb_key sz=8 len=40 xt=8:EXT_KEY_AUTH bits=256 res=0
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . . . (key p=0x4001477963e8 len=32
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . . . . . 00008: 43 24 5c 86 1b 40 bd 1b 83 5d a7 93 bf 33 d1 2a 'C$\..@...]...3.*'
Jun 12 09:36:21 bigip1 info tmm[18982]: 017c0000 [0.3] [IKE] @ . . . . . 00018: 3c 83 c6 ed c9 1c 89 19 51 ac d6 c0 23 20 d1 3c '<.......Q...# .<')))

tmm log entry for the other SPI, 0x02431fa8, including the key:

<13> Jun 12 09:36:21 localhost.localdomain notice pfkey <active dir=rac-SEND/tmm-RECV at=bigip_pfkey_process_msg p=0x400147796308 crc=0x7530c0b9 trail=' racoon2'/>
<13> Jun 12 09:36:21 localhost.localdomain notice (sadb_msg ver=2 type=2:UPDATE err=0 satype=3:SATYPE_ESP len=256 tmid=0.3 seq=0x318e72 pid=0
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_sa sz=16 len=16 xt=1:SA spi=0x02431fa8 replay=32 state=1:MATURE auth=5:X_AALG_SHA2_256HMAC encrypt=12 flags=0)
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_x_sa_id sz=32 len=32 xt=29:X_EXT_SA_ID mode=2:IPSEC_MODE_TUNNEL subtype=0 res16=0
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . sequ=0 id=0.0:0:0xe962 spi=0x00000000 res32=0:0:0x316a190)
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_lifetime sz=32 len=32 xt=3:EXT_LIFETIME_HARD allocs=0 bytes=0 addtime=300 usetime=0)
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_lifetime sz=32 len=32 xt=4:EXT_LIFETIME_SOFT allocs=0 bytes=0 addtime=266 usetime=0)
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_address kind=AF_INET sz=8 len=24 xt=5:EXT_ADDRESS_SRC proto=255 prefixlen=0 rtdom=0
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . (sockaddr sz=16 family=2:AF_INET port=500 addr=10.1.1.1))
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_address kind=AF_INET sz=8 len=24 xt=6:EXT_ADDRESS_DST proto=255 prefixlen=0 rtdom=0
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . (sockaddr sz=16 family=2:AF_INET port=500 addr=10.2.2.2)
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_key sz=8 len=40 xt=9:EXT_KEY_ENCRYPT bits=256 res=0
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . (key p=0x4001477963c0 len=32
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . . . 00008: 2c f3 92 5e 4b bd cb a7 55 ae 49 1e b7 9d 2a f4 ',..^K...U.I...*.'
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . . . 00018: 6b cf b3 06 ce 1e 68 1c c5 64 f9 b9 68 c4 32 67 'k.....h..d..h.2g'))
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_key sz=8 len=40 xt=8:EXT_KEY_AUTH bits=256 res=0
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . (key p=0x4001477963e8 len=32
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . . . 00008: 14 ce 8c 2c 8d 53 c1 3a 32 87 c1 80 2a f5 84 1c '...,.S.:2...*...'
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . . . 00018: f8 94 5d 73 6a 3a f8 4e 94 f8 b4 e1 72 bb 23 8b '..]sj:.N....r.#.')))

The encryption and authentication keys are the hex part of the key payload:

@ . (sadb_key sz=8 len=40 xt=9:EXT_KEY_ENCRYPT bits=256 res=0
@ . . . (key p=0x4001477963c0 len=32
@ . . . . . 00008: 2c f3 92 5e 4b bd cb a7 55 ae 49 1e b7 9d 2a f4
@ . . . . . 00018: 6b cf b3 06 ce 1e 68 1c c5 64 f9 b9 68 c4 32 67

@ . . . (key p=0x4001477963e8 len=32
@ . . . . . 00008: 14 ce 8c 2c 8d 53 c1 3a 32 87 c1 80 2a f5 84 1c
@ . . . . . 00018: f8 94 5d 73 6a 3a f8 4e 94 f8 b4 e1 72 bb 23 8b

Search the logs for EXT_KEY_ENCRYPT.

In earlier software versions the logging may not include the SPI, but it can be inferred from the surrounding log entries or from the IP addresses in the output. In the case above, the SPI values are shown as spi=0x051c6461 and spi=0x020b700e.

When multiple tunnels are logging at the same time, the ipsec.log has interleaved messages from different tmms, so the output can be confusing. Cleaner data is in the /var/log/tmm* logs, which look like the second SPI log in the example above. The first SPI output is taken from the ipsec.log; note that [0.3] indicates that tmm3 handles that SPI.

The tmsh show net ipsec ipsec-sa all-properties command shows the SPI values, which you must give to Wireshark if you cannot get them from the debug output above.

IPsec::SecurityAssociations
10.1.1.1 -> 10.2.2.2  
--------------------------------------------------------------------------------------------------
  tmm: 3   
  Direction: in;  SPI: 0x2431fa8(37953448);  Policy ID: 0xe962(59746)
  Protocol: esp;  Mode: tunnel;  State: mature   
  Encryption : aes256  
  Authentication: sha256   
  Current Usage: 30304 bytes   
  Hard lifetime: 139 seconds; unlimited bytes  
  Soft lifetime: 105 seconds; unlimited bytes  
  Replay window size: 32   
  Last use: 06/12/2024:09:39                                             Create:  06/12/2024:09:36

10.2.2.2 -> 10.1.1.1   
---------------------------------------------------------------------------------------------------
  tmm: 5  
  Direction: out;  SPI: 0x57d2aa8(92089000);  Policy ID: 0xe963(59747)
  Protocol: esp;  Mode: tunnel;  State: mature  
  Encryption : aes256   
  Authentication: sha256  
  Current Usage: 12832 bytes  
  Hard lifetime: 139 seconds; unlimited bytes   
  Soft lifetime: 85 seconds; unlimited bytes  
  Replay window size: 32  
  Last use: 06/12/2024:09:39                                              Create:  06/12/2024:09:36

Add IPsec Key to Wireshark

Note that the example below uses data from a different source from the earlier data.

Open the pcap and find an ESP packet to decrypt.

Right click anywhere in the ESP headers or payload and make sure the following are checked. Then select ESP SAs.

Add the ESP info. Notice the 0x (to denote Hex) prefixing the SPI and keys.
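Picking the key bytes out of the pfkey dump and joining them into one 0x-prefixed string is the step where a wrong byte silently breaks decryption. The following is an added example (not code from this page or from F5) that parses the sadb_sa, sadb_address and sadb_key records of a pfkey dump, reassembles the EXT_KEY_ENCRYPT and EXT_KEY_AUTH hex lines, checks the assembled key length against the bits= value, and produces the fields the ESP SAs dialog asks for, with the 0x prefix on the SPI and both keys. It accepts the ipsec.log and the tmm log prefixes because it ignores everything before the record markers. Assumptions: the sample text is the tmm log dump for SPI 0x02431fa8 copied from this page; the Wireshark algorithm labels in the two mapping tables are assumed, so choose the matching entries from the dialog’s drop-downs on your version; encrypt=12 is mapped to AES-CBC because the tmsh output on this page shows that SA as aes256, and X_AALG_SHA2_256HMAC is mapped to the 128-bit-ICV SHA-256 variant.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the tmm-log pfkey dump for SPI 0x02431fa8 shown on this page.
SAMPLE_TMM_LOG = """\
<13> Jun 12 09:36:21 localhost.localdomain notice (sadb_msg ver=2 type=2:UPDATE err=0 satype=3:SATYPE_ESP len=256 tmid=0.3 seq=0x318e72 pid=0
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_sa sz=16 len=16 xt=1:SA spi=0x02431fa8 replay=32 state=1:MATURE auth=5:X_AALG_SHA2_256HMAC encrypt=12 flags=0)
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_x_sa_id sz=32 len=32 xt=29:X_EXT_SA_ID mode=2:IPSEC_MODE_TUNNEL subtype=0 res16=0
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . sequ=0 id=0.0:0:0xe962 spi=0x00000000 res32=0:0:0x316a190)
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_address kind=AF_INET sz=8 len=24 xt=5:EXT_ADDRESS_SRC proto=255 prefixlen=0 rtdom=0
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . (sockaddr sz=16 family=2:AF_INET port=500 addr=10.1.1.1))
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_address kind=AF_INET sz=8 len=24 xt=6:EXT_ADDRESS_DST proto=255 prefixlen=0 rtdom=0
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . (sockaddr sz=16 family=2:AF_INET port=500 addr=10.2.2.2)
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_key sz=8 len=40 xt=9:EXT_KEY_ENCRYPT bits=256 res=0
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . (key p=0x4001477963c0 len=32
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . . . 00008: 2c f3 92 5e 4b bd cb a7 55 ae 49 1e b7 9d 2a f4 ',..^K...U.I...*.'
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . . . 00018: 6b cf b3 06 ce 1e 68 1c c5 64 f9 b9 68 c4 32 67 'k.....h..d..h.2g'))
<13> Jun 12 09:36:21 localhost.localdomain notice @ . (sadb_key sz=8 len=40 xt=8:EXT_KEY_AUTH bits=256 res=0
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . (key p=0x4001477963e8 len=32
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . . . 00008: 14 ce 8c 2c 8d 53 c1 3a 32 87 c1 80 2a f5 84 1c '...,.S.:2...*...'
<13> Jun 12 09:36:21 localhost.localdomain notice @ . . . . . 00018: f8 94 5d 73 6a 3a f8 4e 94 f8 b4 e1 72 bb 23 8b '..]sj:.N....r.#.')))
"""

# SPI, authentication algorithm name and encryption algorithm number from the sadb_sa record.
SADB_SA_RE = re.compile(r"spi=0x(?P<spi>[0-9a-f]+).*?auth=\d+:(?P<auth>\w+) encrypt=(?P<enc>\d+)")
# One hex-dump line: a five-digit offset, the bytes, then the quoted ASCII rendering.
HEX_DUMP_RE = re.compile(r"\b[0-9a-f]{5}: ((?:[0-9a-f]{2} )+)'")

# Wireshark ESP SA labels (assumed; pick the matching drop-down entry on your version).
# PF_KEY encrypt=12 appears beside aes256 in this page's tmsh output, hence AES-CBC.
PFKEY_ENC_TO_WIRESHARK = {12: "AES-CBC [RFC3602]"}
PFKEY_AUTH_TO_WIRESHARK = {"X_AALG_SHA2_256HMAC": "HMAC-SHA-256-128 [RFC4868]"}


def parse_pfkey_esp_sas(log_text: str) -> List[Dict]:
    """Return one dict per sadb_sa record: SPI, endpoints, algorithms and assembled keys."""
    sas: List[Dict] = []
    cur: Optional[Dict] = None
    key_field: Optional[str] = None   # which key the following hex-dump lines belong to
    addr_field: Optional[str] = None  # which endpoint the next sockaddr line describes
    for line in log_text.splitlines():
        if "(sadb_sa " in line:
            m = SADB_SA_RE.search(line)
            if not m:
                raise ValueError(f"unparseable sadb_sa record: {line}")
            cur = {"spi": "0x" + m.group("spi").zfill(8), "auth_alg": m.group("auth"),
                   "encrypt_id": int(m.group("enc")), "src": None, "dst": None,
                   "enc_key": "", "auth_key": "", "bits": {}}
            sas.append(cur)
            key_field = addr_field = None
            continue
        if cur is None:
            continue
        if "EXT_ADDRESS_SRC" in line:
            addr_field = "src"
        elif "EXT_ADDRESS_DST" in line:
            addr_field = "dst"
        elif "(sockaddr " in line and addr_field:
            cur[addr_field] = re.search(r"addr=([0-9a-f.:]+)", line).group(1)
            addr_field = None
        elif "EXT_KEY_ENCRYPT" in line or "EXT_KEY_AUTH" in line:
            key_field = "enc_key" if "EXT_KEY_ENCRYPT" in line else "auth_key"
            cur["bits"][key_field] = int(re.search(r"bits=(\d+)", line).group(1))
        else:
            m = HEX_DUMP_RE.search(line)
            if m and key_field:
                cur[key_field] += m.group(1).replace(" ", "")
    # A wrapped or truncated dump yields the wrong number of bytes: fail loudly, not in Wireshark.
    for sa in sas:
        for field, bits in sa["bits"].items():
            if len(sa[field]) * 4 != bits:
                raise ValueError(f"{sa['spi']} {field}: got {len(sa[field]) * 4} bits, expected {bits}")
    return sas


def to_wireshark_esp_sa(sa: Dict) -> Dict[str, str]:
    """Map one parsed SA onto the ESP SAs dialog fields, 0x-prefixing the SPI and keys."""
    return {
        "protocol": "IPv4",
        "src_ip": sa["src"],
        "dst_ip": sa["dst"],
        "spi": sa["spi"],
        "encryption": PFKEY_ENC_TO_WIRESHARK[sa["encrypt_id"]],
        "encryption_key": "0x" + sa["enc_key"],
        "authentication": PFKEY_AUTH_TO_WIRESHARK[sa["auth_alg"]],
        "authentication_key": "0x" + sa["auth_key"],
    }


if __name__ == "__main__":
    for sa in parse_pfkey_esp_sas(SAMPLE_TMM_LOG):
        for field, value in to_wireshark_esp_sa(sa).items():
            print(f"{field:20s} {value}")
```

Feed it the relevant section of /var/log/tmm* (or ipsec.log for a single tmm) and enter one ESP SA per printed record; the src/dst pair plus SPI must match the direction of the ESP packet you right-clicked, so an SA that decrypts nothing is usually the other direction’s entry.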

Example decrypted view of ESP with echo request:

Example decrypted view of ESP with echo reply: