On Thu, Nov 08, 2018 at 10:47:18AM +0530, Yogesh Purohit wrote:
> I was trying to decrypt IKEv1 packets using wireshark 2.6.
> For decryption of IKEv1 one needs the Initiator cookie and the encryption key.
> I have enabled log level for ike = 4 in strongswan.conf.
>
> I can see a complete dump in the log files, where I could find the encryption key.
>
> But I was unable to find the initiator cookie, without which I am unable to
> decrypt the packet.
>
> I am using strongswan version 5.5.2.
tcpdump -vv shows the cookies.

In both wireshark and charon, the cookies are called "SPI". With an IKE capture file loaded into wireshark, they are shown as ISAKMP Initiator/Responder SPI in the packet dissection pane.

To make charon log them, set the loglevel "enc = 3". The cookies are labeled as "IKE_SPI" in the logfile. The first IKE_SPI is the initiator cookie, and the second is the responder cookie; this is independent of who sent the message.

For example, the following was logged by an IKEv1 initiator (without the comments):

# message sent by the initiator (3rd message of Main Mode):
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[ENC] not encrypting payloads
[ENC] generating payload of type HEADER
[ENC] generating rule 0 IKE_SPI
[ENC]    => 8 bytes @ 0x7f5a20003f68
[ENC]       0: E7 91 90 11 9E 1D 31 8B   # Initiator Cookie
[ENC] generating rule 1 IKE_SPI
[ENC]    => 8 bytes @ 0x7f5a20003f70
[ENC]       0: B6 4B 3B B0 22 CB 9E 86   # Responder Cookie

# message received from the responder (4th message of Main Mode)
[ENC] parsing rule 0 IKE_SPI
[ENC]    => 8 bytes @ 0x7f5a300019d8
[ENC]       0: E7 91 90 11 9E 1D 31 8B   # Initiator Cookie
[ENC] parsing rule 1 IKE_SPI
[ENC]    => 8 bytes @ 0x7f5a300019e0
[ENC]       0: B6 4B 3B B0 22 CB 9E 86   # Responder Cookie

Regards
Mirko
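As an added example (not part of Mirko's reply and not strongSwan's or Wireshark's own code), the script below shows the two places the cookies live: it pulls the IKE_SPI byte dumps out of charon log output in the format quoted above, and it parses the first 16 bytes of a raw ISAKMP message as initiator cookie followed by responder cookie, which is the fixed header layout from RFC 2408 that Wireshark labels "Initiator SPI" / "Responder SPI". Matching the two is what lets you pair a captured packet with the right log entry (and key) when several IKE SAs are active. The log text and the packet bytes are constructed samples that reuse the cookie values from the reply; the rest of the header fields are assumed values for a Main Mode message.

```python
import re
import struct

# Constructed sample of charon output at loglevel enc = 3 (same shape as the
# excerpt in the reply above); not captured from a live system.
CHARON_LOG = """\
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[ENC] not encrypting payloads
[ENC] generating payload of type HEADER
[ENC] generating rule 0 IKE_SPI
[ENC]    => 8 bytes @ 0x7f5a20003f68
[ENC]       0: E7 91 90 11 9E 1D 31 8B
[ENC] generating rule 1 IKE_SPI
[ENC]    => 8 bytes @ 0x7f5a20003f70
[ENC]       0: B6 4B 3B B0 22 CB 9E 86
[ENC] parsing rule 0 IKE_SPI
[ENC]    => 8 bytes @ 0x7f5a300019d8
[ENC]       0: E7 91 90 11 9E 1D 31 8B
[ENC] parsing rule 1 IKE_SPI
[ENC]    => 8 bytes @ 0x7f5a300019e0
[ENC]       0: B6 4B 3B B0 22 CB 9E 86
"""

# An 8-byte hex dump line as charon prints it: "[ENC]   0: E7 91 ... 8B"
HEX_DUMP = re.compile(r"^\[ENC\]\s+0:\s+([0-9A-Fa-f]{2}(?:\s[0-9A-Fa-f]{2}){7})$")


def extract_cookies_from_log(log):
    """Return a list of (initiator_cookie, responder_cookie) byte pairs.

    Rule 0 IKE_SPI is always the initiator cookie and rule 1 the responder
    cookie, whether charon is 'generating' or 'parsing' the header.
    """
    pairs, current, expect = [], {}, None
    for raw in log.splitlines():
        line = raw.strip()
        if line.endswith("rule 0 IKE_SPI"):
            expect = "initiator"
        elif line.endswith("rule 1 IKE_SPI"):
            expect = "responder"
        elif expect is not None:
            m = HEX_DUMP.match(line)
            if m:
                current[expect] = bytes.fromhex(m.group(1).replace(" ", ""))
                expect = None
                if len(current) == 2:
                    pairs.append((current["initiator"], current["responder"]))
                    current = {}
    return pairs


# ISAKMP header (RFC 2408, section 3.1): 8-byte initiator cookie, 8-byte
# responder cookie, next payload, version, exchange type, flags,
# message ID, total length.  28 bytes, network byte order.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")


def parse_isakmp_header(data):
    """Parse the fixed ISAKMP header; raises ValueError on a short buffer."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("buffer shorter than a 28-byte ISAKMP header")
    icookie, rcookie, nxt, ver, exch, flags, msg_id, length = ISAKMP_HEADER.unpack_from(data)
    return {
        "initiator_cookie": icookie,   # Wireshark: "Initiator SPI"
        "responder_cookie": rcookie,   # Wireshark: "Responder SPI"
        "next_payload": nxt,
        "version": ver,
        "exchange_type": exch,         # 2 = Identity Protection (Main Mode)
        "encrypted": bool(flags & 0x01),  # E bit: payloads after the header are encrypted
        "message_id": msg_id,
        "length": length,
    }


def find_log_entry(packet, log):
    """Index of the log cookie pair matching the packet, or None."""
    hdr = parse_isakmp_header(packet)
    want = (hdr["initiator_cookie"], hdr["responder_cookie"])
    for idx, pair in enumerate(extract_cookies_from_log(log)):
        if pair == want:
            return idx
    return None


# Constructed header-only packet using the cookies from the reply; the
# remaining field values are assumptions for a third Main Mode message.
SAMPLE_PACKET = (
    bytes.fromhex("E79190119E1D318B")      # initiator cookie
    + bytes.fromhex("B64B3BB022CB9E86")    # responder cookie
    + bytes([4, 0x10, 2, 0x00])            # next payload KE, version 1.0, ID_PROT, no flags
    + (0).to_bytes(4, "big")               # message ID is 0 in phase 1
    + (ISAKMP_HEADER.size).to_bytes(4, "big")  # length: header only in this sample
)

if __name__ == "__main__":
    for init, resp in extract_cookies_from_log(CHARON_LOG):
        print("log   initiator", init.hex(), "responder", resp.hex())
    h = parse_isakmp_header(SAMPLE_PACKET)
    print("pkt   initiator", h["initiator_cookie"].hex(), "responder", h["responder_cookie"].hex())
    print("matches log entry", find_log_entry(SAMPLE_PACKET, CHARON_LOG))
```

The dump is parsed with a small state machine rather than by position because charon interleaves other [ENC] lines between the rule and its bytes; the packet side deliberately reads only the header, since the cookies sit before any encrypted payload and are readable even when the E flag is set.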