fgilloteau_FTNT
Article Id 194979
Description
This article explains how to convert the raw packet data in the IKE debug log to a pcap file that can be opened in Wireshark.

Solution
It is assumed that the VPN debug log has been collected with the commands:

# diag debug enable
# diag debug application ike -1


Example:

ike 2: comes 192.168.169.83:500->172.31.18.151:500,ifindex=13....
ike 2: IKEv2 exchange=SA_INIT id=9a48a5cf7960ff49/0000000000000000 len=440
ike 2: in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
ike 2:9a48a5cf7960ff49/0000000000000000:2: responder received SA_INIT msg
ike 2:9a48a5cf7960ff49/0000000000000000:2: received notify type NAT_DETECTION_SOURCE_IP
ike 2:9a48a5cf7960ff49/0000000000000000:2: received notify type NAT_DETECTION_DESTINATION_IP
ike 2:9a48a5cf7960ff49/0000000000000000:2: incoming proposal:
ike 2:9a48a5cf7960ff49/0000000000000000:2: proposal id = 1:
ike 2:9a48a5cf7960ff49/0000000000000000:2:   protocol = IKEv2:
ike 2:9a48a5cf7960ff49/0000000000000000:2:      encapsulation = IKEv2/none
ike 2:9a48a5cf7960ff49/0000000000000000:2:         type=ENCR, val=3DES_CBC
ike 2:9a48a5cf7960ff49/0000000000000000:2:         type=ENCR, val=AES_CBC (key_len = 128)
ike 2:9a48a5cf7960ff49/0000000000000000:2:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike 2:9a48a5cf7960ff49/0000000000000000:2:         type=PRF, val=PRF_HMAC_SHA
ike 2:9a48a5cf7960ff49/0000000000000000:2:         type=DH_GROUP, val=MODP2048.
ike 2:9a48a5cf7960ff49/0000000000000000:2: matched proposal id 1
ike 2:9a48a5cf7960ff49/0000000000000000:2: proposal id = 1:
ike 2:9a48a5cf7960ff49/0000000000000000:2:   protocol = IKEv2:
ike 2:9a48a5cf7960ff49/0000000000000000:2:      encapsulation = IKEv2/none
ike 2:9a48a5cf7960ff49/0000000000000000:2:         type=ENCR, val=AES_CBC (key_len = 128)
ike 2:9a48a5cf7960ff49/0000000000000000:2:         type=INTEGR, val=AUTH_HMAC_SHA_96
ike 2:9a48a5cf7960ff49/0000000000000000:2:         type=PRF, val=PRF_HMAC_SHA
ike 2:9a48a5cf7960ff49/0000000000000000:2:         type=DH_GROUP, val=MODP2048.
ike 2:9a48a5cf7960ff49/0000000000000000:2: lifetime=90000
ike 2:9a48a5cf7960ff49/0000000000000000:2: SA proposal chosen, matched gateway dc_tun
ike 2:dc_tun:2: processing notify type NAT_DETECTION_SOURCE_IP
ike 2:dc_tun:2: processing NAT-D payload
ike 2:dc_tun:2: NAT detected: PEER
ike 2:dc_tun:2: process NAT-D
ike 2:dc_tun:2: processing notify type NAT_DETECTION_DESTINATION_IP
ike 2:dc_tun:2: processing NAT-D payload
ike 2:dc_tun:2: NAT detected: PEER
ike 2:dc_tun:2: process NAT-D
ike 2:dc_tun:2: responder preparing SA_INIT msg
ike 2:dc_tun:2: sending CERTREQ payload
ike 2:dc_tun:2: out 9A48A5CF7960FF4911CE56DA0C5722512120222000000000000001B9220000300000002C010100040300000C0100000C800E008003000008020000020300000803000002000000080400000E28000108000E0000CFE8F1A8EFA120D1C8569286913459A6E0A83D5D05159743FB96B86F44405997D830E11AC33C043F04D2E9760F73EF8BA5895369015DCA3F18BCFBF018EA5C9DB4A36D376E206CA2818DE14CB149CF869D7920255C236766D62E84A816164C119837F0A4394A77452EAC2E74C4D0EC6B30EEC6061D7C5B2941B8B85F0D3D2E383DC2F198DD3EEF513F84518B9B6514394D921CA9E6982D8DA02CB333008E89453B9D7DB2281B4F22CEAE2BC88A17F1022D8A37534F00F1A6BFFCAAA8F1BBB81ACA80CB151DC4941EB5EC10B0D4E74D391BE20558F7AC2DACDF54BA17C80E074B5FDB02E0834EE050F59366F2BC16754501F35AB48BDA973CF939C4D910CEDEA6290000145D929071858E86E7B1BD14E81972FF5D2900001C00004004B78ACF4C69A54D566C7D7B044FA542079B43E72C2600001C0000400521B909753445022BC9D4BAB6A3816A66D1610C9500000019046F58B23D5B72D0604FD9CB3D4D2BDCF12384EF9D
ike 2:dc_tun:2: sent IKE msg (SA_INIT_RESPONSE): 172.31.18.151:500->192.168.169.83:500, len=441, id=9a48a5cf7960ff49/11ce56da0c572251
ike 2:dc_tun:2: IKE SA 9a48a5cf7960ff49/11ce56da0c572251 SK_ei 16:C6165BE347CD02706FD7FD2E97F72F6B
ike 2:dc_tun:2: IKE SA 9a48a5cf7960ff49/11ce56da0c572251 SK_er 16:825D0739BC79F9619F6B14003A28ECB2
ike 2:dc_tun:2: IKE SA 9a48a5cf7960ff49/11ce56da0c572251 SK_ai 20:5358EB25E400D0E6EFB8407A75F09415500C0B3D
ike 2:dc_tun:2: IKE SA 9a48a5cf7960ff49/11ce56da0c572251 SK_ar 20:CFC8A521C171E0961E477E5A4268ED4C14498853
ike 2: comes 192.168.169.83:4500->172.31.18.151:4500,ifindex=13....
ike 2: IKEv2 exchange=AUTH id=9a48a5cf7960ff49/11ce56da0c572251:00000001 len=1132
ike 2: in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
ike 2:dc_tun:2: dec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
ike 2:dc_tun:2: responder received AUTH msg
ike 2:dc_tun:2: received peer identifier DER_ASN1_DN, CN='femto'
ike 2:dc_tun:2: Validating X.509 certificate
ike 2:dc_tun:2: peer cert, subject='femto', issuer='myCA'
ike 2:dc_tun:2: building fnbam peer candidate list
ike 2:dc_tun:2: FNBAM_GROUP_NAME candidate 'Femto_Devices_CA'
ike 2:dc_tun:2: certificate validation pending
ike 2:dc_tun:2: fnbam reply 'Femto_Devices_CA'
ike 2:dc_tun:2: fnbam matched peer 'Femto_Devices_CA'
ike 2:dc_tun:2: certificate validation succeeded
ike 2:dc_tun:2: signature verification succeeded
ike 2:dc_tun:2: auth verify done
ike 2:dc_tun:2: responder AUTH continuation
ike 2:dc_tun:2: authentication succeeded
ike 2:dc_tun:2: received notify type MOBIKE_SUPPORTED
ike 2:dc_tun:2: processing child notify type MOBIKE_SUPPORTED
ike 2:dc_tun:2: processing notify type MOBIKE_SUPPORTED
ike 2:dc_tun:2: received notify type ADDITIONAL_IP4_ADDRESS
ike 2:dc_tun:2: processing child notify type ADDITIONAL_IP4_ADDRESS
ike 2:dc_tun:2: processing notify type ADDITIONAL_IP4_ADDRESS
ike 2:dc_tun:2: received notify type ADDITIONAL_IP4_ADDRESS
ike 2:dc_tun:2: processing child notify type ADDITIONAL_IP4_ADDRESS
ike 2:dc_tun:2: processing notify type ADDITIONAL_IP4_ADDRESS
ike 2:dc_tun:2: received notify type 16417
ike 2:dc_tun:2: processing child notify type 16417
ike 2:dc_tun:2: processing notify type 16417
ike 2:dc_tun:2: responder creating new child
ike 2:dc_tun:2: mode-cfg type 1 request 0:''
ike 2:dc_tun:2: mode-cfg using allocated IPv4 10.115.0.2
ike 2:dc_tun:2: mode-cfg type 3 request 0:''
ike 2:dc_tun:2:103: peer proposal:
ike 2:dc_tun:2:103: TSi_0 0:0.0.0.0-255.255.255.255:0
ike 2:dc_tun:2:103: TSr_0 0:0.0.0.0-255.255.255.255:0
ike 2:dc_tun:2:dc_tun:103: trying
ike 2:dc_tun: override remote selector with mode-cfg assigned address 10.115.0.2
ike 2:dc_tun:2:dc_tun:103: matched phase2
ike 2:dc_tun:2:103: accepted proposal:
ike 2:dc_tun:2:103: TSi_0 0:10.115.0.2-10.115.0.2:0
ike 2:dc_tun:2:103: TSr_0 0:10.58.0.0-10.58.3.255:0
ike 2:dc_tun:2:dc_tun:103: dialup
ike 2:dc_tun:2:dc_tun:103: incoming child SA proposal:
ike 2:dc_tun:2:dc_tun:103: proposal id = 1:
ike 2:dc_tun:2:dc_tun:103:   protocol = ESP:
ike 2:dc_tun:2:dc_tun:103:      encapsulation = TUNNEL
ike 2:dc_tun:2:dc_tun:103:         type=ENCR, val=AES_CBC (key_len = 128)
ike 2:dc_tun:2:dc_tun:103:         type=INTEGR, val=SHA
ike 2:dc_tun:2:dc_tun:103:         PFS is disabled
ike 2:dc_tun:2:dc_tun:103: matched proposal id 1
ike 2:dc_tun:2:dc_tun:103: proposal id = 1:
ike 2:dc_tun:2:dc_tun:103:   protocol = ESP:
ike 2:dc_tun:2:dc_tun:103:      encapsulation = TUNNEL
ike 2:dc_tun:2:dc_tun:103:         type=ENCR, val=AES_CBC (key_len = 128)
ike 2:dc_tun:2:dc_tun:103:         type=INTEGR, val=SHA
ike 2:dc_tun:2:dc_tun:103:         PFS is disabled
ike 2:dc_tun:2:dc_tun:103: lifetime=10800
ike 2:dc_tun:2: responder preparing AUTH msg
ike 2:dc_tun:2: remote port change 500 -> 4500
ike 2:dc_tun:2: established IKE SA 9a48a5cf7960ff49/11ce56da0c572251
ike 2:dc_tun: adding new dynamic tunnel for 192.168.169.83:4500
ike 2:dc_tun_0: added new dynamic tunnel for 192.168.169.83:4500
ike 2:dc_tun_0:2: local cert, subject='secgw', issuer='myCA'
ike 2:dc_tun_0:2: local CA cert, subject='myCA', issuer='myCA'
ike 2:dc_tun_0:2: mode-cfg assigned (1) IPv4 address 10.115.0.2
ike 2:dc_tun_0:2: mode-cfg send (3) IPv4 DNS(1) 172.20.109.8
ike 2:dc_tun_0:2: mode-cfg send (3) IPv4 DNS(2) 172.20.109.9
ike 2:dc_tun_0:2: enc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
ike 2:dc_tun_0:2:dc_tun:103: replay protection enabled
ike 2:dc_tun_0:2:dc_tun:103: set sa life soft seconds=10789.
ike 2:dc_tun_0:2:dc_tun:103: set sa life hard seconds=10800.
ike 2:dc_tun_0:2:dc_tun:103: IPsec SA selectors #src=1 #dst=1
ike 2:dc_tun_0:2:dc_tun:103: src 0 7 0:10.58.0.0-10.58.3.255:0
ike 2:dc_tun_0:2:dc_tun:103: dst 0 7 0:10.115.0.2-10.115.0.2:0
ike 2:dc_tun_0:2:dc_tun:103: add dynamic IPsec SA selectors
ike 2:dc_tun_0:103: add route 10.115.0.2/255.255.255.255 oif dc_tun_0(42) metric 1 priority 0
ike 2:dc_tun_0:2:dc_tun:103: tunnel 1 of VDOM limit 0/0
ike 2:dc_tun_0:2:dc_tun:103: add IPsec SA: SPIs=4697bcf5/c9158028
ike 2:dc_tun_0:2:dc_tun:103: IPsec SA dec spi 4697bcf5 key 16:0773B82923200A129880974448BAC26D auth 20:13C80A81B454484F032347E98C8FACB0DC1A2BAF
ike 2:dc_tun_0:2:dc_tun:103: IPsec SA enc spi c9158028 key 16:46234F3B41B59E3706E1C9516334B8D6 auth 20:FF14628AE34110C26A90FBB5E4D92506A46BCD98
ike 2:dc_tun_0:2:dc_tun:103: added IPsec SA: SPIs=4697bcf5/c9158028
ike 2:dc_tun_0:2:dc_tun:103: sending SNMP tunnel UP trap
ike 2:dc_tun_0:2: out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
ike 2:dc_tun_0:2: sent IKE msg (AUTH_RESPONSE): 172.31.18.151:4500->192.168.169.83:4500, len=1484, id=9a48a5cf7960ff49/11ce56da0c572251:00000001



In the collected log file, look for the 'dec' lines, which contain the decrypted content of received packets.
Then copy and paste the 'dec' line into a text file.

In the above example, we copy this 'dec' line into file ike_packet.txt:

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

Execute this command (which uses the tool text2pcap) in a Linux environment to remove unwanted characters and convert the raw file to a pcap file:

tr -d '\n' < ike_packet.txt | sed 's/ //g' | sed 's/\(..\)/\1 /g' | sed 's/^/00000 /' | text2pcap -u 500,500 - ike_packet.pcap

The -u <srcp>,<destp> option of text2pcap adds a UDP packet header with source port 500 and destination port 500.

Once the pcap has been generated, open it in Wireshark and look for the IKE negotiation exchange.
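The same conversion applied to a whole debug log instead of a hand-copied line, as an added example that is not part of the original article: the hypothetical function ike_dec_to_hexdump pulls every 'dec' payload out of the log and prints it in the offset-prefixed hex format that text2pcap reads. It assumes the hex follows the 'dec' keyword on the same line, as it does for the 'out' line in the log above; the sample log is constructed.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed, not from the article.

# Constructed sample log: one valid dec line, one malformed dec line, one out line.
sample_ike_log() {
    cat <<'EOF'
ike 2: comes 192.0.2.10:4500->198.51.100.1:4500,ifindex=13....
ike 2:dc_tun:2: dec 0102030405060708111213141516171800202308000000010000001C
ike 2:dc_tun:2: responder received AUTH msg
ike 2:dc_tun:2: dec 2E20ZZ
ike 2:dc_tun:2: out 0102030405060708111213141516171800202320000000010000001C
EOF
}

# ike_dec_to_hexdump LOGFILE
# Prints one text2pcap input line ("000000 AA BB ...") per dec payload.
# Offset 000000 on every line makes text2pcap start a new packet each time.
ike_dec_to_hexdump() {
    awk '
    # Assumed line shape: ike <n>:<tunnel>:<id>: dec <HEX>
    $1 == "ike" && $(NF-1) == "dec" {
        hex = toupper($NF)
        # Reject payloads that are not an even-length run of hex digits.
        if (hex !~ /^[0-9A-F]+$/ || length(hex) % 2 != 0) {
            printf "line %d: malformed dec payload skipped\n", NR > "/dev/stderr"
            next
        }
        line = "000000"
        for (i = 1; i <= length(hex); i += 2)
            line = line " " substr(hex, i, 2)
        print line
    }' "$1"
}

# Usage, with text2pcap installed:
#   ike_dec_to_hexdump ike_debug.log | text2pcap -u 500,500 - ike_packets.pcap
```

Only the 'dec' payloads leave the log this way; the SK_* and IPsec SA key lines that the same debug level prints (visible in the example above) are not copied into the capture.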

