Lab 13-2: Basic Site-to-Site IPSec VPN and NAT

Figure 13-2 Configuring Basic Site-to-Site IPSec VPN and NAT. Figure 13-2 illustrates the topology that will be used in the following lab.

cisco-decrypt - decrypts an obfuscated Cisco VPN client pre-shared key

Synopsis: cisco-decrypt <pre-shared key>

Description: This command accompanies vpnc. It decrypts the obfuscated pre-shared key from *.pcf configuration files, which must be specified on the command line.
I am reading up on IPsec, and was wondering if I could use Wireshark to decrypt ESP packets from IPsec transport mode sessions that are using a pre-shared key. From reading, I have gathered that even if the pre-shared key is already known, it still isn't trivial to decrypt ESP packets because of the ISAKMP process. It looks like a core dump of the router is needed to get the encryption and authentication keys needed for Wireshark. Is my interpretation of this accurate, and could anyone explain how ISAKMP makes it so that information from the endpoint is needed? I am having trouble finding an explanation that doesn't require more background in cryptography than I have (for example, ) (but maybe that is because it can't be explained otherwise?).

Sounds like you're understanding it correctly.
The reason you need data from one of the endpoints is because ISAKMP is changing keys periodically and Cisco doesn't provide a 'nice way' to access that information. The dumps on each side just let you see what the current key is.
It wouldn't be necessary if one of the peers had a utility to retrieve the negotiated keys as they changed. Edit: it should be noted, for those unfamiliar with GNS3/Dynamips/Dynagen, that to do this he is using a virtual router, not a real router. He's also stated that if you were creating this VPN using certain Linux services rather than a Cisco router, you would just be able to query the current key without issue.
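To make the answer concrete, here is an added example (not part of the original thread, and not Cisco's or Wireshark's code) that walks the IKEv1 pre-shared-key derivation from RFC 2409 end to end. It assumes HMAC-SHA1 as the prf, Oakley group 2 for Diffie-Hellman, an ESP SA using a 16-byte cipher key plus a 20-byte HMAC-SHA1 key, and Quick Mode without PFS; all nonces, cookies and SPIs are constructed at random. The point it demonstrates is the one made above: someone holding the PSK and a full capture can compute SKEYID, but every key after that takes g^xy as input, and g^xy only exists inside the two endpoints. The ESP keys also change at every Quick Mode rekey, which is why a key dumped from the router is only good until the next rekey.

```python
"""IKEv1 (RFC 2409) PSK-mode key derivation, simplified for illustration.

Added example, not code from the thread or from Cisco/Wireshark.
Assumptions: prf = HMAC-SHA1, Oakley group 2, ESP with a 16-byte
encryption key + 20-byte auth key, Quick Mode without PFS.
"""
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, Oakley group 2 (1024-bit MODP), generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
GROUP2_G = 2
GROUP2_LEN = 128   # DH values handled as fixed-width 128-byte big-endian strings
PROTO_ESP = 3      # PROTO_IPSEC_ESP from RFC 2407


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf = HMAC with the negotiated hash; HMAC-SHA1 assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Return (private exponent, public value). The exponent never leaves the host."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P).to_bytes(GROUP2_LEN, "big")


def dh_shared(private: int, peer_public: bytes) -> bytes:
    """g^xy: computable only with one side's private exponent."""
    y = int.from_bytes(peer_public, "big")
    return pow(y, private, GROUP2_P).to_bytes(GROUP2_LEN, "big")


def phase1_skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 5.4, PSK auth: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    Inputs are the PSK and two nonces sent in clear, so a capture plus the
    PSK is enough to compute this value."""
    return prf(psk, ni + nr)


def phase1_derived(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    """RFC 2409 5.4: SKEYID_d, SKEYID_a, SKEYID_e. Each one takes g^xy,
    which is never transmitted, so the capture stops being useful here."""
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def phase2_keymat(skeyid_d: bytes, protocol: int, spi: bytes,
                  ni2: bytes, nr2: bytes, need: int) -> bytes:
    """RFC 2409 5.5 without PFS. KEYMAT = K1 | K2 | ... where
    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b) and
    Kn = prf(SKEYID_d, K(n-1) | protocol | SPI | Ni_b | Nr_b)."""
    seed = bytes([protocol]) + spi + ni2 + nr2
    out, k = b"", b""
    while len(out) < need:
        k = prf(skeyid_d, k + seed)
        out += k
    return out[:need]


def esp_sa_keys(keymat: bytes, enc_len: int = 16, auth_len: int = 20):
    """RFC 2407 ordering: encryption key first, then authentication key.
    These two values plus the SPI are what Wireshark's ESP SA table wants
    for one direction of one SA."""
    return keymat[:enc_len], keymat[enc_len:enc_len + auth_len]


def simulate(psk: bytes = b"constructed-demo-psk") -> dict:
    """One Phase 1 exchange, one ESP SA, one rekey. The 'observer' has only
    what a capture plus the PSK gives: nonces, cookies, public DH values."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)       # Phase 1 nonces
    x_i, pub_i = dh_keypair()   # x_i stays inside the initiator
    x_r, pub_r = dh_keypair()   # x_r stays inside the responder

    gxy_i = dh_shared(x_i, pub_r)
    gxy_r = dh_shared(x_r, pub_i)
    skeyid = phase1_skeyid(psk, ni, nr)
    keys_i = phase1_derived(skeyid, gxy_i, cky_i, cky_r)
    keys_r = phase1_derived(skeyid, gxy_r, cky_i, cky_r)
    observer_skeyid = phase1_skeyid(psk, ni, nr)   # as far as PSK + capture gets

    # Quick Mode: fresh SPI and nonces for the first SA, then again for the rekey.
    spi1, ni2, nr2 = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    keymat1_i = phase2_keymat(keys_i[0], PROTO_ESP, spi1, ni2, nr2, 36)
    keymat1_r = phase2_keymat(keys_r[0], PROTO_ESP, spi1, ni2, nr2, 36)
    spi2, ni3, nr3 = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    keymat2_i = phase2_keymat(keys_i[0], PROTO_ESP, spi2, ni3, nr3, 36)

    return {
        "observer_has_skeyid": observer_skeyid == skeyid,
        "endpoints_agree_skeyid_d": keys_i[0] == keys_r[0],
        "endpoints_agree_esp_keys": keymat1_i == keymat1_r,
        "rekey_changed_esp_keys": keymat2_i != keymat1_i,
        "esp_keys_sa1": esp_sa_keys(keymat1_i),
        "esp_keys_sa2": esp_sa_keys(keymat2_i),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The two `esp_keys_*` pairs are the encryption and authentication keys you would paste into Wireshark's ESP SA preferences for that SPI; they come out of `SKEYID_d`, which a Cisco router holds in memory and does not export, and each rekey replaces them with an unrelated pair. The DH group and hash are fixed here for readability; a real negotiation picks them from the transform set, and a Phase 2 with PFS adds a second DH exchange into the KEYMAT derivation, which makes the endpoint-only dependency even stronger.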