Daniel Munteanu
Ixia Senior Product Specialist, Development
Blog

Unlock Your IPsec Testing with Easy Access to IxLoad Encryption Keys

September 23, 2016 by Daniel Munteanu

Keys1

All IPsec infrastructure owners testing their IPsec deployments go through a similar set of reoccurring pain points. For those of you in this position, think about how much time are you spending to successfully establish and run traffic through an IPsec tunnel when setting up a new test bed from the first attempt.

One of the reasons why this initial stretch is so cumbersome is the difficulty associated with decrypting the packet capture for potential error codes or other related information.

This is all changing now: when validating IPsec devices and deployments with Ixia`s IxLoad, encryption keys can be now exported with the click of a single button.

The Pains of Debugging IPsec

Although very mature and stable, IPsec is not a trivial technology. There are multiple moving parts and a deep level of understanding is required to match them all to work seamlessly. 

It usually takes a fair amount of time to successfully establish and run traffic through the first IPsec tunnel and sort out all the different cryptographic parameters and configuration details. An inherent part of this process is debugging the first attempts. Obviously the first steps are to enable the debugging mode on the DUT (device under test) and also view the error messages on IxLoad to monitor where things might go wrong.

While this is extremely helpful, it might be that it is not enough and the next step would be to inspect the actual packets being exchanged between the two IPsec peers. But with the exception of the first few messages, depending on the IKE version being used, the actual conversation is being encrypted – or at least the relevant ISAKMP payloads and the actual data-plane communication (we will not go into the details of IPsec and its different flavors since this is not the scope of my blog). To decrypt these messages, the encryption keys are needed and extracting them is anything but easy.

For IxLoad IPsec users, all these challenges are now history. Even from the very first test, IxLoad has a new option to export the encryption keys so that the actual communication between IxLoad`s emulated IPsec clients and the DUT can be readily seen in cleartext. The keys can be exported with the click of a button and they are intelligently exported in the folder where Wireshark stores by default its keys files. Opening the packet capture (which can be acquired using IxLoad`s Analyzer functionality) with Wireshark will automatically show the communication in cleartext.

How Does it Work?

Now let`s go through such an example and see if it’s really that simple. One of the most common use cases is when IxLoad is emulating a large number of remote access IPsec clients connecting to a real VPN gateway that “protects” a number of hosts and resources located on the cleartext side. A simple diagram will look as follows:

Keys2The first step is to configure IxLoad to emulate at least one IPsec client (and the cleartext Server) and validate that the IPsec tunnel is successfully brought up and is passing basic data-plane traffic. Once validated, the test can be scaled up.

I have been through something similar recently, and I am sure that this is familiar to many of you as well: in my scenario, the IPsec tunnel was brought up successfully but when trying to run data-plane traffic, none of the transactions were successful. So let`s debug that.

The statistics were as follows:

  • First, it was obvious that the IPsec tunnel was up and running:

Keys3

  • But then when looking at the data-plane traffic, there was no actual L7 traffic being exchanged:

Keys4

Looking at the VPN gateway side, everything was looking fine but still no data packets were being received on the cleartext side, or the emulated HTTP server in my case.

The next option was to check the packet capture. Below is a snapshot of the packet capture acquired using IxLoad Analyzer functionality:

Keys5

While I could see that the IPsec tunnel was established (which is consistent with the IxLoad statistics) there is not much indication about why data-plane traffic is not successfully exchanged. We can see some ESP packets, but they are encrypted and we cannot tell much. To see what`s inside the packets, we need the encryption keys. As mentioned, extracting these keys is not trivial and oftentimes quite time consuming.

Now is the time for a solution to speed things up. Starting with version 8.10, IxLoad offers the ability to easily export these encryption keys. Navigate to the IPsec -> Network Group Setting menu, and a new button is available for this purpose alone;

Keys6

When we press this button, both IKE and ESP keys are intelligently exported in the folder where Wireshark stores by default its keys files (%AppData%\Wireshark).

Keys7

Tips:

  • To generate these encryption keys, make sure that the Logging Level (Plug-in Settings -> IPsec tab) is set on KEYS or higher:

Keys8

  • Encryption keys for all tunnels are exported even when running a test with more IPsec tunnels
  • To export the encryption keys, the test should be stopped and unconfigured

As soon as the associated packet capture is open in Wireshark, the entire communication is magically decrypted:

Keys9

Pinpointing what was wrong with the data-plane traffic is now a walk in the park: it was a simple configuration issue, where the IPsec clients were configured to connect to a wrong HTTP server IP address that did not exist (i.e. 70.0.0.10) instead of correct one: 70.0.0.1

Tip: To have the ESP packets decrypted as well (i.e. data-plane traffic), the following Wireshark option needs to be enabled: (Edit->Preferences->Protocols->ESP: “Attempt to detect/decode encrypted ESP payloads”):

Keys10

The same procedure decrypts the control-plane IPsec tunnel negotiation as well (e.g., decrypts the ISAKMP payloads) that are useful to conduct various investigations (mainly related to IPsec tunnel establishment) or quickly check that the parameters that are being exchanged are as expected:

Keys11

Conclusion

While troubleshooting and debugging is fun and challenging, nobody wants to spend time on tasks that are only intermediary steps in this process. Relying on tools that can help streamline this process is something that translates in increased productivity and efficiency.

When validating IPsec deployments, IxLoad not only offers the means to assess the scalability, performance, and stability of the device or system under test, but it also takes an extra step in providing valuable information when it comes to debugging and troubleshooting.