How to get IPSec encrytpion key for a specific session – The Cisco Learning Network
https://learningnetwork.cisco.com/thread/4654
Memory string preceding per-session IPSec keys in an IOS core dump: 00 00 00 00 63 C0 60 0C 63 C0 60 1C 07 D0 00 19 00 00 00 00 63 C0 60 0C 63 C0 60 1C 07 D0 00 19
Exactly 16 bytes after B8 begins the inbound encryption key, which is 24 bytes long. Immediately after the encryption key is the 16 byte authentication key. Once these are sussed out, they can be used to decode a wireshark capture for troubleshooting purposes. These keys are not the pre-shared key; they are the derived session key that changes periodically based on time or bytes sent.
Leave a Reply