IKEv2 is the backbone for modern IPsec VPNs—providing a robust, extensible key exchange, authentication, and SA management framework. When an IKEv2 VPN connection fails or behaves poorly, packet-level analysis with Wireshark is indispensable. This article walks you through a systematic, technical approach to debugging IKEv2 VPN connections using Wireshark, focusing on practical steps, filters, protocol semantics, and common root causes.
Preparation: captures, environment and Wireshark settings
Before you begin analyzing, gather the best possible packet captures and configure Wireshark to make your life easier.
- Capture on both ends if possible. Capturing on the VPN gateway and on the client (or the remote gateway) reduces ambiguity introduced by NAT, asymmetric routing, or packet drops.
- Use full-packet capture and correct snapshot length. Use tcpdump -s0 -w ikev2.pcap to preserve all bytes (including payloads and certificates).
- Capture UDP ports 500 and 4500 and ESP packets. Typical capture filter:
udp port 500 or udp port 4500 or proto 50. Alternatively capture all traffic then narrow in Wireshark. - Disable name resolution during analysis. Resolve Names off (View → Name Resolution) to keep analysis deterministic and fast.
- Prefer high-resolution timestamps. Packet timing often reveals retransmissions, RTTs, and timeouts.
- Save original captures. Keep raw pcap files; avoid editing them in ways that strip useful metadata.
Understand the IKEv2 message flow
IKEv2 consists of logical phases and message types that you should recognize in packet traces:
- IKE_SA_INIT – Negotiates cryptographic algorithms (SA payloads), exchanges DH (KE) and nonces (Ni, Nr). Sets up the initial IKE SA parameters, NAT detection, and optional cookies.
- IKE_AUTH – Authenticates endpoints (AUTH payload), exchanges certificates or ID information, and creates CHILD_SA(s) carrying the IPsec SAs used to protect data (ESP).
- CREATE_CHILD_SA – Used for establishing or rekeying CHILD SAs (ESP) after initial authentication.
- INFORMATIONAL – Handles delete notifications, status messages, and error reporting.
Recognizing these stages in Wireshark helps you locate the point of failure quickly.
Essential Wireshark filters and views for IKEv2
Use these filters and views to zoom into the relevant packets.
ikev2— display all IKEv2 messages.udp.port == 500 || udp.port == 4500— show standard IKE and NAT-T traffic.ip.proto == 50oresp— show ESP packets (IPsec payloads).ikev2.msgtype == 34— filter by specific IKEv2 message type (numeric codes in Wireshark for message types like IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA etc.).ikev2.flags.resp == 1— show responses, useful to see whether server replies are present.- Use the packet list time column and right-click → Follow → UDP Stream for a focused conversation between two endpoints on IKE ports.
Quick look: detect NAT traversal and NAT binding
IKEv2 supports NAT detection and NAT-T. Look for NAT-OA and NAT-DA payloads (NAT discovery), and for UDP port 4500 (NAT-T encapsulation). Common signs of NAT issues:
- Client sends to server on UDP/500, but server replies to a different source port—NAT changed the port causing authentication failure.
- Presence of Notify payloads like NAT_DETECTED or NAT_DETECTED_V2.
- Switch to UDP/4500 encapsulation (ESP-in-UDP) once NAT is detected—packets will show UDP/4500 and an outer ESP header.
Step-by-step packet analysis workflow
Follow a focused sequence to maximize clarity and minimize wasted effort.
1. Identify the initial IKE_SA_INIT
Filter for ikev2 and locate the first packets in the exchange. The initiator sends an IKE_SA_INIT request containing:
- SA payload: proposed encryption, PRF, integrity (AUTH), and DH group (e.g., AES-GCM-crypto, AES-CBC + HMAC-SHA2, PRF = HMAC-SHA2).
- KE payload: initiator’s Diffie-Hellman public value.
- Ni: initiator nonce.
Check that the responder’s SA payload contains acceptable transforms that match one of the initiator’s proposals. If proposals don’t match, expect an informative Notify response or failure in the IKE_AUTH phase.
2. Inspect KE (DH) and Nonce values
KE and Nonce exchanges establish the shared secret. Look for:
- DH group mismatches—if one side uses group 14 and the other expects group 19, the key agreement fails.
- Malformed KE payloads or truncated values (possibly due to capture snaplen problems or middlebox interference).
3. Look at cookies and retransmissions
Some servers send a COOKIE in response to unauthenticated IKE_SA_INIT to prevent resource exhaustion. If you see repeated retransmissions or IKE_SA_INIT requests without progressing, investigate:
- Does the client include the received cookie in subsequent requests?
- Are retransmissions spaced with exponential backoff? Timers can indicate an endpoint not receiving replies.
4. Verify IKE_AUTH
IKE_AUTH carries AUTH payloads, certificates (CERT), and ID payloads. In this phase:
- Confirm correct IDi/IDr (identities). Certificates must match expected subjects or SANs.
- AUTH payloads will contain either a signature (RSA/ECDSA) or an HMAC (for PSK). A mismatch here indicates incorrect credentials or a wrong PSK.
- Certificate chain issues: partial chains, untrusted CA, or expired certs show in certificate validation logs and sometimes as Notify messages.
5. Examine CHILD_SA and ESP traffic
Once the CHILD_SA is created, payloads are protected. ESP packets (proto 50) will carry encrypted traffic. For ESP-level troubleshooting:
- Check SAs’ SPIs (Security Parameters Index). The IP header will show the SPI in the beginning of ESP payload—Wireshark will decode it if keys are available.
- If you see ESP but no decrypted inner packets: ensure Wireshark has the correct keys (see below), or confirm the SA actually completed successfully.
- Look for ICMP fragmentation needed or retransmissions indicating MTU/PMTU problems—large traffic may be black-holed without PMTU discovery.
Decrypting IKEv2 and ESP in Wireshark
Wireshark can decode IKEv2 messages by default. Decrypting ESP requires key material exported from your VPN software.
- ISE/Debug logs: On strongSwan, use swanctl –list-sas or charon’s VICI interface to obtain the CHILD SA keys and SPIs. On Openswan/Libreswan use ipsec statusall or log files to get keys.
- Importing keys: In Wireshark: Edit → Preferences → Protocols → IPsec or ESP (version-dependent). You can add manual SA entries with SPI, algorithms, and keys. The exact format varies between Wireshark versions; consult your Wireshark help for syntax (typically includes SPI hex and encryption/auth keys).
- Key types needed: For ESP you need the negotiated encryption key and integrity key (if used), and the SPI. For IKEv2 EAP-based authentication, you may need additional derivation if using nested keys; check your VPN daemon’s export utilities.
Note: exporting keys from production systems has security implications—handle with care and remove keys from analysis machines afterward.
Common failure modes and how to spot them
Here are frequent root causes you can detect in packet traces and suggested corrective actions.
Mismatched crypto proposals
Symptoms: IKE_SA_INIT completes with a Notify or IKE_AUTH fails. Look at SA payload differences—one side’s proposals do not include a shared transform. Fix by aligning proposals (encryption, integrity, PRF, DH group) on both peers.
Authentication failures
Symptoms: IKE_AUTH response with AUTH_FAILED notify, or no response after IKE_AUTH. Investigate:
- PSK mismatch—AUTH is typically HMAC; verify PSKs on both sides or use debug logs.
- Certificate validation errors—examine CERT payloads, serials, CN/SAN, and chain completeness.
NAT and address rewriting
Symptoms: Server receives IKE_SA_INIT but replies to an unexpected port; later packets are dropped. Check NAT-OA/NAT-DA detection payloads and look for replies going to different UDP ports. Fix NAT mapping, enable NAT traversal, or configure endpoint to use UDP/4500.
Fragmentation and PMTU
Symptoms: Large packets fail after SA establishment, intermittent TCP timeouts, or “ICMP fragmentation needed” ICMP messages. Solution: lower MTU/MSS on tunnel endpoints or enable IP fragmentation and path MTU discovery fixes.
ESP decryption failures
Symptoms: ESP packets visible but not decodable. Confirm correct SPI and keys; ensure SA wasn’t rekeyed mid-stream (look for CREATE_CHILD_SA exchanges and new SPIs). If rekeying occurred, older keys may expire and new keys need importing.
Practical tips and advanced techniques
- Match packet timestamps with logs. Correlating daemon logs (charon, racoon, etc.) with packet times often pinpoints the exact error condition and why a message was generated.
- Watch for retransmissions and timeouts. Repeated identical payloads with increasing time gaps indicate lost packets or blocked ports.
- Use two-capture correlation. If you can capture on both sides, match packets by payload hashes, nonces, or KE values—this confirms whether a message traversed correctly through networks and NATs.
- Check phase lifetimes and rekey behavior. IKE SAs and CHILD SAs have lifetimes and rekey schedules—unexpected rekeys can cause transient failures, especially during high-traffic periods.
- Use Wireshark expert info. The Expert Info window (Analyze → Expert Information) flags malformed packets, retransmits, and decoding issues in one place.
Summary and final checklist
To systematically debug IKEv2 with Wireshark:
- Capture fully on relevant interfaces with proper filters and full packet length.
- Identify IKE_SA_INIT → IKE_AUTH → CHILD_SA flow and verify SA proposals and KE/Nonces.
- Check for NAT detection, cookies, and UDP/4500 encapsulation where necessary.
- Validate authentication (PSK or certificates) and verify IDs and certificate chains.
- For ESP issues, export and import keys to Wireshark to decrypt or verify SPIs and rekeying events.
- Correlate packet captures with VPN daemon logs for precise root-cause analysis.
Following this methodical approach gives you the best chance to quickly identify and resolve IKEv2 VPN problems—whether caused by crypto mismatches, authentication failures, NAT, MTU issues, or rekeying anomalies.
For additional resources, guides, and service options related to dedicated IP VPNs and IKEv2 setup, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.