P1sec / pycrate

A Python library to ease the development of encoders and decoders for various protocols and file formats; contains ASN.1 and CSN.1 compilers.
GNU Lesser General Public License v2.1

[Question] IKEv2 message "IKE AUTH" can't decode #133

Closed markwangsm closed 2 years ago

markwangsm commented 3 years ago

Hi P1sec,

I use pycrate "IKEv2.py" to try to parse IKEv2 messages. For the IKE_INIT message, it can decode it successfully. But for the IKE_AUTH message, because it needs to be deciphered first, I use the Wireshark preferences "IKEv2_decryption_table" to decipher it, and then I copy the payload and send it to my test code. For the test result, I can get the header message but the payload message is empty. How could I use IKEv2.py to decode the IKE_AUTH payload?

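===== test code =====

```python
import binascii

from pycrate_crypto.IKEv2 import IKEv2

# Placeholder: replace with the hex string of the IKE_AUTH PDU
buf = binascii.unhexlify("IKE AUTH PDU Payload")

# Decode the buffer and print the resulting structure
pdu = IKEv2()
pdu.from_bytes(buf)

print(pdu)
```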

===== test result =====

```
python3 ikev2_test.py :
<IKEv2 : <Header : <SPIInitiator : 0xXXXXXXXXX><SPIResponder : 0xXXXXXXXXXX><Next : 46><VersMaj : 2><VersMin : 0><ExchType : 35 (IKE_AUTH)><Flags : <undef : 0x0><R : 0><V : 0><I : 1><undef : 0x0>><MID : 0xXXXXXX>>>
```

p1-bmu commented 3 years ago

Your IKEv2 header indicates next payload is 46, which corresponds to an IKEv2 Encrypted Payload with the following structure: https://github.com/P1sec/pycrate/blob/e30acd6242fcd3e6ee551e9fe9ddf9d665ce822d/pycrate_crypto/IKEv2.py#L626

But here, you provide a buffer that has already been decrypted and hence reformatted in some way by Wireshark. I suppose this triggers an error when decoding the 1st payload and stops there. And if you try to decode the encrypted IKEv2 IKE_AUTH buffer with pycrate, it will certainly succeed (otherwise, there is a bug somewhere). So, you need to find out how Wireshark reformats the decrypted IKE_AUTH message, and how to deal with it in pycrate.
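The structure discussed in this thread, as an added example that is not part of the original issue and does not use pycrate: a plain-Python walk of the RFC 7296 payload chain, showing that a header with Next Payload 46 leads to an opaque SK payload whose own Next Payload field names the first payload inside the decrypted data. The helper names and all sample bytes are constructed for illustration, and it assumes the decrypted inner payloads are available as a separate buffer.

```python
import struct

# Payload type numbers from RFC 7296 (subset)
PAYLOADS = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
            39: "AUTH", 40: "Nonce", 41: "Notify", 43: "Vendor", 44: "TSi",
            45: "TSr", 46: "SK", 47: "CP", 48: "EAP"}
SK = 46

def parse_header(msg):
    """Decode the fixed 28-byte IKEv2 header."""
    if len(msg) < 28:
        raise ValueError("short IKEv2 header")
    _spi_i, _spi_r, nxt, _vers, exch, _flags, mid, length = struct.unpack(
        ">8s8sBBBBII", msg[:28])
    return {"next": nxt, "exch": exch, "mid": mid, "length": length}

def walk_payloads(buf, first_type):
    """Follow generic payload headers (next, flags, length) through buf.
    Returns ([(type, body)], first inner type announced by an SK payload or None)."""
    out, inner_first, off, ptype = [], None, 0, first_type
    while ptype != 0:
        if off + 4 > len(buf):
            raise ValueError("truncated payload header at offset %d" % off)
        nxt, _flags, plen = struct.unpack(">BBH", buf[off:off + 4])
        if plen < 4 or off + plen > len(buf):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        out.append((ptype, buf[off + 4:off + plen]))
        if ptype == SK:          # body is IV + ciphertext + ICV: stop here
            inner_first = nxt    # type of the first payload once decrypted
            break
        off, ptype = off + plen, nxt
    return out, inner_first

def payload(nxt, body):
    """Hypothetical helper: prepend a generic payload header to body."""
    return struct.pack(">BBH", nxt, 0, 4 + len(body)) + body

# Constructed sample data, not taken from the issue
sk = payload(35, b"\xAA" * 48)                       # encrypted IKE_AUTH body
wire = struct.pack(">8s8sBBBBII", b"\x01" * 8, b"\x02" * 8,
                   SK, 0x20, 35, 0x08, 1, 28 + len(sk)) + sk
plain = (payload(39, b"\x02\x00\x00\x00user")        # IDi, then AUTH
         + payload(0, b"\x02\x00\x00\x00" + b"\x11" * 32)
         + b"\x00\x00\x02")                          # padding + pad length

if __name__ == "__main__":
    outer, first = walk_payloads(wire[28:], parse_header(wire)["next"])
    print([PAYLOADS[t] for t, _ in outer], "first inner:", PAYLOADS[first])
    print([PAYLOADS[t] for t, _ in walk_payloads(plain, first)[0]])
```

The decrypted bytes carry no marker for their first payload type; it has to be taken from the SK payload header of the encrypted message.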