AES - Advanced Encryption Standard ==================================== .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **What is AES?** AES stands for Advanced Encryption Standard. It’s a symmetric encryption algorithm used to securely encrypt and decrypt data. AES is widely used to protect sensitive information in files, emails, network communications, and databases. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Why is AES useful?** * Data privacy and security are critical today. AES helps by: * Encrypting data so unauthorized users can’t read it. * Ensuring confidentiality during storage or transmission. * Providing fast, strong encryption resistant to attacks. * Without AES, sensitive data like passwords and financial info could be easily intercepted. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **How it works?** * Key generation – A secret key (128, 192, or 256 bits) is chosen, shared by sender and receiver. * Encryption – Plaintext is transformed into ciphertext using AES and the key. * Transmission/Storage – Ciphertext is sent or stored securely. * Decryption – The receiver uses the key to restore plaintext from ciphertext. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Where is AES used?** * Secure websites (HTTPS) encrypt web traffic. * Wi-Fi security (WPA2/WPA3) uses AES. * File encryption tools (BitLocker, VeraCrypt, 7-Zip). * Messaging apps with end-to-end encryption (Signal, WhatsApp). * VPNs and secure tunnels to protect data in transit. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Which OSI layer does this protocol belong to?** * AES operates primarily at the Presentation Layer (Layer 6). * Encryption/decryption transform data before it reaches the application. * It ensures confidentiality and proper formatting for application consumption. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Is AES Windows specific?** No. * AES is a widely used symmetric encryption algorithm. * It is platform-independent and implemented across Windows, Linux, macOS, and more. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Is AES Linux specific?** No. * AES is not Linux specific. * Supported on Linux through numerous cryptographic libraries. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Which Transport Protocol is used by AES?** * AES is an encryption algorithm, not a protocol. * It can be used within protocols like TLS (which uses TCP), IPSec (which can use UDP or TCP), etc. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Which Port is used by AES?** * AES itself does not use any ports. * Ports depend on the protocol (e.g., HTTPS uses TCP 443) that employs AES encryption. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow **Is AES using Client server model?** No. * AES is a cryptographic algorithm, not a communication model. * It can be used in both client-server and peer-to-peer communication for encrypting data. .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: shadow Topics in this section, * :ref:`Learnings in this section ` * :ref:`Terminology ` * :ref:`Version Info ` * :ref:`AES Version&RFC Details ` * :ref:`AES Basic Setup on Ubuntu using IPv4 ` * :ref:`AES Basic Setup on Ubuntu using IPv6 ` * :ref:`AES Protocol Packet Details ` * :ref:`AES Usecases ` * :ref:`AES Basic Features ` * :ref:`AES Feature : Symmetric Key Cipher ` * :ref:`AES Feature : Block Cipher ` * :ref:`AES Feature : Key Sizes ` * :ref:`AES Feature : Number of Rounds ` * :ref:`AES Feature : Substitution-Permutation Network (SPN) ` * :ref:`AES Feature : Fast and Efficient ` * :ref:`AES Feature : Strong Security ` * :ref:`AES Feature : Widely Adopted ` * :ref:`AES Feature : Flexible Modes of Operation ` * :ref:`Reference links ` .. _AES_step1: .. tab-set:: .. tab-item:: Learnings in this section * In this section, you are going to learn .. _AES_step2: .. tab-set:: .. tab-item:: Terminology * Terminology .. _AES_step3: .. tab-set:: .. tab-item:: Version Info * Version Info .. _AES_step5: .. tab-set:: .. tab-item:: AES Version&RFC Details .. csv-table:: :file: ./AES/aes_rfc_details.csv :widths: 10,10,10,30 :header-rows: 1 .. _AES_step19: .. tab-set:: .. tab-item:: AES Basic Setup on Ubuntu using IPv4 **AES IPsec VPN Setup on Ubuntu with strongSwan(IPv4)** * This guide explains how to configure a basic AES-encrypted IPsec VPN tunnel between two Ubuntu machines. Prerequisites: * Two Ubuntu machines: - Server IP: 192.168.56.10 (test1) - Client IP: 192.168.56.11 (test2) * Both machines have strongSwan installed. * UFW firewall enabled (optional but recommended). * Step 1: Install strongSwan On both machines, run: .. code-block:: shell test1:~$sudo apt update test1:~$sudo apt install strongswan test2:~$sudo apt update test2:~$sudo apt install strongswan * Step 2: Configure IPsec ### Server Configuration (`/etc/ipsec.conf`) .. code-block:: shell config setup charondebug="ike 2, knl 2, cfg 2, net 2, esp 2" conn aesvpn auto=add keyexchange=ikev2 authby=secret left=192.168.56.10 leftid=@server leftsubnet=192.168.56.0/24 right=192.168.56.11 rightid=@client rightsubnet=192.168.56.0/24 ike=aes256-sha256-modp2048! esp=aes256-sha256! ### Client Configuration (`/etc/ipsec.conf`) .. code-block:: shell config setup charondebug="ike 2, knl 2, cfg 2, net 2, esp 2" conn aesvpn auto=start keyexchange=ikev2 authby=secret left=192.168.56.11 leftid=@client leftsubnet=192.168.56.0/24 right=192.168.56.10 rightid=@server rightsubnet=192.168.56.0/24 ike=aes256-sha256-modp2048! esp=aes256-sha256! * Step 3: Set Pre-Shared Key On both machines, edit `/etc/ipsec.secrets` to add: .. code-block:: shell test1:~$@server @client : PSK "SuperSecretKey123!" test2:~$@client @server : PSK "SuperSecretKey123!" * Step 4: Configure UFW Firewall Rules .. code-block:: shell test1:~$sudo ufw allow 500,4500/udp test1:~$sudo ufw allow in proto esp from 192.168.56.11 test1:~$sudo ufw allow out proto esp to 192.168.56.11 test1:~$sudo ufw reload .. code-block:: shell test2:~$sudo ufw allow 500,4500/udp test2:~$sudo ufw allow in proto esp from 192.168.56.10 test2:~$sudo ufw allow out proto esp to 192.168.56.10 test2:~$sudo ufw reload * Step 5: Start and Enable strongSwan Service On both machines: .. code-block:: shell test1:~$sudo ipsec restart test2:~$sudo ipsec restart * Step 6: Initiate the VPN Connection .. code-block:: shell test2:~$sudo ipsec up aesvpn **Example Output:** initiating IKE_SA aesvpn[1] to 192.168.56.10 generating IKE_AUTH request 1 [ IDi CERTREQ ] sending packet: from 192.168.56.11[4500] to 192.168.56.10[4500] (1400 bytes) received packet: from 192.168.56.10[4500] to 192.168.56.11[4500] (1400 bytes) parsed IDr payload: ID_IPV4_ADDR: 192.168.56.10 received CERT request for "C=US, O=strongSwan, CN=server" sending packet: from 192.168.56.11[4500] to 192.168.56.10[4500] (1400 bytes) IKE_AUTH response processed established IKE_SA aesvpn[1] successfully establishing CHILD_SA aesvpn{1} sending packet: from 192.168.56.11[4500] to 192.168.56.10[4500] (1400 bytes) received packet: from 192.168.56.10[4500] to 192.168.56.11[4500] (1400 bytes) established CHILD_SA aesvpn{1} successfully (Optional) On the server machine: .. code-block:: shell test1:~$sudo ipsec up aesvpn * Step 7: Verify VPN Status On either machine, check the IPsec connection status: .. code-block:: shell test1:~$sudo ipsec statusall **Example Output:** Security Associations (1 up, 0 connecting): aesvpn[1]: ESTABLISHED 4 minutes ago, 192.168.56.11[client]...192.168.56.10[server] IKEv2 SPIs: 123456789abcdef0_i 123456789abcdef0_r, rekeying in 10 minutes CHILD_SA aesvpn{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3f8e1a3_i 7d4b2c6e_o AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ lifetime: 1h0m, bytes_i: 1500, bytes_o: 1200 Connections: aesvpn: 192.168.56.11...192.168.56.10 IKEv2, dpddelay=30s * Step 8: Test Connectivity .. code-block:: shell test2:~$ping 192.168.56.10 * Step 9: Capture IPsec (AES) Packets with Wireshark * Launch Wireshark on either machine. * Use the filter to capture ESP (IPsec encrypted) packets: * You should observe ESP packets flowing between `192.168.56.10` and `192.168.56.11`. * Step-10: Capture the test using Wireshark. :download:`Download Wireshark capture ` **How to Decrypt IPsec ESP Packets in Wireshark** ESP traffic is encrypted using session keys negotiated during the IKE exchange. Decryption is only possible under specific conditions. **Option 1: Using strongSwan’s charon log (IKEv2)** Wireshark can use the IKE traffic (captured during tunnel setup) to derive ESP keys **if**: - You captured the IKE_SA negotiation (UDP 500 or 4500). - The encryption uses **IKEv2** and **no PFS (Perfect Forward Secrecy)**, or keys are known. - You have the **pre-shared key (PSK)** used. Steps: 1. Capture the full handshake (IKE_SA and CHILD_SA). 2. In Wireshark: - Go to `Edit` → `Preferences` → `Protocols` → `ISAKMP`. - Set the "IKEv2 decryption table" with: - Initiator/responder IPs - PSK: `"SuperSecretKey123!"` 3. Enable `ESP` decryption in `Protocols → ESP`. 4. Wireshark will automatically attempt to decrypt the ESP stream. **Option 2: Exporting Keys Manually** *(Advanced)* You can patch `strongSwan` to log keys to a file (requires rebuild with debug options), or use external plugins to extract keys. This method is complex and not always reliable. **Important Note:** IPsec use **Perfect Forward Secrecy** (PFS) with **ephemeral keys**, so **you cannot decrypt ESP traffic by default** without capturing the IKE negotiation or extracting keys in real time. **Apache HTTPS and SSL Key Logging with AES Encryption Test Case (loaclhost)** * To verify that an Apache HTTPS server can be configured with a self-signed SSL certificate, and HTTPS traffic can be decrypted using SSL key logging and Wireshark. * Step-1: Install Apache Web Server .. code-block:: shell test:~$ sudo apt update test:~$ sudo apt install apache2 -y * Step-2: Allow Apache through the firewall .. code-block:: shell test:~$ sudo ufw allow 'Apache Full' test:~$ sudo ufw enable test:~$ sudo ufw status * Step-3: Generate a self-signed SSL certificate .. code-block:: shell test:~$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout /etc/ssl/private/selfsigned.key \ -out /etc/ssl/certs/selfsigned.crt Enter values when prompted: - Country: IN - State: Karnataka - City: Bangalore - Organization: Personal - Organizational Unit: IT - Common Name: localhost * Step-4: Configure Apache for SSL .. code-block:: shell test:~$ sudo nano /etc/apache2/sites-available/selfsigned.conf Paste the following: .. code-block:: shell ServerAdmin webmaster@localhost DocumentRoot /var/www/html SSLEngine on SSLCertificateFile /etc/ssl/certs/selfsigned.crt SSLCertificateKeyFile /etc/ssl/private/selfsigned.key Options Indexes FollowSymLinks AllowOverride None Require all granted ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined * Step-5: Enable SSL module and site configuration .. code-block:: shell test:~$ sudo a2enmod ssl test:~$ sudo a2ensite selfsigned.conf test:~$ sudo systemctl reload apache2 * Step-6: Create a custom HTML page .. code-block:: shell test:~$ cd /var/www/html test:~$ sudo mv index.html index.html.bak test:~$ sudo nano index.html Paste the following HTML: .. code-block:: shell My Custom Page

Welcome to My Website!

This is a custom page served by Apache on HTTPS.

* Step-7: Set file permissions .. code-block:: shell test:~$ sudo chown www-data:www-data /var/www/html/index.html test:~$ sudo chmod 644 /var/www/html/index.html * Step-8: Restart Apache .. code-block:: shell test:~$ sudo systemctl restart apache2 * Step-9: Test HTTPS in browser Open your browser and go to: https://localhost You should see your custom HTML page over HTTPS. * Step-10: Export SSL Key Log Environment Variable .. code-block:: shell test:~$ export SSLKEYLOGFILE=$HOME/sslkeys.log * Step-11: Make an HTTPS request using curl .. code-block:: shell test:~$ curl -k https://localhost Expected output: .. code-block:: shell My Custom Page

Welcome to My Website!

This is a custom page served by Apache on HTTPS.

* Step-12: Confirm that SSL keys were logged .. code-block:: shell test:~$ cat ~/sslkeys.log Example contents: .. code-block:: shell CLIENT_HANDSHAKE_TRAFFIC_SECRET ... SERVER_HANDSHAKE_TRAFFIC_SECRET ... CLIENT_TRAFFIC_SECRET_0 ... SERVER_TRAFFIC_SECRET_0 ... EXPORTER_SECRET ... * Step-13: Capture HTTPS traffic using Wireshark - Start Wireshark and select the appropriate network interface - Begin packet capture - Do curl -k https://localhost - Stop the capture after traffic is generated * Step-14: Configure Wireshark to use SSL key log - Go to: ``Edit > Preferences > Protocols > TLS`` - Set **(Pre)-Master-Secret log filename** to: /home/username/sslkeys.log - Click **OK** - Reload the capture file * Expected result: - Apache serves the custom HTML page via HTTPS - `curl` and browser successfully connect - SSL keys are logged in ``sslkeys.log`` - Wireshark captures: * TLS handshake and application data * Decrypted HTTP packets when filtered by `http` * Step-15: Wireshark Capture :download:`Download wireshark capture ` **HTTPS Traffic Inspection Using SSLKeyLog Between Client Server** * To verify that HTTPS traffic between a client and a server can be decrypted using SSL key logging and inspected in Wireshark. * SERVER SETUP — 192.168.0.10 * Step-1: Set a static IP (if not already configured) .. code-block:: shell test1$ ip a Confirm that the server's IP is 192.168.0.10. If not, configure a static IP using `/etc/netplan` or your network manager. * Step-2: Apache HTTPS Setup If not already done, install Apache and configure SSL: .. code-block:: shell test1$ sudo apt update test1$ sudo apt install apache2 openssl -y Generate a self-signed certificate (make sure CN = 192.168.0.10): .. code-block:: shell test1$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout /etc/ssl/private/selfsigned.key \ -out /etc/ssl/certs/selfsigned.crt Configure Apache virtual host: .. code-block:: shell test1$ sudo nano /etc/apache2/sites-available/selfsigned.conf Paste the following config: .. code-block:: apache ServerName 192.168.0.10 DocumentRoot /var/www/html SSLEngine on SSLCertificateFile /etc/ssl/certs/selfsigned.crt SSLCertificateKeyFile /etc/ssl/private/selfsigned.key Require all granted Enable the SSL site and module: .. code-block:: shell test1$ sudo a2enmod ssl test1$ sudo a2ensite selfsigned.conf test1$ sudo systemctl restart apache2 * Step-3: Confirm Apache is listening on port 443 .. code-block:: shell test1$ sudo ss -tuln | grep 443 LISTEN 0 128 * :443 ... * CLIENT SETUP — 192.168.0.11 * Step-4: Verify network connectivity to the server .. code-block:: shell test2$ ping 192.168.0.10 * Step-5: Test HTTPS access .. code-block:: shell test2$ curl -k https://192.168.0.10 Expected: HTML content from Apache server. * Step-6: Enable SSL Key Logging .. code-block:: shell test2$ export SSLKEYLOGFILE=$HOME/sslkeys.log Re-run the HTTPS request to generate secrets: .. code-block:: shell test2$ curl -k https://192.168.0.10 Check the log: .. code-block:: shell test2$ cat ~/sslkeys.log You should see lines like: .. code-block:: text CLIENT_TRAFFIC_SECRET_0 ... SERVER_HANDSHAKE_TRAFFIC_SECRET ... CLIENT_HANDSHAKE_TRAFFIC_SECRET ... * Step-7: Capture HTTPS traffic using Wireshark Run Wireshark on the **client** In Wireshark: - Capture traffic on the active interface (e.g., `eth0`) - Apply the following display filter: ip.addr == 192.168.0.10 && ip.addr == 192.168.0.11 * Step-8: Configure Wireshark to use SSL key log - Go to: ``Edit > Preferences > Protocols > TLS`` - Set: (Pre)-Master-Secret log filename = /home/youruser/sslkeys.log - Reload the capture file * Expected Result: - Client successfully connects to server via HTTPS - SSL key log file is generated on client - Wireshark decrypts the HTTPS session using `sslkeys.log` - Decrypted HTTP content is visible in Wireshark * Step-9: Wireshark Capture :download:`Download wireshark capture ` **SSH Setup Using AES256-CTR Encryption** * To verify that an SSH session can be securely established using AES-256-CTR encryption and confirmed through Wireshark packet inspection. * Setup Environment * Client: test2 (192.168.56.10) * Server: test1 (192.168.56.11) * Goal: Force AES-256-CTR cipher in SSH and verify via Wireshark. * Step-1: Install OpenSSH on Both Machines .. code-block:: shell test1$ sudo apt update test1$ sudo apt install openssh-server openssh-client -y test2$ sudo apt update test2$ sudo apt install openssh-server openssh-client -y * Step-2: Start and Enable SSH on the Server .. code-block:: shell test1$ sudo systemctl enable ssh test1$ sudo systemctl start ssh test1$ sudo systemctl status ssh * If using UFW firewall: .. code-block:: shell test1$ sudo ufw allow ssh * Step-3: Check Supported SSH Ciphers on the Client .. code-block:: shell test2$ ssh -Q cipher aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com chacha20-poly1305@openssh.com ... This confirms that `aes256-ctr` is supported by your SSH client. * Step-4: Connect Using AES-256-CTR Cipher .. code-block:: shell test2$ ssh -c aes256-ctr your_username@192.168.56.11 Replace `your_username` with a valid user on `test1`. This enforces AES-256-CTR cipher during the SSH session. * Step-5: (Optional) Make AES Cipher Permanent via SSH Config .. code-block:: shell test2$ nano ~/.ssh/config Add the following lines: .. code-block:: shell Host 192.168.56.11 User your_username Ciphers aes256-ctr * Step-6: Capture SSH Packets Using Wireshark - Run Wireshark on either `test1`, `test2`, or a system in between. - Start packet capture on the active network interface. - Use the display filter: ip.addr == 192.168.56.10 && ip.addr == 192.168.56.11 * Step-7: Analyze Encryption Algorithm in Wireshark - Locate one of the SSH handshake packets (e.g., Frame 45). - Expand the **SSH Protocol** section. - Look for a line similar to: SSH Version 2 (encryption:aes256-ctr compression:none) This confirms that AES-256-CTR was negotiated and used for encryption. Important Note on Decryption: SSH traffic **cannot** be decrypted in Wireshark—even when the cipher (like `aes256-ctr`) is known—because SSH uses **strong encryption mechanisms with ephemeral session keys** and employs **Perfect Forward Secrecy (PFS)**. This means: - Session keys are generated per connection and discarded after use. - They are **not logged or recoverable**, even by the client or server. - Tools like Wireshark cannot decrypt SSH traffic unless the keys are exposed via insecure implementations (which modern OpenSSH does not allow). Unlike HTTPS (which can use SSLKEYLOGFILE to export secrets), **SSH offers no practical method for decrypting live or recorded traffic.** * Step-8: Wireshark Capture :download:`Download wireshark capture ` **DNS over TLS Setup Using Unbound** * To configure DNS over TLS (DoT) using Unbound DNS server and verify secure, encrypted DNS resolution. Additionally, export TLS keys to allow decryption of DNS packets in Wireshark. Test Environment: - Server: test1 (192.168.0.10) - Client: test2 (192.168.0.11) Server-Side Configuration (test1): * Step 1: Install Unbound .. code-block:: shell test1$ sudo apt update test1$ sudo apt install unbound -y * Step 2: Generate TLS Certificates .. code-block:: shell test1$ sudo mkdir -p /etc/unbound/private test1$ sudo openssl req -newkey rsa:2048 -nodes \ -keyout /etc/unbound/private/server.key \ -x509 -days 365 \ -out /etc/unbound/private/server.pem test1$ sudo chown -R unbound:unbound /etc/unbound/private test1$ sudo chmod 700 /etc/unbound/private test1$ sudo chmod 600 /etc/unbound/private/server.* * Step 3: Configure Unbound Edit `/etc/unbound/unbound.conf`: .. code-block:: shell test1$ sudo nano /etc/unbound/unbound.conf include-toplevel: "/etc/unbound/unbound.conf.d/* .conf" server: interface: 0.0.0.0 port: 853 username: unbound directory: "/etc/unbound" tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt" tls-service-key: "/etc/unbound/private/server.key" tls-service-pem: "/etc/unbound/private/server.pem" verbosity: 1 remote-control: control-enable: yes access-control: 192.168.0.0/24 allow * Step 4: Allow Firewall Traffic on Port 853 Using UFW: .. code-block:: shell test1$ sudo ufw allow 853/tcp Or using iptables: .. code-block:: shell test1$ sudo iptables -A INPUT -p tcp --dport 853 -j ACCEPT * Step 5: Start and Enable Unbound .. code-block:: shell test1$ sudo systemctl restart unbound test1$ sudo systemctl enable unbound Client-Side Configuration (test2): * Step 1: Install Tools .. code-block:: shell test2$ sudo apt update test2$ sudo apt install dnsutils knot-dnsutils -y * Step 2: Export SSL Keys for Decryption Set the environment variable to log TLS session keys: .. code-block:: shell test2$ export SSLKEYLOGFILE=$HOME/sslkeys.log Then perform the DNS query: .. code-block:: shell test2$ kdig +tls @192.168.0.10 example.com Verify that the session keys are logged: .. code-block:: shell test2$ cat ~/sslkeys.log Expected entries: .. code-block:: text CLIENT_HANDSHAKE_TRAFFIC_SECRET ... SERVER_HANDSHAKE_TRAFFIC_SECRET ... CLIENT_TRAFFIC_SECRET_0 ... SERVER_TRAFFIC_SECRET_0 ... * Step 3: Allow Firewall Traffic (if needed) .. code-block:: shell test2$ sudo ufw allow 853/tcp * Step-4: Wireshark Decryption Configuration 1. Open Wireshark. 2. Capture traffic between test1 and test2. 3. Go to: `Edit` → `Preferences` → `Protocols` → `TLS` 4. Set the **(Pre)-Master-Secret log filename** to: /home/test2/sslkeys.log 5. Restart capture or open the saved pcapng 6. Filter: ip.addr == 192.168.0.10 && ip.addr == 192.168.0.11 7. Look inside decrypted TLS packets to see DNS query/response in plaintext. **Important Notes** - DNS over TLS uses **ephemeral keys**, but since `kdig` uses OpenSSL, and we exported `SSLKEYLOGFILE`, decryption in Wireshark is possible. - This method **only works if the client app uses OpenSSL and honors `SSLKEYLOGFILE`**. - SSH and other protocols that use Perfect Forward Secrecy but do not expose keys cannot be decrypted this way. **Troubleshooting Tips** - Check file permissions: .. code-block:: shell test1$ sudo chown -R unbound:unbound /etc/unbound/private test1$ sudo chmod 700 /etc/unbound/private test1$ sudo chmod 600 /etc/unbound/private/server.* - Validate Unbound configuration: .. code-block:: shell test1$ sudo unbound-checkconf - Check for logs: .. code-block:: shell test1$ sudo journalctl -u unbound -f * Step-5: Wireshark Capture :download:`Download wireshark capture ` **DHCP over AES-encrypted IPsec VPN using strongSwan and DHCP Relay on Ubuntu** * This test case verifies successful DHCP IP address assignment over an AES-encrypted IPsec VPN tunnel using strongSwan and a DHCP relay between two Ubuntu machines. Setup Overview: - VPN Tunnel: AES-encrypted IPsec between Server and Client - Server (VPN + DHCP): 192.168.56.10 - Client (VPN + DHCP Relay): 192.168.56.11 * Step-1: Install strongSwan on Both Machines On both server and client: .. code-block:: shell test:~$ sudo apt update test:~$sudo apt install strongswan * Step-2: Configure IPsec with AES Server (192.168.56.10) Edit ``/etc/ipsec.conf``: .. code-block:: shell config setup charondebug="ike 2, knl 2, cfg 2, net 2, esp 2" conn aesvpn auto=add keyexchange=ikev2 authby=secret left=192.168.56.10 leftid=@server leftsubnet=192.168.56.0/24 right=192.168.56.11 rightid=@client rightsubnet=192.168.56.0/24 ike=aes256-sha256-modp2048! esp=aes256-sha256! Client (192.168.56.11) Edit ``/etc/ipsec.conf``: .. code-block:: shell config setup charondebug="ike 2, knl 2, cfg 2, net 2, esp 2" conn aesvpn auto=start keyexchange=ikev2 authby=secret left=192.168.56.11 leftid=@client leftsubnet=192.168.56.0/24 right=192.168.56.10 rightid=@server rightsubnet=192.168.56.0/24 ike=aes256-sha256-modp2048! esp=aes256-sha256! * Step-3: Set Pre-Shared Key (PSK) On both machines, edit ``/etc/ipsec.secrets``: .. code-block:: shell @server @client : PSK "SuperSecretKey123!" * Step-4: Allow IPsec Ports on Both Machines .. code-block:: shell test1:~$sudo ufw allow 500,4500/udp test1:~$sudo ufw allow in proto esp from 192.168.56.11 test1:~$sudo ufw allow out proto esp to 192.168.56.11 test1:~$sudo ufw reload .. code-block:: shell test2:~$sudo ufw allow 500,4500/udp test2:~$sudo ufw allow in proto esp from 192.168.56.10 test2:~$sudo ufw allow out proto esp to 192.168.56.10 test2:~$sudo ufw reload * Step-5: Start strongSwan .. code-block:: shell sudo systemctl restart strongswan-starter sudo systemctl enable strongswan-starter On client, initiate the tunnel: .. code-block:: shell test2:~$sudo ipsec up aesvpn * Step-6: Install DHCP Server on Server (192.168.56.10) .. code-block:: shell test1:~$sudo apt install isc-dhcp-server Configure DHCP server by editing ``/etc/dhcp/dhcpd.conf``: .. code-block:: shell subnet 192.168.56.0 netmask 255.255.255.0 { range 192.168.56.100 192.168.56.150; option routers 192.168.56.1; option domain-name-servers 8.8.8.8; } Start DHCP server: .. code-block:: shell test1:~$sudo systemctl restart isc-dhcp-server * Step-7: Install and Configure DHCP Relay on Client (192.168.56.11) Install relay agent: .. code-block:: shell test2:~$sudo apt install isc-dhcp-relay Edit ``/etc/default/isc-dhcp-relay``: .. code-block:: shell SERVERS="192.168.56.10" INTERFACES="eth0" OPTIONS="" * Replace ``eth0`` with the actual interface name (use ``ip a`` to find it).* Start and enable relay service: .. code-block:: shell test2:~$sudo systemctl restart isc-dhcp-relay test2:~$sudo systemctl enable isc-dhcp-relay * Step-8: Test the Setup Check VPN status: .. code-block:: shell test2:~$sudo ipsec statusall You should see the ``aesvpn`` connection INSTALLED. Request an IP via DHCP on client: .. code-block:: shell test2:~$sudo dhclient -v eth0 You should receive an IP within the DHCP server range. * Step-9: Wireshark Capture. :download:`Download wireshark capture ` **TLS Communication with AES** * To verify TLS communication using AES encryption, capture encrypted packets with Wireshark, and decrypt them using exported TLS session keys. * Setup Environment * Server: test1 (192.168.0.10) * Client: test2 (192.168.0.11) * Goal: Establish TLS connection with AES cipher, capture and decrypt traffic in Wireshark. * Step-1: Generate TLS Certificate and Private Key on Server .. code-block:: shell test1:~$ openssl req -x509 -newkey rsa:2048 -nodes -keyout server.key -out server.crt -days 365 * Step-2: Start TLS Server on Server (using AES cipher) .. code-block:: shell test1:~$ openssl s_server -accept 4443 -cert server.crt -key server.key -cipher AES256 Server listens on port 4443, keep terminal open. * Step-3: Connect from Client and Log TLS Session Keys .. code-block:: shell test2:~$ openssl s_client -connect 192.168.0.10:4443 -keylogfile ~/sslkeylog.log Type message (e.g., "hello") and press Enter to send encrypted data. Verify key log file: .. code-block:: shell test2:~$ cat ~/sslkeylog.log Confirm presence of `CLIENT_RANDOM` entries. * Step-4: Capture Packets Using Wireshark - Start Wireshark on any host/VM in the network. - Capture on the interface connected to 192.168.0.x network. - Optional capture filter: tcp.port == 4443 * Step-5: Decrypt TLS Traffic in Wireshark - Open Wireshark capture. - Go to: Edit → Preferences → Protocols → TLS - Set (Pre)-Master-Secret log filename to: /home/youruser/sslkeylog.log - Click OK. Wireshark will decrypt TLS packets automatically. Right-click a TLS packet → Follow → TLS Stream to view plaintext. * Important Notes on Decryption - Decryption requires exported session keys via `-keylogfile`. - Without keys, TLS traffic remains encrypted due to ephemeral keys and PFS. - This differs from SSH where no practical key export exists. * Step-6: Wireshark Capture :download:`Download wireshark capture ` **WSS (WebSocket Secure) Setup with AES** * To establish a secure WebSocket connection (`wss://`) between a Node.js server and client using TLS (AES encryption) and decrypt the traffic using Wireshark by exporting TLS session keys. * Setup Environment * Server: test1 (192.168.0.10) * Client: test2 (192.168.0.11) * Goal: Enable WSS, capture encrypted traffic, and decrypt using exported keys. * Prerequisites * Both machines have Node.js and npm installed. * Wireshark installed on the host or one of the VMs. * `wscat` installed on client for WebSocket testing. * Step-1: Prepare WSS Server on test1 .. code-block:: shell test1:~$ mkdir -p ~/ws-server/certs test1:~$ cd ~/ws-server * Step-2: Generate TLS Certificate and Key .. code-block:: shell test1:~/ws-server$ openssl req -x509 -nodes -days 365 \ -newkey rsa:2048 \ -keyout certs/key.pem \ -out certs/cert.pem \ -subj "/CN=192.168.0.10" * Step-3: Create WSS Server Script .. code-block:: shell test1:~/ws-server$ nano server.js Paste the following: .. code-block:: shell const fs = require('fs'); const https = require('https'); const WebSocket = require('ws'); const server = https.createServer({ cert: fs.readFileSync(__dirname + '/certs/cert.pem'), key: fs.readFileSync(__dirname + '/certs/key.pem') }); const wss = new WebSocket.Server({ server, path: '/ws' }); wss.on('connection', (ws) => { console.log('Client connected'); ws.send('Hello from backend WebSocket server'); ws.on('message', (message) => { console.log('Received:', message.toString()); ws.send(`You said: ${message}`); }); ws.on('close', () => { console.log('Client disconnected'); }); }); server.listen(3000, () => { console.log('HTTPS WebSocket server listening on port 3000'); }); * Step-4: Install Dependencies .. code-block:: shell test1:~/ws-server$ npm init -y test1:~/ws-server$ npm install ws * Step-5: Enable Key Logging for TLS Decryption Set the `SSLKEYLOGFILE` variable to log session keys: .. code-block:: shell test1:~/ws-server$ export SSLKEYLOGFILE=~/tlskeylog.log test1:~/ws-server$ node server.js HTTPS WebSocket server listening on port 3000 * Step-6: Install wscat and Connect from Client .. code-block:: shell test2:~$ sudo npm install -g wscat Connect to WSS server (skipping TLS verification due to self-signed cert): .. code-block:: shell test2:~$ wscat -n -c wss://192.168.0.10:3000/ws --no-check Connected (press CTRL+C to quit) < Hello from backend WebSocket server > You can now exchange messages. * Step-7: Capture Packets with Wireshark - Start Wireshark on host or either VM. - Begin capturing on the interface connected to `192.168.0.x`. - Use capture filter: tcp.port == 3000 * Step-8: Decrypt WSS Traffic in Wireshark - On the system with `SSLKEYLOGFILE`, open Wireshark. - Go to: Edit → Preferences → Protocols → TLS - Set the (Pre)-Master-Secret log file path: /home/youruser/tlskeylog.log - Load your `.pcapng` file. - Wireshark will now decrypt the WSS stream. Right-click → "Follow" → "TLS Stream" to see the plaintext WebSocket messages. * Important Notes - The `SSLKEYLOGFILE` method works because Node.js (via OpenSSL) supports session key export. - This setup demonstrates end-to-end encrypted WebSocket communication and successful decryption using key logging. * Optional: Allow Port in Firewall (if needed) .. code-block:: shell test1:~$ sudo ufw allow 3000 * Step-9: Wireshark Capture :download:`Download wireshark capture ` **FTPS (Explicit TLS) Setup with AES Encryption using vsftpd** * This guide demonstrates how to set up a secure FTPS server using vsftpd and connect using `lftp` from a client machine. Encryption is enforced using TLS (with AES) and verified via packet capture. * Setup Environment * Server: test1 (192.168.56.10) * Client: test2 (192.168.56.11) * Goal: Enable secure file transfer over FTPS with AES encryption and verify via Wireshark. * Step-1: Install vsftpd on Server .. code-block:: shell test1:~$ sudo apt-get update test1:~$ sudo apt-get install vsftpd -y * Step-2: Configure vsftpd for Explicit TLS (FTPS) Edit `/etc/vsftpd.conf` and ensure the following settings are applied: .. code-block:: shell local_enable=YES write_enable=YES chroot_local_user=YES allow_writeable_chroot=YES ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=YES force_local_logins_ssl=YES rsa_cert_file=/etc/ssl/certs/vsftpd.pem rsa_private_key_file=/etc/ssl/private/vsftpd.key pasv_enable=YES pasv_min_port=40000 pasv_max_port=40100 ssl_ciphers=HIGH * Step-3: Generate Self-Signed Certificate .. code-block:: shell test1:~$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout /etc/ssl/private/vsftpd.key \ -out /etc/ssl/certs/vsftpd.pem \ -subj "/CN=192.168.56.10" * Step-4: Restart vsftpd .. code-block:: shell test1:~$ sudo systemctl restart vsftpd * Step-5: Allow Ports in UFW Firewall .. code-block:: shell test1:~$ sudo ufw allow 21/tcp test1:~$ sudo ufw allow 40000:40100/tcp test1:~$ sudo ufw reload * Step-6: Create FTP User .. code-block:: shell test1:~$ sudo adduser ftpuser # Set password when prompted Ensure `ftpuser` has a valid home directory and write permissions. * Step-7: Connect via lftp from Client .. code-block:: shell test2:~$ lftp -u ftpuser 192.168.56.10 Enter the password when prompted. * Step-8: Configure FTPS (TLS) Settings in lftp Inside the `lftp` prompt, run: .. code-block:: shell set ftp:ssl-force true set ftp:ssl-protect-data true set ftp:ssl-protect-list yes set ftp:passive-mode on set ssl:verify-certificate no * Step-9: Test FTP Commands .. code-block:: shell lftp> ls lftp> put send_rarp_request.c lftp> get send_rarp_request.c -o send_rarp_request_new.c * Step-10: Capture and Verify FTPS in Wireshark - Start Wireshark on either test1 or test2. - Use this display filter: tcp.port == 21 || (tcp.port >= 40000 && tcp.port <= 40100) - Look for `AUTH TLS`, `TLS Handshake`, and `Encrypted Alert` packets. - Encryption used: AES (TLS_RSA_WITH_AES_256_CBC_SHA or similar depending on negotiation). - Decryption is possible only if the session keys are logged using `SSLKEYLOGFILE` environment variable. * TLS Decryption with Wireshark To decrypt FTPS traffic: 1. Export the session key on the client (or server) using: .. code-block:: shell test2:~$ export SSLKEYLOGFILE=~/ftps_keys.log test2:~$ lftp -u ftpuser 192.168.56.10 2. In Wireshark: - Navigate to `Edit → Preferences → Protocols → TLS` - Set the `(Pre)-Master-Secret log filename` to the path of `ftps_keys.log` 3. Load the `.pcap` file and Wireshark will decrypt TLS streams. Not all versions of lftp/OpenSSL support exporting `SSLKEYLOGFILE`. If unsupported, decryption will not be possible. * Step-11: Wireshark Capture :download:`Download Wireshark Capture ` * Notes - **Explicit FTPS** uses port 21 for control and negotiates TLS via `AUTH TLS`. - **Passive data ports** (40000–40100) must be opened for file transfers to work. - Use `ftp://` or raw IP with lftp. Do **not** use `ftps://` for explicit FTPS. - To avoid certificate warnings during testing, disable cert verification using: set ssl:verify-certificate no **MQTT over TLS (Mosquitto Broker & Client) with AES Encryption** * This guide sets up secure MQTT communication over TLS (port 8883) using Mosquitto. TLS encryption (with AES) is verified and decrypted using Wireshark. * Setup Environment * Broker: test1 (192.168.56.11) * Client: test2 (192.168.56.10) * TLS Port: 8883 * Goal: Secure MQTT with TLS and decrypt traffic using session keys. * Step-1: Generate TLS Certificates (on Broker) .. code-block:: shell test1:~$ openssl genrsa -out ca.key 2048 test1:~$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/CN=MQTT Test CA" test1:~$ openssl genrsa -out server.key 2048 test1:~$ openssl req -new -out server.csr -key server.key -subj "/CN=192.168.56.11" test1:~$ openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \ -CAcreateserial -out server.crt -days 365 * Step-2: Configure Mosquitto for TLS .. code-block:: shell test1:~$ sudo mkdir -p /etc/mosquitto/certs test1:~$ sudo cp server.crt server.key ca.crt /etc/mosquitto/certs/ test1:~$ sudo chown mosquitto:mosquitto /etc/mosquitto/certs/*.crt /etc/mosquitto/certs/*.key test1:~$ sudo chmod 640 /etc/mosquitto/certs/*.crt /etc/mosquitto/certs/*.key Create config file `/etc/mosquitto/conf.d/tls.conf`: .. code-block:: shell listener 8883 cafile /etc/mosquitto/certs/ca.crt certfile /etc/mosquitto/certs/server.crt keyfile /etc/mosquitto/certs/server.key require_certificate false tls_version tlsv1.2 Confirm `/etc/mosquitto/mosquitto.conf` includes: .. code-block:: shell include_dir /etc/mosquitto/conf.d Restart Mosquitto: .. code-block:: shell test1:~$ sudo systemctl restart mosquitto * Step-3: Copy CA Certificate to Client .. code-block:: shell test1:~$ cp /etc/mosquitto/certs/ca.crt ~/ test2:~$ scp pavithra@192.168.56.11:~/ca.crt ~/ * Step-4: Build MQTT TLS Client in C (on Client) .. code-block:: shell test2:~$ sudo apt install git cmake gcc libssl-dev -y test2:~$ git clone https://github.com/eclipse/paho.mqtt.c.git test2:~$ cd paho.mqtt.c test2:~/paho.mqtt.c$ mkdir build && cd build test2:~/paho.mqtt.c/build$ cmake .. -DPAHO_WITH_SSL=TRUE \ -DOPENSSL_ROOT_DIR=/usr \ -DOPENSSL_INCLUDE_DIR=/usr/include/openssl \ -DOPENSSL_LIBRARIES=/usr/lib/x86_64-linux-gnu test2:~/paho.mqtt.c/build$ make test2:~/paho.mqtt.c/build$ sudo make install test2:~$ sudo ldconfig * Step-5: Write and Compile the TLS MQTT C Client Save the following as `mqtt_tls_client.c`: .. code-block:: shell #include #include #include #include "MQTTClient.h" #define ADDRESS "ssl://192.168.56.11:8883" #define CLIENTID "CClient" #define TOPIC "test/topic" #define QOS 1 #define TIMEOUT 10000L int main() { MQTTClient client; MQTTClient_connectOptions conn_opts = MQTTClient_connectOptions_initializer; MQTTClient_SSLOptions ssl_opts = MQTTClient_SSLOptions_initializer; int rc; if ((rc = MQTTClient_create(&client, ADDRESS, CLIENTID, MQTTCLIENT_PERSISTENCE_NONE, NULL)) != MQTTCLIENT_SUCCESS) { printf("Failed to create client: %d\n", rc); return -1; } ssl_opts.trustStore = "/home/pavithra/ca.crt"; ssl_opts.enableServerCertAuth = 1; conn_opts.keepAliveInterval = 20; conn_opts.cleansession = 1; conn_opts.ssl = &ssl_opts; if ((rc = MQTTClient_connect(client, &conn_opts)) != MQTTCLIENT_SUCCESS) { printf("Failed to connect, return code %d\n", rc); MQTTClient_destroy(&client); return -1; } printf("Connected to MQTT broker via TLS.\n"); if ((rc = MQTTClient_subscribe(client, TOPIC, QOS)) != MQTTCLIENT_SUCCESS) { printf("Failed to subscribe, return code %d\n", rc); MQTTClient_disconnect(client, 10000); MQTTClient_destroy(&client); return -1; } while (1) { char* topicName = NULL; int topicLen; MQTTClient_message* message = NULL; rc = MQTTClient_receive(client, &topicName, &topicLen, &message, TIMEOUT); if (rc == MQTTCLIENT_SUCCESS && message != NULL) { printf("Message received: %.*s\n", message->payloadlen, (char*)message->payload); MQTTClient_freeMessage(&message); MQTTClient_free(topicName); } } MQTTClient_disconnect(client, 10000); MQTTClient_destroy(&client); return 0; } Compile the client: .. code-block:: shell test2:~$ gcc -Wall -o mqtt_tls_client mqtt_tls_client.c \ -I/usr/include/openssl \ -L/usr/local/lib -lpaho-mqtt3cs -lssl -lcrypto \ -Wl,-rpath,/usr/local/lib * Step-6: Run with TLS Key Logging .. code-block:: shell test2:~$ export SSLKEYLOGFILE=~/mqtt_keys.log test2:~$ export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH test2:~$ ./mqtt_tls_client Connected to MQTT broker via TLS. Message received: Hello over TLS * Step-7: Publish Message to Topic (From Another Terminal) .. code-block:: shell test2:~$ mosquitto_pub -h 192.168.56.11 -p 8883 \ --cafile ~/ca.crt \ --tls-version tlsv1.3 \ -t test/topic -m "Hello over TLS" * Step-8: (Optional) Subscribe and Publish Using mosquitto_sub .. code-block:: shell test2:~$ mosquitto_sub -h 192.168.56.11 -p 8883 \ --cafile ~/ca.crt -t test/topic -d test2:~$ mosquitto_pub -h 192.168.56.11 -p 8883 \ --cafile ~/ca.crt -t test/topic -m "Secure test message" -d * Step-9: Decrypt TLS in Wireshark - Open Wireshark - Go to: Edit → Preferences → Protocols → TLS - Set the **(Pre)-Master-Secret log filename** to:/home/pavithra/mqtt_keys.log - Load the pcap file and decrypt the MQTT TLS traffic. - Use display filter: tcp.port == 8883 - Right-click a TLS packet → "Follow TLS stream" → View decrypted content. * Step-10: Wireshark Capture :download:`Download Wireshark Capture ` .. _AES_step20: .. tab-set:: .. tab-item:: AES Basic Setup on Ubuntu using IPv6 **AES IPsec VPN Setup on Ubuntu with strongSwan (IPv6)** * This guide explains how to configure a basic AES-encrypted IPsec VPN tunnel between two Ubuntu machines using IPv6 addressing. Prerequisites: * Two Ubuntu machines with IPv6 addresses: - Server IPv6: fd00:56::10 (test1) - Client IPv6: fd00:56::11 (test2) * Both machines have strongSwan installed. * UFW firewall enabled (optional but recommended). * Step 1: Install strongSwan On both machines, run: .. code-block:: shell test1:~$ sudo apt update test1:~$ sudo apt install strongswan test2:~$ sudo apt update test2:~$ sudo apt install strongswan * Step 2: Configure IPsec ### Server Configuration (`/etc/ipsec.conf`) .. code-block:: shell config setup charondebug="ike 2, knl 2, cfg 2, net 2, esp 2" conn aesvpn auto=add keyexchange=ikev2 authby=secret left=fd00:56::10 leftid=@server leftsubnet=fd00:56::/64 right=fd00:56::11 rightid=@client rightsubnet=fd00:56::/64 ike=aes256-sha256-modp2048! esp=aes256-sha256! ### Client Configuration (`/etc/ipsec.conf`) .. code-block:: shell config setup charondebug="ike 2, knl 2, cfg 2, net 2, esp 2" conn aesvpn auto=start keyexchange=ikev2 authby=secret left=fd00:56::11 leftid=@client leftsubnet=fd00:56::/64 right=fd00:56::10 rightid=@server rightsubnet=fd00:56::/64 ike=aes256-sha256-modp2048! esp=aes256-sha256! * Step 3: Set Pre-Shared Key On both machines, edit `/etc/ipsec.secrets` to add: .. code-block:: shell test1:~$ @server @client : PSK "SuperSecretKey123!" test2:~$ @client @server : PSK "SuperSecretKey123!" * Step 4: Configure UFW Firewall Rules Server (fd00:56::10): .. code-block:: shell test1:~$ sudo ufw allow 500,4500/udp test1:~$ sudo ufw allow in proto esp from fd00:56::11 test1:~$ sudo ufw allow out proto esp to fd00:56::11 test1:~$ sudo ufw reload Client (fd00:56::11): .. code-block:: shell test2:~$ sudo ufw allow 500,4500/udp test2:~$ sudo ufw allow in proto esp from fd00:56::10 test2:~$ sudo ufw allow out proto esp to fd00:56::10 test2:~$ sudo ufw reload * Step 5: Start and Enable strongSwan Service On both machines: .. code-block:: shell test1:~$ sudo ipsec restart test2:~$ sudo ipsec restart * Step 6: Initiate the VPN Connection .. code-block:: shell test2:~$ sudo ipsec up aesvpn **Example Output:** initiating IKE_SA aesvpn[1] to fd00:56::10 generating IKE_AUTH request 1 [ IDi CERTREQ ] sending packet: from fd00:56::11[4500] to fd00:56::10[4500] (1400 bytes) received packet: from fd00:56::10[4500] to fd00:56::11[4500] (1400 bytes) parsed IDr payload: ID_IPV6_ADDR: fd00:56::10 received CERT request for "C=US, O=strongSwan, CN=server" sending packet: from fd00:56::11[4500] to fd00:56::10[4500] (1400 bytes) IKE_AUTH response processed established IKE_SA aesvpn[1] successfully establishing CHILD_SA aesvpn{1} sending packet: from fd00:56::11[4500] to fd00:56::10[4500] (1400 bytes) received packet: from fd00:56::10[4500] to fd00:56::11[4500] (1400 bytes) established CHILD_SA aesvpn{1} successfully (Optional) On the server machine: .. code-block:: shell test1:~$ sudo ipsec up aesvpn * Step 7: Verify VPN Status On either machine: .. code-block:: shell test1:~$ sudo ipsec statusall **Example Output:** Security Associations (1 up, 0 connecting): aesvpn[1]: ESTABLISHED 4 minutes ago, fd00:56::11[client]...fd00:56::10[server] IKEv2 SPIs: 123456789abcdef0_i 123456789abcdef0_r, rekeying in 10 minutes CHILD_SA aesvpn{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3f8e1a3_i 7d4b2c6e_o AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ lifetime: 1h0m, bytes_i: 1500, bytes_o: 1200 Connections: aesvpn: fd00:56::11...fd00:56::10 IKEv2, dpddelay=30s * Step 8: Test Connectivity .. code-block:: shell test2:~$ ping6 fd00:56::10 * Step 9: Capture IPsec (AES) Packets with Wireshark * Launch Wireshark on either machine. * Use the filter to capture ESP (IPsec encrypted) packets: * You should observe ESP packets flowing between `fd00:56::10` and `fd00:56::11`. * Step 10: Capture the test using Wireshark. :download:`Download Wireshark capture ` .. _AES_step6: .. tab-set:: .. tab-item:: AES Protocol Packet Details **AES Encryption Packet** .. csv-table:: :file: ./AES/aes_packet1_details.csv :widths: 10,20,30,10 :header-rows: 1 **AES Decryption Packet** .. csv-table:: :file: ./AES/aes_packet2_details.csv :widths: 10,20,30,10 :header-rows: 1 .. _AES_step7: .. tab-set:: .. tab-item:: AES Usecases .. csv-table:: :file: ./AES/aes_usecases.csv :widths: 10,20,30 :header-rows: 1 .. _AES_step8: .. tab-set:: .. tab-item:: AES Basic Features .. csv-table:: :file: ./AES/aes_features.csv :widths: 10,10,30 :header-rows: 1 .. _AES_step9: .. tab-set:: .. tab-item:: AES Feature : Symmetric Key Cipher **Symmetric Key Cipher - Testcases** .. csv-table:: :file: ./AES/aes_feature1_test_cases.csv :widths: 10,10,30,20 :header-rows: 1 .. _AES_step10: .. tab-set:: .. tab-item:: AES Feature : Block Cipher **Block Cipher - Testcases** .. csv-table:: :file: ./AES/aes_feature2_test_cases.csv :widths: 10,10,30,20 :header-rows: 1 .. _AES_step11: .. tab-set:: .. tab-item:: AES Feature : Key Sizes **Key sizes - Testcases** .. csv-table:: :file: ./AES/aes_feature3_test_cases.csv :widths: 10,10,30,20 :header-rows: 1 .. _AES_step12: .. tab-set:: .. tab-item:: AES Feature : Number of Rounds **Number of Rounds - Testcases** .. csv-table:: :file: ./AES/aes_feature4_test_cases.csv :widths: 10,10,30,20 :header-rows: 1 .. _AES_step13: .. tab-set:: .. tab-item:: AES Feature : Substitution-Permutation Network (SPN) **Substitution-Permutation Network (SPN) - Testcases** .. csv-table:: :file: ./AES/aes_feature5_test_cases.csv :widths: 10,10,30,20 :header-rows: 1 .. _AES_step14: .. tab-set:: .. tab-item:: AES Feature : Fast and Efficient **Fast and Efficient - Testcases** .. csv-table:: :file: ./AES/aes_feature6_test_cases.csv :widths: 10,10,30,20 :header-rows: 1 .. _AES_step15: .. tab-set:: .. tab-item:: AES Feature : Strong Security **Strong Security - Testcases** .. csv-table:: :file: ./AES/aes_feature7_test_cases.csv :widths: 10,10,30,20 :header-rows: 1 .. _AES_step16: .. tab-set:: .. tab-item:: AES Feature : Widely Adopted **Widely Adopted - Testcases** .. csv-table:: :file: ./AES/aes_feature8_test_cases.csv :widths: 10,10,30,20 :header-rows: 1 .. _AES_step17: .. tab-set:: .. tab-item:: AES Feature : Flexible Modes of Operation **Flexible Modes of Operation - Testcases** .. csv-table:: :file: ./AES/aes_feature9_test_cases.csv :widths: 10,10,30,20 :header-rows: 1 .. _AES_step18: .. tab-set:: .. tab-item:: Reference links * Reference links