Changes

CTF/InsomniHack-2018/Spoke

15 bytes removed, 20:35, 24 March 2018
/* Decrypt the traffic */
Analysing the traffic capture, we find IPsec-encrypted traffic between two endpoints, 10.13.38.122 and 10.13.37.70. Fortunately, the Fortinet debug output gives us the session keys, which can be used to decrypt the ESP traffic directly in Wireshark.
[[File:Screenshot_2018-03-24_12-29-48.png|frame|none|alt=|caption Configuring ESP SAs]]
[[File:Screenshot_2018-03-24_20-58-36.png|frame|none|alt=|caption Configuring IKEv1 Decryption Table]]
This packet shows us the actual target of this challenge:
<pre>24 4.503228 10.13.38.122 10.249.251.10 DNS 170 Standard query 0x6561 A intranet.gloup.adds OPT</pre>
 
== Crack the PSK ==