There is an alternative way to visualise ISAKMP messages in Wireshark which handles any encryption algorithm because it uses Mikrotik’s own decryption.
Instead of copying the decryption key from Mikrotik’s log, you copy the decrypted received packet bytes, reformat them into hexdump text, and import that hexdump into Wireshark. Before doing that, you have to change the LSB of the byte at offset 19 (0x13) to 0 to indicate that the packet contents are not encrypted.
Example:
17:16:08 ipsec,debug decrypted.
17:16:08 ipsec,debug cf799370 3348f607 b93a5364 dff8e5c1 08102001 d07af856 000000bc 01000018
17:16:08 ipsec,debug bbdc223a 45e440a6 08cdc9f9 f76330d8 7dd34ee3 0a000034 00000001 00000001
17:16:08 ipsec,debug 00000028 01030401 051362b2 0000001c 030c0000 80010001 80020708 80040004
17:16:08 ipsec,debug 80060100 80050002 0500001c d63a6d7e 34482207 4854d91a cd3939fc 5b8f2cee
17:16:08 ipsec,debug 069bbca6 0500000c 011106a5 c0a805ad 1500000c 011106a5 c0a80a58 1500000c
17:16:08 ipsec,debug 01001194 0a000005 0000000c 01001194 c0a80a58 61b34e5d 7b4c7d07
converts into
0000 cf 79 93 70 33 48 f6 07 b9 3a 53 64 df f8 e5 c1 08 10 20 01 d0 7a f8 56 00 00 00 bc 01 00 00 18
0020 bb dc 22 3a 45 e4 40 a6 08 cd c9 f9 f7 63 30 d8 7d d3 4e e3 0a 00 00 34 00 00 00 01 00 00 00 01
0040 00 00 00 28 01 03 04 01 05 13 62 b2 00 00 00 1c 03 0c 00 00 80 01 00 01 80 02 07 08 80 04 00 04
0060 80 06 01 00 80 05 00 02 05 00 00 1c d6 3a 6d 7e 34 48 22 07 48 54 d9 1a cd 39 39 fc 5b 8f 2c ee
0080 06 9b bc a6 05 00 00 0c 01 11 06 a5 c0 a8 05 ad 15 00 00 0c 01 11 06 a5 c0 a8 0a 58 15 00 00 0c
00a0 01 00 11 94 0a 00 00 05 00 00 00 0c 01 00 11 94 c0 a8 0a 58 61 b3 4e 5d 7b 4c 7d 07
Byte at offset 19 has a value of 01, so you change it to 00:
0000 cf 79 93 70 33 48 f6 07 b9 3a 53 64 df f8 e5 c1 08 10 20 01 d0 7a f8 56 00 00 00 bc 01 00 00 18
v
0000 cf 79 93 70 33 48 f6 07 b9 3a 53 64 df f8 e5 c1 08 10 20 00 d0 7a f8 56 00 00 00 bc 01 00 00 18
…Then, you save the result to a file. A space MUST follow the last hex digit on the last line of the hex dump.
As the last step you use the “Import from Hex Dump” functionality of Wireshark to import the file, adding a UDP “dummy header” with source port 500 or 4500 as appropriate.
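The conversion steps above as a script, added here as an example and not part of the original text. It assumes the log layout shown in the example (hex words on the `ipsec,debug` lines that follow `decrypted.`); the function names are illustrative, and the check against the ISAKMP header Length field is an extra sanity check the steps above do not include.

```python
import re

# Decrypted packet from the example above, exactly as logged.
SAMPLE_LOG = """\
17:16:08 ipsec,debug decrypted.
17:16:08 ipsec,debug cf799370 3348f607 b93a5364 dff8e5c1 08102001 d07af856 000000bc 01000018
17:16:08 ipsec,debug bbdc223a 45e440a6 08cdc9f9 f76330d8 7dd34ee3 0a000034 00000001 00000001
17:16:08 ipsec,debug 00000028 01030401 051362b2 0000001c 030c0000 80010001 80020708 80040004
17:16:08 ipsec,debug 80060100 80050002 0500001c d63a6d7e 34482207 4854d91a cd3939fc 5b8f2cee
17:16:08 ipsec,debug 069bbca6 0500000c 011106a5 c0a805ad 1500000c 011106a5 c0a80a58 1500000c
17:16:08 ipsec,debug 01001194 0a000005 0000000c 01001194 c0a80a58 61b34e5d 7b4c7d07
"""

FLAGS_OFFSET = 19  # ISAKMP header flags byte; bit 0 is the Encryption flag
HEX_LINE = re.compile(r"ipsec,debug((?: (?:[0-9a-f]{2}){1,4})+)\s*$")

def log_to_bytes(log_text):
    """Collect the hex words that follow the 'decrypted.' marker line."""
    data, collecting = bytearray(), False
    for line in log_text.splitlines():
        m = HEX_LINE.search(line)
        if line.rstrip().endswith("ipsec,debug decrypted."):
            collecting = True
        elif collecting and m:
            data += bytes.fromhex(m.group(1).replace(" ", ""))
        elif collecting and data:
            break  # first non-hex line after the dump ends the packet
    return bytes(data)

def clear_encryption_flag(packet):
    """Return the packet with the LSB of the byte at offset 19 set to 0."""
    declared = int.from_bytes(packet[24:28], "big")  # header Length field
    if len(packet) < 28 or declared != len(packet):
        raise ValueError("length does not match ISAKMP header; lines missing?")
    out = bytearray(packet)
    out[FLAGS_OFFSET] &= 0xFE
    return bytes(out)

def to_hexdump(packet, width=32):
    """Offset plus spaced hex bytes; every line ends with a space."""
    return "".join(
        f"{off:04x} {packet[off:off + width].hex(' ')} \n"
        for off in range(0, len(packet), width)
    )

def convert(log_text):
    """Log excerpt in, text ready for 'Import from Hex Dump' out."""
    return to_hexdump(clear_encryption_flag(log_to_bytes(log_text)))
```

Write the string returned by `convert()` to a file and import that file as described in the last step.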