Title: When IPsec VPNs Come Under Attack
Slide 1: When IPsec VPNs Come Under Attack
Slide 2: Man-in-the-Middle

Step 1: Enterprise AP uses Internet Key Exchange (IKE) to perform XAUTH authentication with a malicious user posing as a legitimate client.
Step 2: Malicious user broadcasts as if he were an AP, and uses IKE to perform XAUTH authentication with a legitimate enterprise user and performs RADIUS mutual authentication.
Step 3: Malicious user forms a valid IPsec VPN with the enterprise LAN and disconnects the legitimate user.

[Diagram: VPN Concentrator, Legitimate User, Malicious User (hybrid client/AP)]
Slide 3: IP Spoofing

Malicious user steals an IP address already in use, or sends a DHCP request to the AP, then attacks a legitimate user on the same subnet.

[Diagram: VPN Concentrator, Legitimate User, Malicious User]
Slide 4: ARP Spoofing

Step 1: Legitimate user sends an ARP request, which the AP broadcasts. ("Hey 10.1.1.1, are you there?")
Step 2: Another legitimate user responds to the ARP request. ("Yes, I'm here! This is 10.1.1.1 and my MAC address is 123456")
Step 3: Malicious user eavesdrops on the ARP request and responds after the legitimate user, sending his malicious MAC address to the originator of the request. ("No, I'M 10.1.1.1 and MY MAC address is 987654")
Step 4: Information for IP address 10.1.1.1 is now being sent to malicious MAC address 987654.

[Diagram: VPN Concentrator, IPsec VPN, Legitimate User, Malicious User]
Slide 5: MAC Duplicating

Malicious user sniffs the air for MAC addresses of currently associated legitimate users and then uses that MAC address to attack other users associated to the same AP.

[Diagram: VPN Concentrator, Legitimate User, Malicious User]
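Both the ARP spoofing scenario on slide 4 (a second, malicious answer claiming 10.1.1.1) and the MAC duplicating scenario on slide 5 (one MAC address suddenly standing behind more than one IP) leave a trace in the ARP replies an AP or a monitoring sensor can observe. The following detector is an added example, not material from the slide deck; it replays a constructed list of ARP replies (timestamps, IPs and MACs are made up to mirror the slide's 123456/987654 figures) and flags conflicts in both directions of the IP-to-MAC binding.

```python
"""Added example (not from the slide deck): offline detector for the ARP
spoofing (slide 4) and MAC duplicating (slide 5) scenarios. It replays a
constructed list of ARP replies and flags (a) an IP address claimed by a
second MAC and (b) a MAC address that claims more than one IP."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample of ARP replies as a sensor would see them:
# (timestamp_seconds, sender_ip, sender_mac). MACs echo the slide's 123456/987654.
SAMPLE_ARP_REPLIES: List[Tuple[float, str, str]] = [
    (1.0, "10.1.1.1", "00:00:00:12:34:56"),  # legitimate user answers first
    (1.2, "10.1.1.1", "00:00:00:98:76:54"),  # second answer for the same IP (slide 4)
    (2.0, "10.1.1.2", "00:00:00:aa:bb:cc"),
    (3.0, "10.1.1.3", "00:00:00:aa:bb:cc"),  # same MAC now claims another IP (slide 5)
    (4.0, "10.1.1.2", "00:00:00:aa:bb:cc"),  # repeat of a known binding, no alert
]


def detect_binding_conflicts(replies):
    """Return alerts as tuples (kind, timestamp, ip, mac, previous), in the order seen.

    kind is "ip_conflict" when an IP is answered for by a MAC other than the one
    that first claimed it, and "mac_conflict" when a MAC already bound to one IP
    starts answering for a different IP. `previous` is the earlier MAC, or the
    comma-joined earlier IPs, so an analyst sees what the new claim contradicts.
    """
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        prev_mac = ip_to_mac.get(ip)
        if prev_mac is not None and prev_mac != mac:
            alerts.append(("ip_conflict", ts, ip, mac, prev_mac))
        # First claim is kept as the reference binding, so a later spoofed
        # answer (the slide's "No, I'M 10.1.1.1") shows up against it.
        ip_to_mac.setdefault(ip, mac)
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alerts.append(("mac_conflict", ts, ip, mac, ",".join(sorted(mac_to_ips[mac]))))
        mac_to_ips[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_binding_conflicts(SAMPLE_ARP_REPLIES):
        print(alert)
```

The first-claim-wins rule is a deliberate simplification: on a real network a legitimate DHCP lease change also moves an IP to a new MAC, so a production detector would age out bindings or cross-check against the DHCP server's lease table before raising an alert, which this example does not do.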
Slide 6: Denial-of-Service

Malicious user floods the AP to deny service to any legitimate user associated to that AP.

[Diagram: VPN Concentrator, Legitimate User, Malicious User]
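The flood on slide 6 is visible to the AP as a frame rate far above what any single station normally sends. As an added example that is not part of the deck, this sliding-window check counts frames per source MAC over constructed (timestamp, MAC) records and reports the moment a source exceeds a threshold; the window size, threshold and sample traffic are all assumed values chosen for illustration.

```python
"""Added example (not from the slide deck): sliding-window rate check that
flags a station flooding an AP, the denial-of-service scenario on slide 6.
Input is a constructed list of (timestamp_seconds, source_mac) frame records."""
from collections import deque
from typing import Deque, Dict, List, Tuple

# Constructed traffic: one client at 2 frames/s and one source at 100 frames/s.
SAMPLE_FRAMES: List[Tuple[float, str]] = (
    [(i * 0.5, "00:00:00:00:00:01") for i in range(10)]
    + [(2.0 + i * 0.01, "00:00:00:00:00:ff") for i in range(300)]
)


def find_flooders(frames, window_seconds=1.0, threshold=50):
    """Return {mac: first_timestamp_at_which_it_exceeded} for every source that
    sends more than `threshold` frames inside any `window_seconds` interval.
    Frames are sorted by time first so the window logic holds for any input order."""
    recent: Dict[str, Deque[float]] = {}
    flagged: Dict[str, float] = {}
    for ts, mac in sorted(frames):
        q = recent.setdefault(mac, deque())
        q.append(ts)
        # Drop timestamps that have fallen out of the trailing window.
        while q and ts - q[0] > window_seconds:
            q.popleft()
        if len(q) > threshold and mac not in flagged:
            flagged[mac] = ts
    return flagged


if __name__ == "__main__":
    for mac, ts in find_flooders(SAMPLE_FRAMES).items():
        print(f"{mac} exceeded the rate threshold at t={ts:.2f}s")
```

Keying on the source MAC is enough for the naive flood shown on the slide; a source that rotates spoofed MACs would spread its frames across many keys, so an AP-wide aggregate counter over the same window is the companion check in practice.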
Slide 7: When Connections Stray

Malicious user hijacks a legitimate user's connection outside of the IPsec tunnel to access the Internet.

[Diagram: VPN Concentrator, Legitimate User, Malicious User]