Penetration Testing IPSec VPN (Virtual Private Network)


In this article we discuss penetration testing of IPSec VPNs (Virtual Private Networks). A VPN provides secure (encrypted) communication between remote locations or users over the internet, as if they were on the same network. There are basically two types of VPN: IPSec VPN and SSL VPN. IPSec is a widely used protocol for establishing secure connections between networks and for connecting hosts into virtual private networks.

Within IPSec VPN there are several subsidiary protocols, each responsible for a specific task or function; I have described them below:

  1. Authentication Header (AH): AH provides proof of origin for IP packets and protects them against replay attacks.
  2. Encapsulating Security Payload (ESP): ESP provides origin authenticity, integrity, and confidentiality for the transmitted data.
  3. Security Association (SA): An SA is the set of algorithms and parameters used to encrypt and authenticate the transmitted data. Because an SA covers data transmission in one direction only, two-way communication is secured by a pair of security associations. Security associations are established using the Internet Security Association and Key Management Protocol (ISAKMP), which can be carried out in several ways. When testing the security of a VPN, one of the most vulnerable configurations is Internet Key Exchange (IKE) authentication that relies on preshared secrets.

To assess the security of an IPSec VPN, penetration testers should follow these basic steps:

  1. Scanning VPN gateways.
  2. Fingerprinting VPN gateways (determine vendor and configuration details).
  3. Finding vulnerabilities associated with the VPN vendor or related products.
  4. Capturing preshared keys.
  5. PSK cracking (offline).
  6. Checking for default user accounts.

1. Scanning for VPN gateways – Penetration Testing IPSec VPN

To scan for the presence of VPN gateways, use nmap or ike-scan. With nmap, issue the following command:
# nmap -sU -Pn -p 500 <IP Address>

Explaining the above command,

  • -sU tells nmap to scan the host range using UDP packets (instead of TCP).
  • -Pn skips the ping-based host discovery step (which can alert the target to the scan and identify the tester).
  • -p 500 restricts the scan to port 500, the port used by IKE.

Nmap is a powerful tool, but the most effective scanner here is one that sends a correctly formatted IKE packet to the target system and displays the returned message. Nmap does not locate all VPN gateways because of how it handles IKE packets.

The best tool for locating a VPN gateway is ike-scan, which can be found by navigating to Kali Linux | Information Gathering | ike-scan (it may also be preinstalled in Parrot OS). This command-line tool uses the IKE protocol to discover and fingerprint VPN gateways. It also supports preshared key cracking in IKE aggressive mode. To use ike-scan to locate targets, issue the following command:
# ike-scan -M <Target IP>
The execution of the above command is shown in the following screenshot. The summary line at the end of the output is read as follows:

  • 0 returned handshake; 0 returned notify: The target is not an IPSec gateway.
  • 0 returned handshake; 1 returned notify: A VPN gateway is present, but none of the transforms ike-scan offered it are acceptable.
  • 1 returned handshake; 0 returned notify: As shown in the previous screenshot, the target is configured for IPSec and will perform an IKE negotiation for one or more of the transforms offered to it.
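The nmap command above and the three ike-scan outcomes just listed are both things a defender reviewing scan logs of their own address space wants to interpret consistently. The following Python script is an added example for this article; it is not code from the original post, from nmap, or from ike-scan. It assumes (this is not taken from the page) that ike-scan closes its run with a line containing "N returned handshake; M returned notify" and prints an accepted proposal as "SA=(Key=Value ...)", and that nmap prints the port line as "500/udp <state> isakmp". All sample outputs in the script are constructed.

```python
"""Interpret saved output from the VPN gateway discovery step.

Added example for the article (not nmap's or ike-scan's own code). It reads
the text those two tools print and maps it onto the cases described above,
so a defender can tell from saved logs which hosts actually answer IKE and
whether the accepted proposal relies on a preshared key.

Assumed output formats (not taken from the page): ike-scan ends with
"N returned handshake; M returned notify" and prints "SA=(Key=Value ...)";
nmap prints "500/udp <state> isakmp". Sample outputs below are constructed.
"""
import re
from typing import Dict

# Constructed ike-scan -M output: the target completed a Main Mode handshake.
IKE_SCAN_HANDSHAKE = """\
Starting ike-scan 1.9 with 1 hosts
192.0.2.10\tMain Mode Handshake returned
\tHDR=(CKY-R=0123456789abcdef)
\tSA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

Ending ike-scan 1.9: 1 hosts scanned in 0.060 seconds (16.67 hosts/sec).  1 returned handshake; 0 returned notify
"""

# Constructed ike-scan output: a gateway answered but rejected every transform offered.
IKE_SCAN_NOTIFY = """\
Starting ike-scan 1.9 with 1 hosts
192.0.2.20\tNotify message 14 (NO-PROPOSAL-CHOSEN)

Ending ike-scan 1.9: 1 hosts scanned in 0.060 seconds (16.67 hosts/sec).  0 returned handshake; 1 returned notify
"""

# Constructed ike-scan output: nothing answered.
IKE_SCAN_SILENT = """\
Starting ike-scan 1.9 with 1 hosts

Ending ike-scan 1.9: 1 hosts scanned in 2.430 seconds (0.41 hosts/sec).  0 returned handshake; 0 returned notify
"""

# Constructed nmap -sU -Pn -p 500 output, with and without a UDP reply.
NMAP_OPEN = "PORT    STATE SERVICE\n500/udp open  isakmp\n"
NMAP_OPEN_FILTERED = "PORT    STATE         SERVICE\n500/udp open|filtered isakmp\n"

SUMMARY_RE = re.compile(r"(\d+) returned handshake; (\d+) returned notify")
SA_RE = re.compile(r"SA=\(([^)]*)\)")
NMAP_500_RE = re.compile(r"^500/udp\s+(\S+)", re.MULTILINE)


def classify_ike_scan(output: str) -> str:
    """Map ike-scan's closing summary onto the three outcomes in the article."""
    match = SUMMARY_RE.search(output)
    if match is None:
        return "unparsed"  # no summary line: run cut short or a different format
    handshake, notify = int(match.group(1)), int(match.group(2))
    if handshake > 0:
        return "ipsec-gateway"  # IKE negotiation completed for an offered transform
    if notify > 0:
        return "gateway-no-acceptable-transform"  # gateway present, rejected every proposal
    return "not-ipsec-gateway"


def parse_sa(output: str) -> Dict[str, str]:
    """Return the Key=Value attributes of the first SA payload, or {} if none."""
    match = SA_RE.search(output)
    if match is None:
        return {}
    return dict(item.split("=", 1) for item in match.group(1).split())


def psk_authentication_offered(output: str) -> bool:
    """True when the accepted proposal authenticates with a preshared key,
    the configuration the article singles out as the most exposed one."""
    return parse_sa(output).get("Auth") == "PSK"


def classify_nmap_udp500(output: str) -> str:
    """Interpret nmap's UDP port state for 500/udp.

    nmap reports open|filtered when it receives no reply at all, which is
    why the article says nmap alone does not locate every gateway.
    """
    match = NMAP_500_RE.search(output)
    if match is None:
        return "unparsed"
    state = match.group(1)
    if state == "open":
        return "responded"  # a reply came back, so something listens on 500/udp
    if state == "open|filtered":
        return "inconclusive"  # silence: confirm with ike-scan
    return "closed-or-filtered"  # ICMP unreachable or probe dropped


if __name__ == "__main__":
    for name, sample in [("handshake", IKE_SCAN_HANDSHAKE), ("notify", IKE_SCAN_NOTIFY), ("silent", IKE_SCAN_SILENT)]:
        print(name, "->", classify_ike_scan(sample), "| PSK:", psk_authentication_offered(sample))
    print("nmap open ->", classify_nmap_udp500(NMAP_OPEN))
    print("nmap open|filtered ->", classify_nmap_udp500(NMAP_OPEN_FILTERED))
```

Feeding real logs through the same functions lets the nmap result and the ike-scan summary be compared side by side: an open|filtered port with a completed IKE handshake is a live gateway that nmap alone would have missed, and an SA payload with Auth=PSK is the configuration to review first.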

