Academic network security project developed for the Network and Cloud Security course at Politecnico di Torino.
The project studies common misconfigurations in site-to-site IPsec VPNs using reproducible GNS3 laboratory scenarios. It compares two authentication models, pre-shared key authentication and PKI-based authentication with X.509 certificates, and analyzes how configuration mistakes affect IKE negotiation, IPsec security associations, data-plane behavior, and overall security posture.
The goal is not only to identify broken VPN configurations, but also to understand whether a tunnel fails completely, stays up with weak security parameters, or appears operational while traffic is silently blocked.
- Final technical report: docs/IPsec_VPN_Misconfiguration_Lab_Report.pdf
- Project presentation: presentation/Network_and_Cloud_Security_Presentation.pptx
- GNS3 project files: gns3-projects/
- LaTeX report sources: report/
- Publication notes: PUBLICATION_NOTES.md
The lab covers:
- site-to-site IPsec VPN fundamentals;
- IKEv1 Phase 1 and Phase 2 negotiation;
- PSK-based authentication;
- PKI and X.509 certificate-based authentication;
- weak cipher and weak hash configurations;
- insufficient Diffie-Hellman group strength;
- legacy policy preference and downgrade-like behavior;
- tunnel traffic filtering after decryption;
- peer IP address mistyping;
- PSK mismatch;
- wildcard PSK configuration;
- expired certificate handling;
- disabled certificate revocation checks;
- troubleshooting with Cisco-style CLI outputs and Wireshark packet traces;
- remediation steps for each injected misconfiguration.
Each misconfiguration follows a consistent lab workflow:
- build or start from a known-good baseline;
- inject a specific configuration error;
- observe abnormal behavior in IKE, IPsec, or data-plane traffic;
- identify the root cause using device CLI and packet traces;
- apply a targeted fix;
- verify that the VPN returns to the expected secure state.
| Category | Scenario | Main impact |
|---|---|---|
| Common IPsec/IKE | Weak cipher DES | Tunnel works but confidentiality is weakened |
| Common IPsec/IKE | Weak hash MD5 | Tunnel works but integrity protection is weakened |
| Common IPsec/IKE | Diffie-Hellman group 1 | Tunnel works but key exchange strength is inadequate |
| Common IPsec/IKE | Legacy policy preference | Peers negotiate older or weaker security parameters |
| Network filtering | Tunnel traffic filtering | Control plane appears healthy but user traffic fails |
| Configuration error | Peer IP mistyping | IKE negotiation fails and IPsec SAs are not created |
| PSK-specific | PSK mismatch | Authentication fails and the tunnel does not establish |
| PSK-specific | Any-peer wildcard PSK | Peer identity binding is weakened |
| PKI-specific | Certificate expiry | Certificate validation fails and the tunnel cannot complete |
| PKI-specific | Disabled revocation check | A revoked certificate may still authenticate successfully |
.
|-- README.md
|-- PUBLICATION_NOTES.md
|-- docs/
| |-- IPsec_VPN_Misconfiguration_Lab_Report.pdf
|-- presentation/
| |-- Network_and_Cloud_Security_Presentation.pptx
|-- gns3-projects/
| |-- sanitized GNS3 project files and topology material
|-- report/
| |-- main.tex
| |-- references.bib
| |-- sections/
| |-- A-appendix-running-configs.tex
| |-- B-appendix-troubleshooting.tex
| |-- C-glossary.tex
|-- .gitignore
|-- .gitattributes
-
docs/IPsec_VPN_Misconfiguration_Lab_Report.pdf
Final technical report documenting the scenarios, findings, packet-level evidence, CLI outputs, risk analysis, and remediation steps. -
presentation/Network_and_Cloud_Security_Presentation.pptx
Project presentation summarizing the VPN misconfiguration scenarios, PSK and PKI comparison, detection logic, remediation steps, and conclusions. -
gns3-projects/
GNS3 project files and topology material used to reproduce the lab scenarios. Runtime images, appliance disks, private keys, and oversized files are intentionally excluded. -
report/
LaTeX source files used to build the report.
The project was developed using:
- GNS3 for network emulation;
- Cisco-style router and VPN gateway configurations;
- IPsec and IKEv1;
- PSK authentication;
- PKI authentication with X.509 certificates;
- Wireshark for packet analysis;
- vendor CLI commands for troubleshooting and verification;
- LaTeX for technical reporting.
This was a two-person academic project.
Authors:
- Alessio Falco, Student ID 339334
- Stefano Falco, Student ID 343739
My contribution focused on the design, analysis, documentation, and validation of site-to-site VPN misconfiguration scenarios, with attention to how each issue appears in configuration state, IKE/IPsec negotiation, packet traces, GNS3 lab behavior, and remediation workflow.
This project demonstrates practical experience in:
- network security;
- site-to-site VPN design and troubleshooting;
- IPsec and IKE analysis;
- PSK and PKI authentication models;
- cryptographic configuration hardening;
- Wireshark-based packet inspection;
- GNS3-based lab reproduction;
- technical documentation;
- security misconfiguration analysis;
- infrastructure security validation.
This repository is intended for educational and professional portfolio purposes.
Any secrets, keys, addresses, or credentials appearing in the project are laboratory-only values used in a simulated environment. They must not be reused in real systems.
The public repository intentionally excludes private key material, VM images, router images, appliance disks, and oversized runtime files.
The project does not target any real organization or production network.
No open-source license has been selected. Reuse, redistribution, or derivative works should be agreed with the project authors.