Skip to content

StefanoFalco/IPsec-VPN-Misconfiguration-Lab

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

IPsec Site-to-Site VPN Misconfiguration Lab

Academic network security project developed for the Network and Cloud Security course at Politecnico di Torino.

The project studies common misconfigurations in site-to-site IPsec VPNs using reproducible GNS3 laboratory scenarios. It compares two authentication models, pre-shared key authentication and PKI-based authentication with X.509 certificates, and analyzes how configuration mistakes affect IKE negotiation, IPsec security associations, data-plane behavior, and overall security posture.

The goal is not only to identify broken VPN configurations, but also to understand whether a tunnel fails completely, stays up with weak security parameters, or appears operational while traffic is silently blocked.

Quick access

  • Final technical report: docs/IPsec_VPN_Misconfiguration_Lab_Report.pdf
  • Project presentation: presentation/Network_and_Cloud_Security_Presentation.pptx
  • GNS3 project files: gns3-projects/
  • LaTeX report sources: report/
  • Publication notes: PUBLICATION_NOTES.md

Project scope

The lab covers:

  • site-to-site IPsec VPN fundamentals;
  • IKEv1 Phase 1 and Phase 2 negotiation;
  • PSK-based authentication;
  • PKI and X.509 certificate-based authentication;
  • weak cipher and weak hash configurations;
  • insufficient Diffie-Hellman group strength;
  • legacy policy preference and downgrade-like behavior;
  • tunnel traffic filtering after decryption;
  • peer IP address mistyping;
  • PSK mismatch;
  • wildcard PSK configuration;
  • expired certificate handling;
  • disabled certificate revocation checks;
  • troubleshooting with Cisco-style CLI outputs and Wireshark packet traces;
  • remediation steps for each injected misconfiguration.

Methodology

Each misconfiguration follows a consistent lab workflow:

  1. build or start from a known-good baseline;
  2. inject a specific configuration error;
  3. observe abnormal behavior in IKE, IPsec, or data-plane traffic;
  4. identify the root cause using device CLI and packet traces;
  5. apply a targeted fix;
  6. verify that the VPN returns to the expected secure state.

Misconfigurations analyzed

Category Scenario Main impact
Common IPsec/IKE Weak cipher DES Tunnel works but confidentiality is weakened
Common IPsec/IKE Weak hash MD5 Tunnel works but integrity protection is weakened
Common IPsec/IKE Diffie-Hellman group 1 Tunnel works but key exchange strength is inadequate
Common IPsec/IKE Legacy policy preference Peers negotiate older or weaker security parameters
Network filtering Tunnel traffic filtering Control plane appears healthy but user traffic fails
Configuration error Peer IP mistyping IKE negotiation fails and IPsec SAs are not created
PSK-specific PSK mismatch Authentication fails and the tunnel does not establish
PSK-specific Any-peer wildcard PSK Peer identity binding is weakened
PKI-specific Certificate expiry Certificate validation fails and the tunnel cannot complete
PKI-specific Disabled revocation check A revoked certificate may still authenticate successfully

Repository structure

.
|-- README.md
|-- PUBLICATION_NOTES.md
|-- docs/
|   |-- IPsec_VPN_Misconfiguration_Lab_Report.pdf
|-- presentation/
|   |-- Network_and_Cloud_Security_Presentation.pptx
|-- gns3-projects/
|   |-- sanitized GNS3 project files and topology material
|-- report/
|   |-- main.tex
|   |-- references.bib
|   |-- sections/
|   |-- A-appendix-running-configs.tex
|   |-- B-appendix-troubleshooting.tex
|   |-- C-glossary.tex
|-- .gitignore
|-- .gitattributes

Main deliverables

  • docs/IPsec_VPN_Misconfiguration_Lab_Report.pdf
    Final technical report documenting the scenarios, findings, packet-level evidence, CLI outputs, risk analysis, and remediation steps.

  • presentation/Network_and_Cloud_Security_Presentation.pptx
    Project presentation summarizing the VPN misconfiguration scenarios, PSK and PKI comparison, detection logic, remediation steps, and conclusions.

  • gns3-projects/
    GNS3 project files and topology material used to reproduce the lab scenarios. Runtime images, appliance disks, private keys, and oversized files are intentionally excluded.

  • report/
    LaTeX source files used to build the report.

Tools and environment

The project was developed using:

  • GNS3 for network emulation;
  • Cisco-style router and VPN gateway configurations;
  • IPsec and IKEv1;
  • PSK authentication;
  • PKI authentication with X.509 certificates;
  • Wireshark for packet analysis;
  • vendor CLI commands for troubleshooting and verification;
  • LaTeX for technical reporting.

My contribution

This was a two-person academic project.

Authors:

  • Alessio Falco, Student ID 339334
  • Stefano Falco, Student ID 343739

My contribution focused on the design, analysis, documentation, and validation of site-to-site VPN misconfiguration scenarios, with attention to how each issue appears in configuration state, IKE/IPsec negotiation, packet traces, GNS3 lab behavior, and remediation workflow.

Skills demonstrated

This project demonstrates practical experience in:

  • network security;
  • site-to-site VPN design and troubleshooting;
  • IPsec and IKE analysis;
  • PSK and PKI authentication models;
  • cryptographic configuration hardening;
  • Wireshark-based packet inspection;
  • GNS3-based lab reproduction;
  • technical documentation;
  • security misconfiguration analysis;
  • infrastructure security validation.

Security and publication note

This repository is intended for educational and professional portfolio purposes.

Any secrets, keys, addresses, or credentials appearing in the project are laboratory-only values used in a simulated environment. They must not be reused in real systems.

The public repository intentionally excludes private key material, VM images, router images, appliance disks, and oversized runtime files.

The project does not target any real organization or production network.

License

No open-source license has been selected. Reuse, redistribution, or derivative works should be agreed with the project authors.

About

GNS3-based IPsec site-to-site VPN misconfiguration lab covering PSK, PKI, IKEv1, weak crypto, wildcard PSKs, certificate lifecycle issues, Wireshark evidence and remediation.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages