L2TP/IPSEC question


Posted on Thu May 29, 2014 6:07 pm

Just got started in VPN, and messing around with L2TP since it's widely supported. In PSK mode, all parties authenticate via a shared secret key. What would prevent a man in the middle attack by spoofing the VPN gateway if the spoofer also has an account on the gateway? And how much damage could be done if the PSK was leaked?
seeker010
Gerbil First Class
 
Posts: 123
Joined: Sat Oct 19, 2002 8:52 am

Re: L2TP/IPSEC question

Posted on Thu May 29, 2014 6:18 pm

seeker010 wrote: Just got started in VPN, and messing around with L2TP since it's widely supported. In PSK mode, all parties authenticate via a shared secret key. What would prevent a man in the middle attack by spoofing the VPN gateway if the spoofer also has an account on the gateway? And how much damage could be done if the PSK was leaked?



If your PSK is leaked, you need to change it STAT.

As far as man in the middle attacks, are you talking about someone spoofing the gateway via the gateway, or like a switch in between you and the gateway?
Hz so good
Gerbil Elite
 
Posts: 601
Joined: Wed Dec 04, 2013 5:08 pm

Re: L2TP/IPSEC question

Posted on Thu May 29, 2014 7:43 pm

I'm talking about this man in the middle attack

me l2tp/ipsec encrypt -> decrypt spoofer re-encrypt -> decrypt vpn gateway
seeker010
Gerbil First Class
 
Posts: 123
Joined: Sat Oct 19, 2002 8:52 am

Re: L2TP/IPSEC question

Posted on Thu May 29, 2014 7:56 pm

seeker010 wrote: I'm talking about this man in the middle attack

me l2tp/ipsec encrypt -> decrypt spoofer re-encrypt -> decrypt vpn gateway



Oh, OK. Like somebody poisoned the ARP cache, or they overloaded the CAM and the switch started acting like a hub, letting the bad guy packet capture to his heart's content?

In theory, as long as the PSK was never transmitted in cleartext, it would be resistant to that type of attack. In theory.
Hz so good
Gerbil Elite
 
Posts: 601
Joined: Wed Dec 04, 2013 5:08 pm

Re: L2TP/IPSEC question

Posted on Thu May 29, 2014 7:59 pm

seeker010 wrote: I'm talking about this man in the middle attack

me l2tp/ipsec encrypt -> decrypt spoofer re-encrypt -> decrypt vpn gateway



Speaking of gateways, which model are we talking about here? Different appliances can have different options. Juniper, Cisco, RouterOS?
Hz so good
Gerbil Elite
 
Posts: 601
Joined: Wed Dec 04, 2013 5:08 pm

Re: L2TP/IPSEC question

Posted on Thu May 29, 2014 8:14 pm

Geez, sorry about the triple post, but how do you authenticate to the VPN gateway? Certificate? Login via a RADIUS or TACACS+ server?
Hz so good
Gerbil Elite
 
Posts: 601
Joined: Wed Dec 04, 2013 5:08 pm

Re: L2TP/IPSEC question

Posted on Thu May 29, 2014 8:33 pm

I'm doing this real high end. I'm trying out different VPN options on my Windows 2012 box, but using SSTP for my RT tablet, so authenticating via Windows login and MS-CHAP v2, I assume. Was trying to connect an iPad so had to set up L2TP PSK. Reminded me of some VPN providers that provide L2TP/IPSEC with a known shared PSK so wanted to ask.

So if the PSK is known, someone who can authenticate on the VPN gateway could theoretically hijack the packets and decrypt/re-encrypt.
seeker010
Gerbil First Class
 
Posts: 123
Joined: Sat Oct 19, 2002 8:52 am

Re: L2TP/IPSEC question

Posted on Thu May 29, 2014 8:40 pm

MS-CHAP is not secure and should not be used without EAP-TLS or PEAP.

https://www.cloudcracker.com/blog/2012/ ... s-chap-v2/

Edit: And yes, PSK as a method in IPsec is no different a concept than PSK in WPA. If you know the PSK then you have the keys to begin the process to engage in an eavesdropping attack. Intercepting the PSK would also allow for a brute force attack to reveal the PSK (just like WPA).

http://graland-security.blogspot.com/20 ... e-can.html
"Welcome back my friends to the show that never ends. We're so glad you could attend. Come inside! Come inside!"
Ryu Connor
Global Moderator
Gold subscriber
 
 
Posts: 3543
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
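
What a PSK client actually verifies about the gateway, modelled with the RFC 2409 formulas for pre-shared-key authentication. This is an added example, not code from the thread; HMAC-SHA1 as the prf, random bytes standing in for Diffie-Hellman values, and the names `Responder`, `initiator_accepts` and `vpn.example.test` are assumptions.

```python
import hashlib
import hmac
import os


def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1 uses the negotiated hash in HMAC mode as its prf (HMAC-SHA1 assumed).
    return hmac.new(key, data, hashlib.sha1).digest()


class Responder:
    """Whoever answers as the gateway. Random bytes stand in for DH values."""

    def __init__(self, psk: bytes, claimed_id: bytes = b"vpn.example.test"):
        self.psk, self.id_r = psk, claimed_id
        self.nr, self.g_xr, self.cky_r = os.urandom(16), os.urandom(128), os.urandom(8)

    def hash_r(self, ni, g_xi, cky_i, sa_i) -> bytes:
        skeyid = prf(self.psk, ni + self.nr)  # SKEYID = prf(PSK, Ni_b | Nr_b)
        return prf(skeyid, self.g_xr + g_xi + self.cky_r + cky_i + sa_i + self.id_r)


def initiator_accepts(psk: bytes, peer: Responder) -> bool:
    """Client side: recompute HASH_R from its own PSK and compare."""
    ni, g_xi, cky_i = os.urandom(16), os.urandom(128), os.urandom(8)
    sa_i = b"constructed SA payload"
    received = peer.hash_r(ni, g_xi, cky_i, sa_i)
    skeyid = prf(psk, ni + peer.nr)
    expected = prf(skeyid, peer.g_xr + g_xi + peer.cky_r + cky_i + sa_i + peer.id_r)
    return hmac.compare_digest(expected, received)


def compare_psk_models() -> dict:
    group = b"constructed-group-psk"             # one secret handed to every account
    alice, bob = os.urandom(32), os.urandom(32)  # per-client secrets
    return {
        "group PSK, real gateway": initiator_accepts(group, Responder(group)),
        "group PSK, another account holder": initiator_accepts(group, Responder(group)),
        "per-client PSK, real gateway": initiator_accepts(alice, Responder(alice)),
        "per-client PSK, another account holder": initiator_accepts(alice, Responder(bob)),
    }


if __name__ == "__main__":
    for case, accepted in compare_psk_models().items():
        print(f"{case}: HASH_R accepted = {accepted}")
```

The check proves only that the peer knows the PSK, so with a group secret the client cannot tell the gateway from any other holder; a per-client secret or a gateway certificate makes the responder's credential unique.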

Re: L2TP/IPSEC question

Posted on Thu May 29, 2014 8:46 pm

seeker010 wrote: I'm doing this real high end. I'm trying out different VPN options on my Windows 2012 box, but using SSTP for my RT tablet, so authenticating via Windows login and MS-CHAP v2, I assume. Was trying to connect an iPad so had to set up L2TP PSK. Reminded me of some VPN providers that provide L2TP/IPSEC with a known shared PSK so wanted to ask.

So if the PSK is known, someone who can authenticate on the VPN gateway could theoretically hijack the packets and decrypt/re-encrypt.



L2TP/IPSEC VPNs tend to be resistant to MITM attacks, since data-origination and data integrity are part of the spec. With that said, you really SHOULDN'T use PSK. It's just a risk. The question is whether it's an acceptable risk to you. Sometimes ease of use can trump security measures.
Hz so good
Gerbil Elite
 
Posts: 601
Joined: Wed Dec 04, 2013 5:08 pm

Re: L2TP/IPSEC question

Posted on Thu May 29, 2014 9:04 pm

I set up an OpenVPN on my router[0] last week so I could have a secure connection over public wireless for a trip. Worked really well once I understood how to set the clients and servers up properly & got the filesets copied to each client. It's higher-level than IPSec, being TLS-based, but it's reasonably easy to authenticate with just a set of certificates & keys or with those and a password, no PSK needed[1], and there are free-as-in-beer clients for many platforms.

It was a pain to set up, though, or rather to find a guide that made sense... also needed to download the easy-rsa package and OpenSSL separately (for cert/key generation) since OpenVPN no longer includes them.

[0] It runs Shibby's mod of Tomato Firmware.

[1] unless you want to set up extra HMAC authorization, which basically signs each packet with a PSK on top of the TLS authentication. You probably want to; enabling that blocks Heartbleed, for instance, because any client without that PSK is immediately ignored.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3168
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA
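
The per-packet HMAC check described in footnote [1] of the post above, as a simplified model. This is an added example, not OpenVPN's code or wire format; the packet layout (tag, 8-byte packet id, payload), HMAC-SHA256, the strictly increasing packet id and the names `seal` and `HmacGate` are assumptions.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size
ID_LEN = 8    # packet id, big-endian unsigned 64-bit


def seal(key: bytes, packet_id: int, payload: bytes) -> bytes:
    """Sender side: prepend an HMAC over packet id and payload."""
    body = struct.pack("!Q", packet_id) + payload
    return hmac.new(key, body, hashlib.sha256).digest() + body


class HmacGate:
    """Checks the shared-key HMAC before any byte reaches the TLS code."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest_id = 0     # simplified replay check, not a sliding window
        self.reached_tls = []   # payloads the TLS layer would get to parse

    def receive(self, datagram: bytes) -> str:
        if len(datagram) < TAG_LEN + ID_LEN:
            return "drop: too short"
        tag, body = datagram[:TAG_LEN], datagram[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "drop: bad HMAC"
        (packet_id,) = struct.unpack("!Q", body[:ID_LEN])
        if packet_id <= self.highest_id:
            return "drop: replay"
        self.highest_id = packet_id
        self.reached_tls.append(body[ID_LEN:])
        return "pass to TLS"


def run_gate_demo():
    key = os.urandom(32)
    gate = HmacGate(key)
    hello = seal(key, 1, b"constructed ClientHello")               # holds the key
    stranger = seal(os.urandom(32), 2, b"constructed handshake")   # does not
    verdicts = [gate.receive(p) for p in (hello, stranger, hello, b"\x00" * 10)]
    return verdicts, gate.reached_tls


if __name__ == "__main__":
    print(run_gate_demo())
```

Only the first datagram is handed to the TLS layer, so a flaw in TLS parsing is not reachable by a sender who lacks the HMAC key.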

Re: L2TP/IPSEC question

Posted on Thu May 29, 2014 9:38 pm

bthylafh wrote: I set up an OpenVPN on my router[0] last week so I could have a secure connection over public wireless for a trip. Worked really well once I understood how to set the clients and servers up properly & got the filesets copied to each client. It's higher-level than IPSec, being TLS-based, but it's reasonably easy to authenticate with just a set of certificates & keys or with those and a password, no PSK needed[1], and there are free-as-in-beer clients for many platforms.

It was a pain to set up, though, or rather to find a guide that made sense... also needed to download the easy-rsa package and OpenSSL separately (for cert/key generation) since OpenVPN no longer includes them.

[0] It runs Shibby's mod of Tomato Firmware.

[1] unless you want to set up extra HMAC authorization, which basically signs each packet with a PSK on top of the TLS authentication. You probably want to; enabling that blocks Heartbleed, for instance, because any client without that PSK is immediately ignored.


Features like that are awesome. I love port authorization, ip source guard, et al. "You ain't on the list, pal. *CLICK*"
Hz so good
Gerbil Elite
 
Posts: 601
Joined: Wed Dec 04, 2013 5:08 pm

