IPsec
==Alleged NSA interference==

In 2013, as part of the [[Global surveillance disclosures (2013–present)|Snowden leaks]], it was revealed that the US [[National Security Agency]] had been actively working to "Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets" as part of the [[Bullrun (code name)|Bullrun]] program.<ref>{{cite news|url=https://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html|newspaper=New York Times|title=Secret Documents Reveal N.S.A. Campaign Against Encryption}}</ref> There are allegations that IPsec was a targeted encryption system.<ref name="gilmore_bullrun">{{cite web|url=http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html|title=Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"|author=John Gilmore}}</ref>

The OpenBSD IPsec stack came later on and also was widely copied. In a letter which [[OpenBSD]] lead developer [[Theo de Raadt]] received on 11 Dec 2010 from Gregory Perry, it is alleged that Jason Wright and others, working for the FBI, inserted "a number of [[Backdoor (computing)|backdoor]]s and [[side channel]] key leaking mechanisms" into the OpenBSD crypto code. In the forwarded email from 2010, Theo de Raadt did not at first express an official position on the validity of the claims, apart from the implicit endorsement from forwarding the email.<ref>{{cite web|url=http://marc.info/?l=openbsd-tech&m=129236621626462&w=2|title=Allegations regarding OpenBSD IPSEC|author=Theo de Raadt}}</ref> Jason Wright's response to the allegations: "Every urban legend is made more real by the inclusion of real names, dates, and times. Gregory Perry's email falls into this category. ... I will state clearly that I did not add backdoors to the OpenBSD operating system or the [[OpenBSD Cryptographic Framework]] (OCF)."<ref>{{cite web|url=http://marc.info/?l=openbsd-tech&m=129244045916861&w=2|title=Allegations regarding OpenBSD IPSEC|author=Jason Wright}}</ref> Some days later, de Raadt commented that "I believe that NETSEC was probably contracted to write backdoors as alleged. ... If those were written, I don't believe they made it into our tree."<ref>{{cite web|url=https://lwn.net/Articles/420858/|title=Update on the OpenBSD IPSEC backdoor allegation|author=Theo de Raadt}}</ref> This was published before the Snowden leaks.

An alternative explanation put forward by the authors of the [[Logjam (computer security)|Logjam attack]] suggests that the NSA compromised IPsec VPNs by undermining the [[Diffie-Hellman]] algorithm used in the key exchange. In their paper,<ref name="weakdh">{{Cite book|chapter-url=https://doi.org/10.1145/2810103.2813707|doi=10.1145/2810103.2813707|chapter=Imperfect Forward Secrecy|title=Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security|year=2015|last1=Adrian|first1=David|last2=Bhargavan|first2=Karthikeyan|last3=Durumeric|first3=Zakir|last4=Gaudry|first4=Pierrick|last5=Green|first5=Matthew|last6=Halderman|first6=J. Alex|last7=Heninger|first7=Nadia|last8=Springall|first8=Drew|last9=Thomé|first9=Emmanuel|last10=Valenta|first10=Luke|last11=Vandersloot|first11=Benjamin|last12=Wustrow|first12=Eric|last13=Zanella-Béguelin|first13=Santiago|last14=Zimmermann|first14=Paul|pages=5–17|isbn=9781450338325|s2cid=347988}}</ref> they allege the NSA specially built a computing cluster to precompute multiplicative subgroups for specific primes and generators, such as for the second Oakley group defined in RFC 2409. As of May 2015, 90% of addressable IPsec VPNs supported the second Oakley group as part of IKE. If an organization were to precompute this group, they could derive the keys being exchanged and decrypt traffic without inserting any software backdoors.

A second alternative explanation that was put forward was that the [[Equation Group]] used [[Zero-day (computing)|zero-day exploits]] against several manufacturers' VPN equipment which were validated by [[Kaspersky Lab]] as being tied to the Equation Group<ref>{{Cite news | url = https://arstechnica.com/security/2016/08/code-dumped-online-came-from-omnipotent-nsa-tied-hacking-group/ | title = Confirmed: hacking tool leak came from "omnipotent" NSA-tied group | first = Dan | last = Goodin | date = August 16, 2016 | access-date = August 19, 2016 | newspaper = Ars Technica}}</ref> and validated by those manufacturers as being real exploits, some of which were zero-day exploits at the time of their exposure.<ref>{{Cite news | url = https://www.theregister.co.uk/2016/08/17/cisco_two_shadow_brokers_vulnerabilities_real/ | first = Iain | last = Thomson | title = Cisco confirms two of the Shadow Brokers' 'NSA' vulns are real | date = August 17, 2016 | access-date = September 16, 2016 | newspaper = [[The Register]]}}</ref><ref>{{Cite news | title = Equation Group exploit hits newer Cisco ASA, Juniper Netscreen | url = https://www.theregister.co.uk/2016/08/24/equation_group_exploit_expanded_to_target_cisco_924_asa_boxes/ | first = Darren | last = Pauli | date = August 24, 2016 | access-date=September 16, 2016 | newspaper = [[The Register]]}}</ref><ref>{{Cite news | url = https://www.theregister.co.uk/2016/08/18/fortinet_follows_cisco_in_confirming_shadow_broker_vuln/ | title = Fortinet follows Cisco in confirming Shadow Broker vuln | first = Richard | last = Chirgwin | newspaper = [[The Register]] | date = August 18, 2016 | access-date = September 16, 2016}}</ref> The [[Cisco PIX#Security vulnerabilities|Cisco PIX and ASA]] firewalls had vulnerabilities that were used for wiretapping by the NSA{{citation needed|date=April 2020}}.

Furthermore, IPsec VPNs using "Aggressive Mode" settings send a hash of the PSK in the clear. This can be and apparently is targeted by the NSA using offline [[dictionary attack]]s.<ref name="weakdh"/><ref>{{Cite web|url=https://crypto.stackexchange.com/questions/27404/what-are-the-problems-of-ikev1-aggressive-mode-compared-to-ikev1-main-mode-or-i|title=key exchange - What are the problems of IKEv1 aggressive mode (compared to IKEv1 main mode or IKEv2)?|website=Cryptography Stack Exchange}}</ref><ref>{{Cite web|url=https://nohats.ca/wordpress/blog/2014/12/29/dont-stop-using-ipsec-just-yet/|title=Don't stop using IPsec just yet|author=|website=No Hats|date=December 29, 2014}}</ref>
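
The two configuration weaknesses described above (IKE proposals that offer the second Oakley group, and Aggressive Mode combined with a PSK) can be checked for in a VPN configuration. The following is an added example, not part of the article or of any IPsec project: it assumes a strongSwan-style <code>ipsec.conf</code> using the <code>ike</code>, <code>aggressive</code> and <code>authby</code> keywords, inspects only explicitly configured proposals, and runs on a constructed sample configuration.

```python
import re

# modp1024 is the second Oakley group of RFC 2409; modp768 is the first.
WEAK_DH = {"modp768", "modp1024"}

def parse_conns(text):
    """Return {conn_name: {keyword: value}} for every 'conn' section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        header = re.match(r"conn\s+(\S+)", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif line and not line[0].isspace():
            current = None                        # e.g. 'config setup'
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().lower()
    return conns

def audit(text):
    """Return (conn, finding) pairs; 'conn %default' values are inherited."""
    conns, findings = parse_conns(text), []
    defaults = conns.pop("%default", {})
    for name in sorted(conns):
        eff = {**defaults, **conns[name]}
        proposals = eff.get("ike", "").rstrip("!").split(",")
        weak = {t for p in proposals for t in p.strip().split("-") if t in WEAK_DH}
        findings += [(name, "weak-dh:" + t) for t in sorted(weak)]
        # Aggressive mode exposes a PSK-derived hash to offline guessing.
        if eff.get("aggressive") == "yes" and eff.get("authby") in ("psk", "secret"):
            findings.append((name, "aggressive-psk"))
    return findings

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = """
config setup
conn %default
    keyexchange = ikev1
    authby = secret
conn branch-legacy
    ike = aes128-sha1-modp1024,3des-sha1-modp1024
    aggressive = yes
conn branch-new
    ike = aes256gcm16-prfsha384-ecp384!
    authby = pubkey
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
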