This session will detail a methodology by which security professionals may independently examine the security of a VPN. We will cover basic concepts of key exchange and management, leading into a description of good and bad ways by which the two ends of a VPN connection arrive at the necessary shared secret. We will discuss common mistakes such as improper random seeding or key exchange, and step through a checklist of items to verify. Finally, we will apply this methodology before the audience by testing a running VPN system, and demonstrate two vulnerabilities that exist.