Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


Hi, I am seeking help with connecting to an IPsec VPN.
My VPN was working until I upgraded my MacBook to High Sierra 10.13.14.
Now when I try to VPN I get this error: "An unexpected error occurred, Try reconnecting if the problem continues verify the setting and contact your administrator".
I checked the ppp.log and the last date was May 8th with an error: IPSec connection failed <IKE Error 65535 (0xFFFF) Unknown error>

Nothing really is showing up in system.log when I try to connect to the VPN.

I have other MacBooks in my environment and they can connect via VPN. I reset the PRAM and tried testing in verbose mode but still got the same result.

Any help would be gratefully appreciated.

I have a Fortigate 80D firewall, with FortiOS version 6.2.0, recently upgraded. User remote access was configured using IPsec VPN and handled by FortiClient. In previous versions it was working without any problem. But now users can connect, but can no longer access network resources.
The only thing that was performed was enabling IPv4 Split Tunnel.
I wonder what I can do to re-establish a correct connection using FortiClient.
Thanks for your help.
I have a simple setup... I have enabled the draytek L2TP with IPsec VPN which works fine.

I have a server on site which I access using \\IP-MAINSERVER
The issue is that when I am off site and I VPN in, I can't access the server using \\IP-MAINSERVER; I have to use the IP address.

Why is this?
I would like to know your opinion on the following questions:
1) What are the cons of the CVSS Scoring System, compared to many other systems?
2) Where did you hit limits while working with the CVSS Scoring System?
3) What must be considered in which scenarios?

Thanks a lot for your feedback.
Hi Guys,

We have recently set up a 3-way VPN: one HQ and 2 branches. 2 sites are configured with NBN and Fibre 400. One site is on ADSL2+. The IPsec VPN between the NBN site and the Fibre 400 site is working fine. But the ADSL2+ site is showing that the VPN is configured and online, but it is not able to ping any IP either way. Any idea why?


At a client, they have a Cisco ISR with a VPN tunnel to a business partner. What I'm wondering is why they might have two peers in sequence number 10 and one peer (which also appears in sequence 10) in the second sequence number. The original setter-upper is long gone. Is SEQ 10 saying try to connect to but if you can't, connect to If that's the case, why would there be a need for a SEQ 20 which then again references Any thoughts on what the original intent was are appreciated. I would think you'd just want one peer in sequence 10 and then one peer in sequence 20?

crypto map ACMEDYNO 10 ipsec-isakmp
 set peer
 set peer
 set transform-set ACMEDYNO
 set pfs group2
 match address CRYPTO-ACMEDYNO-LA
crypto map ACMEDYNO 20 ipsec-isakmp
 set peer
 set transform-set ACMEDYNO
 set pfs group2
 match address CRYPTO-ACMEDYNO-DL


I have 2 Cisco routers which I am having problems VPNing between.

RV340W, firmware
IPSec Profiles
keying mode auto
ike version 1

Phase 1
DH Group 2 - 1024 bit
Encryption 3DES
Auth SHA1
SA lifetime 28800

Phase 2
Protocol Selection ESP
Encryption 3DES
Auth SHA1
SA Lifetime 28800
PFS enabled
DH Group 2 - 1024 bit

Site to Site
IPSec Profile - points to above settings
int WAN1
Remote endpoint Static IP
remote IP entered

Remote IKE Auth Method
Pre-shared key, complexity disabled, 14 digit key entered

Local Group Setup
Local Identifier type - Local WAN IP
Local ID - Local IP Address
Local IP Type - Subnet
IP address - *.*.*.0 (local subnet)
Subnet mask -

Remote Group Setup
Remote ID Type - Remote WAN IP
Remote ID - remote IP address
Remote IP Type - subnet
IP Address - *.*.*.0 (remote subnet IP)
subnet mask

2nd router

Cisco RV180W

IKE Policy
Direction/type - both
exchange mode - main

ID Type - Local WAN IP

ID Type - Remote WAN IP

IKE SA Parameters
Encryption algorithm 3DES
Auth Algorithm SHA1
Auth method  Pre Shared key
Pre shared key entered
DH Group 2 1024 bit
SA Lifetime 28800
Dead Peer Detection enabled
det period 10
reconnect after 3

Extended auth

VPN Policy

Policy type - auto
remote endpoint - ip address
remote ip entered
NetBIOS enabled

Local Traffic selection
local ip subnet
start address - …
In an environment in which two Smoothwalls are deployed, they are connected through an IPSec tunnel and all ports are open. One separate Windows domain is deployed behind each Smoothwall, for a total of 2 domains. A domain trust has been established between the two domains and they say they are functioning fine, but users can't log into their AD accounts if they are behind the Smoothwall of the second domain. The functional level is Windows Server 2003, it says, and these are Windows Server 2008 R2 domain controllers. Does this trust need to be re-established and the functional level raised?
Relationship between OWIN and OATH?

How do they relate?

Token Based Authentication and the .NET Stack

What can you tell me about the built-in capabilities of the .NET stack to use Token Based Authentication, and also about Token Based Authentication in general?

After upgrading the ASA5520 (main office) and ASA5505 (remote office) from 8.2 to 8.4 (and attempting to re-learn NAT), the site-to-site VPN is no longer passing traffic. The IPSec tunnel is up. I'm fairly sure it has something to do with the changes between 8.2 and 8.4, but not sure what. The main office is on its own dedicated fiber DIA and the remote office is on a cable modem (bridged) with a static IP.

Here is a parsed config showing the relevant bits from the remote office side:

ASA Version 8.4(3) 
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp setroute 
interface Vlan10
 nameif inside
 security-level 100
 ip address 
object network NAT-Inside
object network Main-Office
object network Remote-Office
access-list outside_cryptomap extended permit ip object Remote-Office object Main-Office 
nat (inside,outside) source static Remote-Office Remote-Office destination static Main-Office Main-Office no-proxy-arp route-lookup
object network NAT-Inside
 nat (inside,outside) dynamic interface
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 


Has anyone used ColorTokens?
What do they do exactly, and what do they do for data center and endpoint security?
Updating my domain (on GoDaddy) to NOT point to my site

I guess I have two options, point it to a broken IP address, at which point GoDaddy will display a "URL not found" type of error.

Another is to point at their default "Coming Soon" website.

I think I prefer the broken URL option.

How do I make my domain point to nothing?

Digital certificates have been a mystery to me. I am starting to understand them better with more exposure to them, but...

 I want to understand how I can associate w Domain name for my work's Wireless Controller ( with the new Wireless controller?  Right now my manager uploaded something to the Wireless controller so I can type and arrive to the Wireless controller's administrator web page.

The same wireless controller provides a captive portal for Guest WiFi.  The Guest WiFi web portal currently shows https://Controller_IP_Address/cgi...welcome?  I would like to have the Domain_Name = Wlan/    show up in the web address instead of the Controller's IP address.

How can we make this happen? I think we have a digital certificate, but I think it is something that we created at the company.
Example of Web Tokens

I am sure I have worked with these, but please give an overview.

Also, it would be great if you could include a .NET perspective.

Can Fortinet firewalls (50D) be set up to monitor an IPsec VPN connection and switch to another if one is down?
Using ADFS 3.0 additional authentication rules, would it be possible to create a rule that would do the following?

If OS = Android
And = IP address range is like 192.168.x.x as an example
Force Forms Authentication

If a device does not match this rule, it would proceed with the normal Windows Integrated Authentication.
Is there a proper way to establish connectivity between remote offices that are connected by VPN (SonicWall SOHO) to the main branch that is using a SonicWall NSA 2400? Each remote office has connectivity to the main branch, but I need each remote office to have connectivity with each other remote office via VPN.
I have about two dozen remote sites that I need to create VPN tunnels to. I have a Checkpoint FW cluster here. The 23 remote sites have either Cisco, Forcepoint, Palo Alto or Juniper firewalls. Using IPSEC, I need a good plan for setting up individual tunnels to these disparate sites. I have a general understanding of IPSEC but not the specifics for configuring each firewall.

Can you point me to good literature, or links, or video media that helps me lay out a plan for gathering all the information needed for/from each customer to roll out these VPNs?

WordPress site getting SPAMMED, not sure how to stop it.

My website,

has a Download button, and when you fill in your name and email, then click the button, you get an email with the URL to my book's Preface and Chapter 1. Also, I get an email in my "info@" inbox with the name and email of the person requesting the download.

I am getting spammed there, by some sort of robot, and do not know how to stop it.

This started yesterday morning and continued every few minutes, non-stop. I even added a CAPTCHA requirement this morning, but that had no impact.

How do I stop this SPAM?

How does password reset work in international locations with MFA? Here in the US I can input a phone number in the AD Mobile field, for example +1-415-111-1111.
Then it sends a code to the phone and you confirm. Would it work with international locations? Example: China +86-180-1111-1111
How can I find the imo and botim server block so I can block it on my firewall?
I have multiple sites on my internal network, all connected with IPSec tunnels. Each site has a Windows domain controller. In addition to the domain controller, each site also has a NAS which serves as a file server. My issue is this. I want to publish a specific DNS name within one of the internal zones, and assign each site a version of this name that points to the local NAS device. I have all the IP information defined in Sites and Services. When I have the DNS name something like I want the systems to return the IP of the local device. What I'm seeing from corporate is that when I reference the device, I'm getting random responses from across all of the offices.
Is there a way to make DNS prefer IPs on the site I sit on instead of round-robin looking through the list of available servers?
Hi guys

As part of the last question I asked about firewall rules, I am looking at our firewall right now and monitoring the traffic. I'm looking at the traffic between VPN connections from our stores to a main server. These stores are all using the same application to communicate with the server. However, I'm looking at the server and it is receiving connections from our various stores, but every single store is communicating via a different port. So one store will be coming through port 4274; the other one will send it via port 4288. My point is, are applications specifically written in this way to prevent security breaches from happening by constantly randomising their port sequences so that they can't be 'guessed' by a malicious attacker?

And if that is the case, surely going back to the answers being given previously, this does warrant the ability for the 'ANY' ports to be open from site A to site B via VPN.

Thank you
I have a WatchGuard M270. The customer has a hosted server they connect to via IPsec. What policy could I enable to allow the IPsec VPN outbound?
