Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


We have multiple branches and sites that are connected to the main Data Centre. As of now the WAN is protected (traffic is encrypted via IPsec). Objective: I want to make sure that all traffic, when it leaves the host, is also encrypted. There should be no gap (unencrypted data in motion), whether within the LAN or the WAN.
The concern from the network engineer is that if we implement host-to-host IPsec, it will be a tunnel within a tunnel. It will decrease network performance.
How do we ensure all the traffic is encrypted? Are there any other available solutions?
0
I recently upgraded from a 5505 to a 5508 and, due to the new OS version, part of my configuration no longer works. We deal with a 3rd-party vendor that requires VPN traffic to come from a specific subnet, so I set up a policy NAT to mask our private IP. Here are both configurations. I am certain I missed something. Thoughts?

ASA Version 8.2(1)

access-list inside_nat2_outbound extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list inside_nat2_outbound extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list inside_nat10_outbound extended permit ip any any

global (outside) 2 10.224.166.112
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat2_outbound
nat (inside) 10 access-list inside_nat10_outbound

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer X.X.X.X
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group …
0
This applies to TLS as well as IPsec.

The purpose of the Diffie-Hellman key exchange is to agree on a shared secret without sending it on the wire. I have always believed that every DH session is unique, with random large primes. Is DH using the same numbers every time when connecting to the same peer/device/server?

The reason for my question is that I read that PFS (Perfect Forward Secrecy) is being used on top of DH to make sure that the key is unique for every session.

Why PFS when we have DH? Does not compute. :)
0
I have a load balancer with a public VIP. The partner can only get to the site if they ignore that they perceive the site as unsafe.
I'm fairly certain my cert is valid because other VIPs use it. What are some reasons a client might not trust the cert? Brainstorming question.
0
My issue is that we set some cookies, using JS, with a 1-year expiration, and that particular cookie didn't have the secure flag set. We now want to update the cookies to have the secure flag set. The code that creates the cookies now has the "secure" attribute and all new cookies have the "secure" flag. The issue is: how do I update existing cookies? I'm assuming I have to destroy the cookie and then recreate it with the secure flag set? I don't know if there is any other way to do this. Also, is there a way using JavaScript to detect if the cookie does have the flag set before deleting it?

Thanks!
0
Visited a client site and ran various 'my IP address' sites to determine what external IP address the provider assigned. Noticed that each device returned a different value. For example, their phone and their tablet gave different values where the last segment changed (xxx.xxx.xxx.19 and xxx.xxx.xxx.20), yet when we ran the same check on our device it gave a completely different value in all segments.

We understand that the internet provider assigns the cable modem or location a single dynamic external IP. The location router manages a totally different internal IP range and assigns an address to each device connecting to the wifi or router within the location. Thus the cable modem has one IP address and the devices within the location have different IP addresses.

Why would the "my IP address" website display a different IP address on each device connected to the same wifi?
0
4
My son's computer keeps having internet connection issues.

- Is playing on a Minecraft server / Minecraft client

Sometimes these apps are also open:
- Twitch
- Discord

He is playing on a Minecraft server and begins to experience lag more and more frequently before the crash.
Is there any way to track down the culprit? We could assume that it is not enough RAM and go buy more RAM, and then the problem happens again and we are no better off.

I am looking for a way to gather information that can help tell us what thing(s) is causing the problem(s).

sys info 2systxt.txt
0
I have a main office running OpenVPN on Untangle v9.4 (I know, but they don't want to spend the money to upgrade and reconnect all of the offices) The remote offices are all on different subnets, and I have no problem reaching the main office by IP address or hostname from the remote office computers. From the main office, I am unable to ping or communicate with any of the remote offices. There are no issues with the main office connecting to the internet, but I am unable to communicate with the connected networks. The OpenVPN connectivity at each office is using a Ubiquiti Edgerouter-X with the config file imported and I use my laptop to support the various offices via a software client OpenVPN connection. When I connect to the OpenVPN server at the main office using my laptop, I am able to ping, use RDP, whatever, I can even use NSLOOKUP from the DC in the main office as the server and get the IP Addresses for the systems in the remote offices. Trying to run a tracert from the cli on the DC server in the main office gives me a first hop that is the LAN address of the Untangle box, but times out on every other hop. This looks like a route issue to me, but I haven't been able to add a static route in any form that allows me to communicate with the remote networks. Help!
0
Hello,

Our messaging system shows a few unusual user logins from Ikorodu, Lagos in Nigeria.

Is there any good website, or is it possible, to list the networks being used by Ikorodu, Lagos instead of the entire Nigeria?

Please advise.
0
Hi everyone,

I am facing problems configuring my domain. For users' internet permissions I have used hosts files, but that is not enough for me. What is a suitable thing for configuration of URLs?

What about firewalls? What is the best firewall for filtering URLs ...

Looking forward to a reply, urgent..


thanks
Asad
IT student
0
Hi, I connected two ASA 5505s with a crossover cable to learn site-to-site VPN. I have these configs for both, but it's just not working; there is no activity on the outside interfaces. I have tested each ASA 5505 connected to my home LAN with internet access to make sure the interfaces are working. Thanks!


ASA Version 8.2(5)
!
hostname asa-a
domain-name asa-a.domain
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name asa-a.domain
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn …
0
Hello
We have an IPsec VPN solution for a small number of sites. Our users remote into two of the sites via IPsec VPN too.
We are going to move supplier and are looking at moving from IPsec to MPLS. We will look to migrate to AWS and/or move CRM out to other providers. We will also be moving from our on-prem phone system to a cloud solution.
Has anyone got any recommendations around security, performance, limitations etc. of each?
Thanks
0
Hi all,

I need assistance in deploying some config changes on an IKEv2 site-to-site IPsec VPN on a Cisco router. The VPN is currently set up with IPv4 addresses, i.e. the peer IP and identity addresses are IPv4. I have been requested to change the remote IPv4 peer IP to an FQDN, i.e. ipsec.abc.com. Should I just change the remote IP to the FQDN wherever it pops up? Or are there any other changes that need to be made in order to support this change? On my side we will continue to use an IPv4 address.
If you have a template I can follow, that would be awesome.
Thanks and kind regards.
0
Hi

I'm trying to establish an IPsec VPN from my firewall to another vendor at a remote site.

The tunnel is not coming up. The remote vendor says they allowed UDP ports 500 and 4500.

But I suspect there is some issue at their end with opening the ports above.

1. How do I confirm that UDP ports 500 and 4500 are open? I tried using portqry and it seems not accurate.
It says the port is open for any port I scan. How do I verify whether port 500 or 4500 is open or closed at their end?

2. Another thing: when the VPN is not coming up, I want to run some debugs on the Cisco ASA.
Last time, when I set up an IPsec tunnel on a Fortigate firewall, based on the debug I could see where it was failing, Phase 1 or Phase 2.
On a Cisco ASA, which debug commands will tell me where it is failing, and how do I see whether traffic is coming in from the remote end or not?

Thanks
0
Is there a way to find out who owns a domain even if they have domain Privacy added to their site?
0
Hi

Where can I get the IPsec information? Is it in the router or the firewall?
0
VPN literally just stopped working for all of our users. No changes that I am aware of. Simple MS VPN connection to a VPN server.

Server side error:
 VPN2-112: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.
PC/Workstation off Network connection error:
Error 619: A connection to the remote computer could not be established, so the port for this connection was closed.

Server-side:
Windows firewall and anything that could be blocking is off. I see the users hit the network via Firepower but then the "Error 619".
If I truly need to provide them with a workstation cert, how do I go about doing this, and efficiently, for several people?

TIA
0
Good day guys,
I have two Fortigates, one in the HQ and the other one in a Branch.
In the first stage I had WAN 1 and WAN 2 on both sides (a specified link and ADSL for internet).
After that I added WAN 3 (ADSL also) on the Fortigate of the HQ and I made an IPsec VPN between the two sides.
The problem is that ADSL 1 on WAN 1 and ADSL 2 on WAN 3 on the HQ Fortigate don't work when the gateway IP is different, knowing that the two ADSL addresses are in the same range from my ISP.
If the two addresses have the same gateway IP address, it works very well.
I really find that peculiar.
Fortigate 60E
version 5.6.2
0
Hi All,

I'm running an ASR 1000 with version XE 3.13.01.S (15.4(3)S1). Does it support SHA256 and AES256 for IKEv1? I know it does for IKEv2, but I am not sure about IKEv1, both phase 1 and phase 2.
Here is what I found on a Cisco website: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html

"Support for the NGE control plane (ECDH and ECDSA) has been introduced with Version XE3.7 (15.2(4)S). Initial control plane SHA-2 support was for IKEv2 only, with IKEv1 support added in Version XE3.10 (15.3(3)S). AES-GCM-128 and AES-GCM-256 encryption algorithms have been supported for IKEv2 control plane protection since Version XE3.12 (15.4(2)S) and 15.4(2)T. NGE dataplane support was added in Version XE3.8 (15.3(1)S) for Octeon based platforms only (ASR1001-X, ASR1002-X, ESP-100, and ESP-200); dataplane support is not available for other ASR platforms."

What's the difference between data plane support and control plane support?

Thanks and kind regards.
0
I have an ASA 5510 and I have the management port configured with 192.168.2.1/24. I configured my computer with 192.168.2.6/24 and a default gateway of 192.168.2.1, and I cannot get into the ASA.


ciscoasa# sh run
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging console critical
logging monitor critical
logging asdm informational
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-716.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout …
0
I'm having difficulties setting up a new site-to-site VPN to two other sites. I currently have a site-to-site VPN working from the 128.0 to the 2.0 network. I have a new site which I'm trying to configure a site-to-site VPN from to the other two sites through the VPN wizard, and they aren't connecting. I went through the ASDM site-to-site VPN wizard and it worked for the first one, but it doesn't for the new site to the others. I have included the configs below.

192.168.1.0 NETWORK
:
ASA Version 9.1(6)
!
hostname ciscoasa
enable password OlOxQ1nyrZ49h6MK encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 104.201.x.x 255.255.255.252
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network EMAIL
 host 192.168.1.253
 description Woodchuck
object network Webserver
 host 192.168.1.254
 description ETIMAIN
object network cl
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network SC
 subnet 172.172.128.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list…
0
Very strange: this morning when I turned on the computer I got a message that Malwarebytes (I have the Pro version) had been turned off. When I turned it on, the option "Protection against malicious code" was switched off, and I cannot switch it on! All other options are selectable and can be switched on, but not this one.

Last time I was in Manila I had similar problems with strange things happening. Then when I left, the problems disappeared. And most often here in Manila I get warnings when connecting to the hotel wifi about an insecure network or dangerous connection.

All kinds of small problems for 2 days, since I suddenly got this problem with the message "Waiting for proxy tunnel" in Google Chrome and "TLS handshake" in Mozilla Firefox:

https://www.experts-exchange.com/questions/29058931/How-should-I-get-rid-of-the-message-Waiting-for-Proxy-Tunnel-in-Google-Chrome.html

Other problems: I can no longer use the Google API for connecting to the Google Translate API for my CAT tool. I can no longer switch input language. I can no longer run Windows Update:

https://www.experts-exchange.com/questions/29058918/Why-do-I-get-Windows-could-not-search-for-new-updates-in-my-Windows-7-Home-when-checking-for-updates.html

Other problems (continued):

Takes ages to save a text document or other document ("Not responding").
"Google has authentication problems" when logged in to Gmail.

Etc. etc. (new issues coming up all the time).
0
Hi,

I have 2 Windows Server 2008 R2 machines which are going to be promoted to domain controllers. Both of the servers are located in different locations.

Server A, at location A, is using a subnet that is routable across their network from various offices, but Server B is set up behind a private LAN which requires NAT to be configured in order to communicate with Server A.

We proposed to use Windows IPsec for these 2 servers to communicate for AD traffic.

I set up the environment in our lab. The IPsec works with no NAT configured in between; however, if I turn on NAT at one of the sites, Server A can't ping Server B via either its real or its NATed IP.

Server B is able to ping Server A's real IP.

I tried the steps from this article, https://it.cornell.edu/managed-servers/secure-windows-traffic-ipsec, but still no luck.

I'd appreciate it if any experts have come across this before.

thanks
0
After I've configured the device I can't get out to the internet from any of the PCs. I can access the 5505 from an outside computer and can configure it via the ASDM, so I'm not sure what the problem is. Can someone verify my config below?

ASA Version 8.3(1)
!
hostname ciscoasa
enable password OlOxQ1nyrZ49h6MK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object network SCETI
 subnet 172.172.128.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object SCETI
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host 192.168.2.100 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source …
0