Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

Share tech news, updates, or what's on your mind.

Sign up to Post

Hi,

I have a problem to establish call session between two sites over gre tunnel ipsec. The tunnel is up but I am Unable to set a call. I think the problem is Nat but I don't know how to fix it.  It's seems like the traffic were blocked in the beginning of the tunnel.

You can see the configuration files in attached.

 

Best Regards,

 

Aristide
0
CompTIA Network+
LVL 12
CompTIA Network+

Prepare for the CompTIA Network+ exam by learning how to troubleshoot, configure, and manage both wired and wireless networks.

Dear expert,

I have bought a Samsung smart TV. I am looking for trusted and secure IPTV to install it. And secure IPTV vendor including Bein Sport, OSN, US channels, UK BBC...etc

a friend of mine advice me to install KODI but it is showing on the samsung store.

Thank you in advance.
0
Hi guys

As part of the last question I asked about firewall rules, I am looking at our firewall right now and monitoring the traffic. I'm looking at the traffic between VPN connections from our stores to a main server. These stores are all using the same application to communicate with the server. However, I'm looking at the server and it is receiving connections from our various stores, but every single store is communicating via a different port. So one store will be coming through port 4274. The other one will send it via port 4288. My point is, are applications specifically written in this way to prevent security breaches from happening by constantly randomising their port sequences so that they can't be 'guessed' by a malicious attacker?

And if that is the case, surely going back to the answers being given previously, this does warrant the ability for the 'ANY' ports to be open from site A to site B via VPN.

Thank you
Yash
0
I have a watchguard M270, the customer has a hosted server they connect to via ipsec. What policy could I enable to allow the ipsec vpn outbound.
0
Hi all,
I have a FW problem,
I've got two fortigate firewalls connected by IPsec VPN which is working great. users can connect to the main site also with SSL VPN. The problem is that when an SSL VPN user can't get to the remote site computes,
The main site address is 192.168.1.0/24,
The remote site address is 10.0.0.0/24
The SSL VPN address is 172.16.0.(100-110).
The phase 2 in the IPsec VPN is configurd with 0.0.0.0 and I've tried all the policies from the cookboos I could find but I still can't get it to work. The SSL Tunnel is split and the remote site address is configure in it.
What am I doing wrong?
Is there any suggestions on how can I resolve it?

Thanxs in advance
0
ipsecvpn.JPG




We  have  a network similar  to the diagram  shown above ,,
And  we  want  to configure IPSEC  IKv1 VPN between 2  sites .  we  have  A cisco  4321 Router at Branch A and  A Palo Alto firewall on  the  other end  …

After  doing  the well known configuration provided by Cisco at

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html

we found  that  we  still could not  form  a successful a tunnel  between sites ,,   ..  
we  think that  there  a hope or a firewall somewhere in the  WAN path  blocking or  filtering
the  IKEv1  traffic  and  ICMP

so  the Questino consist of  two  parts :-

First :-   Kindly  provide  us  with  your suggestion regarding the proper an optimim configuration for the
Devices  at  both ends

Second :-   In  the  WAN  how  could  we  specify  the hop that  filter that traffic exactly ?
                          We  want  to prove that one hop is blocking or filtering IKv1 and ICMP traffic
              Then how could we find and prove that it  prevents specific data traffic  ?
0
On a Fortigate I wish to send traffic from an internal subnet through an IPSec VPN rather than straight out to the internet.

I have created a Policy Route as follows, but traffic still goes out the internet interface and not though the VPN.

Here's the config - testing traffic coming from IP 172.16.1.59 goes to the VPN 'test2'

Thanks

Capture.PNG
0
I'm trying to setup a IPSEC VPN tunnel between a Draytek 2860 and a Cisco ASA 5520.

I did manage to establish the VPN connection before but now I am unable to connect. Here are the logs from Draytek Syslog

2018-08-13 01:41:29	 [IPSEC][L2L][5:WMH_PXP1][@xx.xxx.x.xxx] IKE link timeout: state linking
 2018-08-13 01:41:26	 IKE <==, Next Payload=ISAKMP_NEXT_N, Exchange Type = 0x5, Message ID = 0x0
 2018-08-13 01:41:20	 IKE <==, Next Payload=ISAKMP_NEXT_N, Exchange Type = 0x5, Message ID = 0x0
 2018-08-13 01:41:16	 IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
 2018-08-13 01:41:16	 Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
 2018-08-13 01:41:16	 IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
 2018-08-13 01:41:16	 IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
 2018-08-13 01:41:16	 [IPSEC/IKE][L2L][5:WMH_PXP1][@xx.xxx.x.xxx] Initiating IKE Main Mode
 2018-08-13 01:41:16	 Initiating IKE Main Mode to xx.xxx.x.xxx
 2018-08-13 01:41:16	 Dialing Node5 (WMH_PXP1) : xx.xxx.x.xxx

Open in new window

0
Because I am taking over for an ex-employee, I am tasked with finding out why a visitor who's logged in session times out 24 hours after inactivity can still see certain things that they should only be able to see when logged in, like special pricing. It was originally designed this way, because the boss wanted government customers who have logged in at some point to always be able to see their government pricing, whether they were currently logged in or not. Now, that decision has been reversed, and we only want them to see their government pricing if their current logged in session is valid.

we use Symfony2 on Unix / Apache if that matters

I have no idea if it's a cookie, a session, or whatever else

I know we utilize both but I don't know if the answer lies in either place
0
I'm looking to put together a document that basically states why we need to replace 5 or 6 switches and need a template that will have ROI, business reasoning for the change and possibly cost analysis.  I'm not familiar with the process, but I would like to get this going and I'm assuming there might be some type of template available?  

I'm also looking into proposing an ISE implementation as well and also need some type of documents or templates for completing this as well.  We presently have 3560s in the environment and we're looking to replace these devices with the latest and greatest that will also be OSPF complaint as well as ISE complaint we well.

From the ISE point-of-view, we might be looking to having a virtual appliance and also wanted to the know the pros/cons to this as opposed to having a physical device, if any.  Maybe the difference in cost as well.
0
Webinar: Miercom Evaluates Wi-Fi Security
Webinar: Miercom Evaluates Wi-Fi Security

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom how WatchGuard's Wi-Fi security stacks up against the competition in our upcoming webinar!

I have a Netgear FVS318N, and it has worked great for our needs in a small business.
 Of  Course netgear is no longer  Supporting any utm or small business fire wall VPN routers.
What is a good alternative to this level of a fire wall with good VPN
IPsec or SSL VPN.
We really don't wanna spend $2000 or even a $1000 is there anything in that mid range? the netgear FVS318 and was only about $200.
 any suggestions thanks
0
Draytek to Cisco ASA IPSEC vpn issue
I am sure its just a mismatch but wondered if anyone with more knowledge can tell me what to change on draytek to get it to connect.

Draytek set to
Dial Out
IKEv1
Pre shared key entered
High (ESP)
AES (with encryption)
  Phase 1 proposal : auto
  Phase 2 Proposal : AES256_SHA256
Key 1 lifetime : 86400
Key 2 Lifetime : 3600
PFS : enable
Local ID blank


Here is the cisco config for VPN

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400


crypto map site-to-site 100 match address CCTV-TSI-VPN
crypto map site-to-site 100 set pfs
crypto map site-to-site 100 set peer 8x.xx.xx.xx
crypto map site-to-site 100 set ikev1 transform-set ESP-AES256-SHA
crypto map site-to-site 100 set security-association lifetime seconds 3600
crypto map site-to-site 100 set security-association lifetime kilobytes 4608000
0
Hi Experts

Could you point if  phpCAS that uses API for authenticating users against a CAS server (WebSSO CAS) could be integrated at an existing Codeigniter project?

CAS - Central Authentication Server

I'm implementing a SSO (Single Sign-On)  funcionality to allow a web app conexion based on user id and  correspondent user's data obtained from LDAP (AD-Active Directory)

phpCAS

I'm planning to implement the SSO functionality at PHP Codeigniter's site index.php.

Thanks in advance!
0
Scenario 10
This article is about building Dynamic Multipoint VPN tunnels in Cisco CSR1000V router with IOS XE. There are two CSR1000V hub routers configured with dual hub dual cloud Phase 3 DMVPN.
0
I have 2 sites connected via IPsec VPN but I cannot connect to services across this VPN.

 

The tunnel is active and I can send ICMP in either direction but I can't connect to any of the internal resources. This had been working previously for a while (years) without issue and just recently cropped up, no changes have been made to the networks.

 

Site A: 192.168.1.0/24
Using a Ubiquiti EdgeMax Router firmware 1.10.5

Site B: 192.168.2.0/24
Using a Cisco RV042

 

auto-firewall-nat-exclude is enabled, can ping across VPN, running latest firmware, rebooted device, rekeyed the tunnel, destination server firewall is allowing incoming traffic

 

Here is my tunnel sa and a ping showing that I can get across.

 

unifisa.PNG
 

I can also ping from the remote site to 192.168.1.0/24

 

From Site A I can access a local website at Site B, but I cannot connect to local resources at Site A from Site B which is what we really need.
0
Scenario 9
This article is about building Dynamic Multipoint VPN tunnels in Cisco CSR1000V router with IOS XE. There are two CSR1000V hub routers configured with single tier Phase 3 DMVPN Cloud.
0
Scenario 8
This article is about building Dynamic Multipoint VPN tunnels in Cisco CSR1000V router with IOS XE. There are two spoke routers connected to single tier Phase 3 DMVPN Cloud hosted on CSR1000V router.
0
Scenario 7
This article is about building Dynamic Multipoint VPN tunnels in Cisco CSR1000V router with IOS XE. There are two spoke routers connected to single tier Phase 1 DMVPN Cloud hosted on CSR1000V router.
0
Will submitting a login form with a POST request over HTTPS be enough security or are there other precautions I should take? This project is also being built in Angular if there are any specific considerations.
0
Bootstrap 4: Exploring New Features
LVL 12
Bootstrap 4: Exploring New Features

Learn how to use and navigate the new features included in Bootstrap 4, the most popular HTML, CSS, and JavaScript framework for developing responsive, mobile-first websites.

All of a sudden last Friday, users have started having problems accessing some secured (banking, CC processing) sites & I'm not finding any indicators as to why.
I'm running a sonicwall TZ 300 & can't seem to find any info in any log files that would point me in the right direction. when going to certain sites, I just get a waiting for site message on tab & page never loads.
any suggestions?
0
Scenario 6
This article is about building a Route Based site to site VPN tunnels with Redundant Routers in DC (HUB) in Cisco CSR1000V router with IOS XE. There are four Route Based IPsec VPN tunnels configured on two CSR1000V routers as redundant routers pair.
0
I'm looking for some guidance on how to allow Remote Users to access system applications. We currently are running a phase 1 setup where users are sent home with company equipment and use Sonicwall Global VPN software and Remote Desktop to remote into their own computers, located on site.

This is not, however, ideal, as it requires equipment on both ends.

Ideally what I'm looking for is to have a way for a user to have equipment at home, use a secure VPN connection with the Sonicwall Global Client, and then have the user access a desktop that is not in use. One way, obviously, is to have a bank of PC's with one dedicated to each person, but this seems cost prohibitive. So my thought is a virtual desktop.

I currently have two Windows 2016 Servers running my main system, including DNS and Active Directory, among other, core services. Is there a way I can build virtual desktops within that server? Should I have a separate server dedicated just to this task? What would be my starting point? Would I use Microsoft's built in Hyper-V? Would I use VMWare in some way?


The first group will probably be only 5-10 users, though this number may go up. I know there are options like Citrix which would provide a web interface but the way our applications are setup they would require a direct connection and so I don't know if Citrix and the like would work, though I am looking into this as well.


We have hundreds of available DHCP over VPN connections through our …
0
Hello Experts - I am planning to replace our web filtering service next year and wanted to get some ideas and opinions on what works for you.  We're currently using Websense which I've never been a big fan of.  I'd like a solution that does a good job of clearly reporting web activity that can be easily understood by non-technical managers and helps prevent users from accessing sites that they shouldn't, preferably with an easy to use interface.  Please let me know what you think, thanks!
0
how to setup IPsec VPN between Mikrotik and Fortigate routers
0
We have 5 site's.  4 are using a Cisco RV320 router and the 5th is using a Secure Computing router.
They each have a hardware VPN Tunnel to Rogers Hosted Servers.  This provides the end user's access to an application on their network that is crucial to running their business.

Rogers is changing the WAN IP.  Therefore, we have to change each site's Router's VPN Remote WAN IP so the VPN continues to function.  
Once the IP's are changed, the VPN comes back up and connection between both end's is established.  However, we can no longer ping behind the LAN on Roger's end over the VPN tunnel therefore can no longer access the required application via the VPN Tunnel.

Roger's believes this is a setup issue on our end, however, nothing has changed except the Remote WAN IP on the VPN Tunnel to their side.  This has also been tested on 4 of the 5 sites.  3 of them Cisco RV320's and 1 Secure Computing Router.  No changes have taken place in the LAN or WAN at these site's either.

The VPN policy being used is as follows:

Key mode:
IKE with Preshared key

Local Group Setup:  
Defines the local site WAN IP and local Subnet

Remote Group Setup:
Defines the remote site WAN IP and the remote LAN Subnet

IPSec Setup:
Phase 1 DH: Group 2 - 1024 bit
PHase 1 Encrypt: 3DES
Phase 1 Auth: SHA1
Phase 1 Lifetime: 86400
Perfect forward secrecy: NA
Phase 2: Encrypt: 3DES
Phase 2: SHA1
Phase 2 Ligrtime: 3600

Additional Settings:
Keep-Alive Enabled
Dead Peer Detection …
0

Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

Top Experts In
Internet Protocol Security
<
Monthly
>