Internet Protocol Security

5K

Solutions

2

Articles & Videos

8K

Contributors

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

Share tech news, updates, or what's on your mind.

Sign up to Post

I know that my cipher suites are causing the issue with not being able to connect to certain sites - I'm not sure how or why but somehow it's only allow HTTP connections and is not allowing HTTPS connections (windows update can't check for updates, can only browse http websites)

I also can't connect to my IIS site as it's HTTPS as well - there are no errors in the logs

I know the cipher information is in computer\HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

What do I need to do to check/fix to allow both http and https connections on this server?

See attached photo

I've seen this issue before but cannot for the life of me remember what I need to do to resolve it

IIS 7.5 - Win Server 2008 R2
experts_exchange.PNG
0
Free NetCrunch network monitor licenses!
LVL 4
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

It happens I need to keep my laptop (Windows 10 Home) powered on during night to save time for a lot of opened websites and documents I don't want to open anew each morning. But often when I resume work in the morning, the laptop is very slow when switching between the website tabs in the browser, and probably I get virus or other problems during night.

Is there any way I can protect it during nighttime, for example by turning off all ports? Otherwise, I only put it in sleep mode as it is now, but still it seems to get infected during nighttime.
0
I feel like this is a simple fix but I'm kind of tearing my hair out here.

Scenario:
Client has 2 sites A & B

Site A: remote office, no AD server on site but existing ASA 5505 with anyconnect  licenses
Site B: cloud hosted servers including AD with ASA 5585 with anyconnect licenses.

The users can connect to either, depending on what resources they need and the availability of licenses, and they both authenticate with LDAP.

Site B network:
10.10.0.0/24
ldap server 10.10.0.10

LDAP auth works fine here. No worries.

Site A network:
10.10.100.0/24
ldap server 10.10.0.10

LDAP is not working. Traffic works between these 2 networks just fine, everything is up and running, all devices can see the ldap server (windows, btw) BUT the ASA cannot connect to the 10.10.0.10 server when testing.

[-2147483634] New request Session, context 0x00007fff2a7fdfe8, reqType = Authentication
[-2147483634] Fiber started
[-2147483634] Creating LDAP context with uri=ldap://10.10.0.10:389
[-2147483634] Connect to LDAP server: ldap://10.10.0.10:389, status = Failed
[-2147483634] Unable to read rootDSE. Can't contact LDAP server.
[-2147483634] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[-2147483634] Session End

I just can't seem to figure out why? ASA ping tests and packet trackers work fine from 10.10.100.0 to 10.10.0.10 and visa versa unless I use the source ip as the inside interface ip of the ASA itself. This seems like normal behavior?

I'm more of a …
0
Hi,
 
I have a Windows 2016 Hyper-V server box that came with two network cards. First NIC is connected to internal LAN (192.168.1.x) and 2nd NIC is connected directly to ISP Internet modem (therefore, it receives a dynamic public IP address given by ISP DHCP server). On 2nd NIC,  I intend to create a virtual machine ("TESTVM") where I like to try to open some suspicious email attachments or click on website links (to find out whether they are malicious). I have installed Malwarebytes Anti-Exploits/Anti-Malware/Ransomware on this VM and it sends me email alerts whenever it detects "suspecious" activity.
I plan on connecting to this VM thru remote desktop connection program (port# 3389, 3390 .. etc) using Dynamic DNS.
Having said that, I know a lot of experts would go against the idea of exposing the server to public internet.

I know that I could put another router (192.168.2.x) between 2nd NIC and ISP internet modem to enhance security, but what I like to know is how am I venerable as it is?
How could hackers penetrate to this server when the only account is "administrator" with secure password?

Thanks you for your insight.
0
Is it possible if any one knows my social security number and date of birth can pull my credit history?
0
Hi, So this used to work so I am baffeled at the moment. Lets say the networks are below.. 2 Cisco ASA 5501 one on side 5510 on other.

TUNNEL IS UP:
VLAN location 1: X.X.20.0 /24
VLAN location 2: X.X.30.0 /24

I see on both asdm the icmp packages being transmitted, "built" never says fail.  but it does not ping on local clients.
if I do a traceroute from 5505 it atleast goes out a few hops.
but if I go to the 5510, I get zero hops, as if its not leaving the asa at all..

I see network objects defined for both, I have static routes defined for both

anything I am missing ? without me pasting my config I mean, just anything very obvious?? TY ALL
0
Need help on configuring IPsec VPN site to site VPN Tunnel between two sites. But the requirement is that I have to NAT all my local subnet (e.g. 10.1.1.0/24) to single IP (e.g. 172.16.0.50/32) and send it through the tunnel for remote traffic (e.g. 10.2.2.0/24). Please see the attached diagram for details.

I am OK setting up IPsec Site-to-Site Tunnel using the wizard between local network 10.1.1.0/24 to remote network 10.2.2.0/24.  But this specific remote site require we NAT all our local network to a single private IP and send it over the tunnel... as they will only accept traffic from this NATed single private IP (172.16.0.50/32) only.

Cisco ASA 8.x
Drawing1.PNG
0
As this is a proprietary app developed some time ago, it does not come with
an audit logging & it became an audit finding.

I'm proposing a 'video-recording' of users session to be implemented as
compensating controls.

Anyone can suggest any tool to do such video recording such that when
the thick client is executed, it will start video capturing the screen &
upon exiting the app, the recording stops & gets saved.

2 tools below was found while browsing the Net but our applications
developer retorted they're not the right products:

Apps guy: VSTS below seems to be only applicable to web applications? True or False?
https://social.msdn.microsoft.com/Forums/vstudio/en-US/5f413bcd-3b5f-4e3b-bf21-f70bd08e4408/how-to-record-a-thick-client-application-with-vsts-ultimate-2013?forum=vstest

Apps guy: JMeter works by pushing thick client traffic through JMeter proxy which detect traffic
and record it into JMeter HTTP Requests & this JMeter proxy is located out there in the Internet
& using this solution means pushing sensitive data out there into Internet.   True or false?
http://www.jmeter-archive.org/Recording-Thick-Client-td5719409.html
0
Hi,

I'm french, so my english isn't perfect...

I have a client with this network :
- 10 remote sites with CISCO ASA 5505 connected to a CISCO ASA 5520 (in the main agency).

Example :
A is connected to B (IPSec Tunnel)
B is connected to C (IPSec Tunnel)

I would like for site A to be able to get to site C through site B without create a new VPN Tunnel...

I don't know how I can do that...
0
I need to do a site to site IPSec VPN with an outside vendor so they can access a server on my network. On my end I am using a Cisco RV320 Small Business VPN Router. RV320 Manual.

The vendor and I both use the same subnet 10.1.10.0. Neither of us can change our subnet.

My office is pretty small so all network devices were on the default VLAN. No other VLANS were defined.

To try to work around the subnet problem:
  • I created a second VLAN - 10.1.12.0.

  • I setup the VPN to connect to that VLAN
  • I wired the server to LAN3 on the Cisco.

  • I used Port Management > VLAN Membership and set Inter VLAN Routing to Disabled for both VLANS.
  • For VLAN1 (10.1.10.0) I set LAN1 and LAN2 to untagged / LAN3 and LAN4 to excluded
  • For VLAN2 (10.1.12.0) I set LAN1 and LAN2 to excluded / LAN3 and LAN4 to untagged
  • For VLAN2 (10.1.12.0_ I set Device Management to disabled

The outside vendor can connect, access the GUI for router (which they shouldn't be able to) but not access the server on port 80.

The way it is setup, it should connect the vendor to my network, and they should just be accessing the 10.1.12.0 subnet. The server they need to access is 10.1.12.13 (static address, the only …
0
On Demand Webinar: Networking for the Cloud Era
LVL 8
On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

I have the above phone trying to VPN with a Dell SonicWall TZ400. When I put in the VPN information, listed below, the phone fails and gives me error codes that Phase 2 no response. I will list the three error codes I also see, if anyone can point me in the right direction.

SonicWALL

SonicWall VPN Settings:

Policy Type: Tunnel Interface
Authentication Method: IKE using Preshared Secret

IPsec Primary Gateway Name or Address: 0.0.0.0

IKE Authentication:

Local IKE ID: Domain Name
Peer IKE ID: Domain Name

IKE (Phase 1) Proposal:

Exchange: Aggressive Mod
DH Group: 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800

IPsec (Phase 2) Proposal:

Protocol: ESp
Encryption: 3DES
Authentication: SHA1
Enable Perfect Forward Secrecy: Checked
DH Group: 2
Life time: 28800

In advanced tab, the only thing checked is Keep Alive.

PHONE

Server: 50.XX.XX.209
IKE ID: VPNPhone
PSK: *****
IKE Parameters: DH2-3DES-SHA1
IPSEC Parameters: DH2-3DES-SHA1
VPN Start Mode: Boot

Password Type: N/A
Encapsulation: RFC
IKE Parameters: DH2-3DES-SHA1
IPSEC Parameters: DH2-3DES-SHA1

Copy TOS: No
File Srvr: Blank
QTest: Disable
Connectivity Check: Never

Errors

1/3
IKE Phase1 received notify
Error Code: 3997698:18
Module: NOTIFY:305

2/3
IKE Phase2 no response
Error code: 397700:0
Module: IKMPD:353

3/3
IKE Phase2 no response
Error code: 3997700:0
Module: IKECFG:1184
0
Any simple and good reference to explain the difference between time-based one time password and traditional OTP?  

Besides,  what are the risks and concerns of using freeware token app, e.g. FreeOTP?
0
I open up Internet Explorer or Edge on a WIN10 computer but I am not able to go to any website.

However, I am able to ping the default gateway of my home router,  ping the public DNS IP and get the DHCP address.  

What could be the reason?
0
Hi Experts,

On our public-facing OWA server on IIS 7, we turned on IP Address and Domain Restriction. If from the log we detect any IP trying brute force to log into our Web Outlook interface, we will put the IP into "Deny Restriction Rule" in the hope that IP will be 'blocked', meaning not even able to get the login screen. Actually it seems to be a wishful thinking since we noticed one of the IP we already added in the 'Deny' list that particular ip still keeps showing up in the log and we can see it got the login form and then denied with sc-status 401-1.

My question is, it seems this feature does NOT "block" the IP from getting the login form, but instead simply "deny" their login request. Is it correct?
0
Hi experts
 I bought UNV ip cam without NVR
I used the EZstation management software instead of the NVR but I found that application useless and very difficult to use
I need help to find another ip cam server and client application i can use for these cameras model
0
I ran a PCI test on our server and found two small issues, perhaps someone here knows how to resolve.

1. Windows specific file path was detected in the response.
WAS Result:  E:\web\favicon.ico
WAS Result:  C:\Web
Proposed solution:  The content should be reviewed to determine whether it could be masked or removed.   (I don't know how to do this)

2. The Web server can be triggered to reveal the absolute path for the Web root directory and/or other software installed on the host.
WAS Result: Some HTML code  (BlueDot Azure Server port 80/tcp)
Proposed solution: Contact the vendor of the Web server for a possible patch for this issue.  (Server is up to date)

3. SQL Error message: The scan observed an SQL-based error message while performing injection tests. However, the message only appears to indicate that a SQL statement in the web application may be corrupted; it may not be exploitable.

SQL injection enables an attacker to modify the syntax of a SQL query in order to retrieve, corrupt or delete data. This is accomplished by manipulating query criteria in a manner that affects the query's logic. The typical causes of this vulnerability are lack of input validation and insecure construction of the SQL query.

Queries created by concatenating strings with SQL syntax and user-supplied data are prone to this vulnerability. If any part of the string concatenation can be modified, then the meaning of the query can be changed.

0
I recall a few years ago that I used a program similar to Skype which allowed me to have private conversations via this tool.

There was some sort of key that I generated on my PC and emailed to the other person, which that person added to this tool. We then have "private" conversations.

Does this sound familiar to anyone? That does tool, or another, offer this today?

Thanks.
0
Hi there!
I have another strange issue, let me explain what is going on.

I have two machines (server1 and server2) with Windows Hyper-V server 2016 (the free one). Both connected in really simple Active Directory. Aditionally I have a management server with GUI server OS.
Both servers was connected to the same switch in my office, so I can establish replication of one VM located on server2 to the server1. Everything is going smoothly for couple of days.

Then I take the server2 and bring it to the remote site where already was Mikrotik router with IPSec VPN tunnel to my Office site. Just after that, replication stops working - so I let it running for some days to let settings settle down. After that days I removed the replication and try to make new one.

There Im getting error:

Hyper-V failed to enable replication.
Hyper-V failed to enable replication for virtual machine 'XXX': The connection with the server was terminated abnormally (0x00002EFE).

On the server1 - in my office - the secondary one, there is event:
ID: 29212
Source: Hyper-V-VMMS
Text:Hyper-V failed to authenticate the primary server using Kerberos authentication. Error: The I/O operation has been aborted because of either a thread exit or an application request. (0x800703E3)

On the server2 - the remote site, there is also only one event:
ID: 32000
Source: Hyper-V-VMMS
Text:Hyper-V failed to enable replication for virtual machine 'XXX': The connection with the server was terminated …
0
"The certificate presented by this website was issued for a different website's address."

The cert I installed on the load balancer was *.internal.foo.com. But the address put into
the browser for this vip would be like frodo.stage.internal.foo.com. Would having the
addition of the stage to the domain name cause the certificate error noted at the
top?
0
On Demand Webinar: Networking for the Cloud Era
LVL 8
On Demand Webinar: Networking for the Cloud Era

Did you know SD-WANs can improve network connectivity? Check out this webinar to learn how an SD-WAN simplified, one-click tool can help you migrate and manage data in the cloud.

What is the importance of this message.
What should I be concerned about? Or When should I be concerned about this?
errr
0
Hello Expert,

I have an issue with an IPSEC configuration on a ASR 1001-X. I use a crypto map based implementation but it's not working. I make a capture on the device facing the ASR and I have no ESP packet out of the ASR. I can ping the remote IPSec peer but nothing else.

Below the configuration, did you see something missing ?

ip vrf Ivrf
 description Clear side VRF
!
ip vrf Fvrf
 description Cypher side VRF (front door vrf)
 
crypto keyring Key_test vrf Fvrf
  pre-shared-key address 4.4.4.1 key toto123
 
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 
 
crypto isakmp profile ISAK_TEST
   vrf Ivrf
   keyring Key_test
   self-identity address
   match identity address 4.4.4.1 255.255.255.255 Fvrf
   initiate mode aggressive
   local-address Loopback2
   
crypto ipsec transform-set ESP-NULL esp-null esp-sha-hmac
 mode tunnel
 
crypto map CRYPTO_TEST 1 ipsec-isakmp
 description TEST
 set peer 4.4.4.1
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 28800
 set security-association idle-time 28800
 set transform-set ESP-NULL
 set isakmp-profile ISAK_TEST
 match address CRYPTOACL_TEST
 reverse-route remote-peer 4.4.4.1 static
 
interface Port-channel1.419
 description cypher side interface
 encapsulation dot1Q 419
 ip vrf forwarding Fvrf
 ip address 10.58.10.26 255.255.255.248
 standby version 2
 standby 419 ip 10.58.10.25
 standby 419 …
0
We recently converted our site to be a secure site and it works--for the most part. But many visitors are getting messages about installing certifcates or being denied access. From a Mac Chrome user:

"403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied."

From an Android Chrome user:

"No certificates found. Chrome has requested a certificate. Agreeing to this request will allow the application to use this certificate with servers from now on. The requested server has been recognized as www.dataautopros.com:443. Only agree to this request if you trust the application. You can install certificates from a ..."

I thought making a site secure (HTTPS) was supposed to just affect the communication between the browser and the server, and that the browser hid all this security stuff from the user and only indicated to the user that the site was secure. What are we doing/not doing that is putting these prompts and issues in the user's face?

The site is www.dataautopros.com.

Kevin
0
Whenever I login to my college LAN network using my credentials on UBUNTU 14.04 (Dell laptop), it shows that maximum login limit is reached.

I am using internet wih my ID and Password, and suddenly it happens, when I am using only one device at a time.

It happens only in UBUNTU and everything works fine when I am on WINDOWS. This limit persists for a long duration (an hour or so).

Plz tell a solution, what can I do? {any command in ubuntu terminal, change DNS, VPN, or anything else}
0
Hi

A client has an IPSec VPN that uses UDP ports 500, 1701 and 4500

Is it possible to capture the packets that are sent in response, are they sent to the same port numbers by any chance ?

thanks
yann
0
I have a remote situation where we have 65 small retail stores and 4 regional offices all connected via IPSec tunnel back to the corporate data center.  Everything is working great.  What I am looking to do is re-configure the Corporate ASA just to make the code easier to manage and even read.

However, the Cisco ASA IOS is not doing what I want to do in handling objects, and it may be that it just will not work.  What I want to do is use objects to create a single VPN "match address" in the crypto map definition and then just have it search through the IPsec "peers" listed in the crypto map set peer command to find the correct peer and establish the tunnel.

Here is a small code example of what is WORKING, and below that is what I want to which is not working.
object network GKY-CORP-LAN
  subnet 172.20.0.0 255.255.0.0
  description This is the Corporate Data Center
object network GKY-BGRO-LAN
 subnet 172.23.0.0 255.255.0.0
 description This is the Regional Office
object network GKY-TVILLERD
 subnet 10.5.21.0 255.255.255.0
object network GKY-NORTHFIELD
 subnet 10.5.24.0 255.255.255.0
object-group network GKY-STORES
 network-object object GKY-TVILLERD
 network-object object GKY-NORTHFIELD
object-group network IPSec-Sites
 network-object object GKY-BGRO-LAN
 group-object GKY-STORES

access-list VPN_GKY-BGRO-LAN extended permit ip object GKY-CORP-LAN object GKY-BGRO-LAN
access-list VPN_GKY-TVILLERD extended permit ip object GKY-CORP-LAN object-group …
0

Internet Protocol Security

5K

Solutions

2

Articles & Videos

8K

Contributors

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.