Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


There is a way to configure VPN AnyConnect logging to track one particular username. Once the user logs in to the VPN, the ASA will email the log to an email address. I used to know the website that assisted with this config and I can no longer find it. Does anyone know the syntax for this?
0
Hi,

I have 2 Windows Server 2008 R2 servers which are going to be promoted to domain controllers. Both of the servers are located in different locations.

Server-A, which is at location A, is using a subnet that is routable across their network from various offices, but Server-B is set up behind a private LAN which requires NAT to be configured in order to communicate with Server-A.

We proposed to use Windows IPsec for these 2 servers to communicate for AD traffic.

I set up the environment in our lab; the IPsec works with no NAT configured in between. However, if I turn on NAT at one of the sites, Server-A can't ping Server-B via its real or NATed IP.

Server-B is able to ping Server-A's real IP.

I tried the steps from this article, https://it.cornell.edu/managed-servers/secure-windows-traffic-ipsec but still no luck.

I'd appreciate it if any experts have come across this before.

thanks
0
After I've configured the device I can't get out to the Internet via any of the PCs. I can access the 5505 from an outside computer and can configure it via the ASDM so I'm not sure what the problem is. Can someone verify my config below?

ASA Version 8.3(1)
!
hostname ciscoasa
enable password OlOxQ1nyrZ49h6MK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object network SCETI
 subnet 172.172.128.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object SCETI
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host 192.168.2.100 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source …
0
I need to look at a website. It is not a pentest itself. Just a vulnerability scan. What tools could I use to generate a complete report?
I also need to generate a less technical report.
0
2
Hello;

I am facing an issue where my Cisco ASR 1002-X keeps rebooting itself at random times. When I run show version, I can see the reason for reload is: critical process fault, fman_fp_image, fp_0_0, rc=139

On my syslog server, I keep getting this error: %IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:171 TS:00000041045846946120 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error,

I don't know if that could be the reason for my router reload or if it's an IOS bug; I am running asr1002x-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin.

Your help will be highly appreciated.
0
Good morning everyone. Let me describe my environment - I have DA set up on Server 2016, running on 2 servers and load balanced on a Kemp. NLS servers are on dedicated, clustered servers as well. DirectAccess seems to be running OK but every day I get a random user calling with the same issue as the others.

Scenario: Users are outside the network connected through DA. Their DA connection will drop and I will get these errors in the event log of the DA server they are connected to (events attached): "An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted." and "An IPsec main mode negotiation failed." Then DirectAccess will be stuck in the connecting status. The user then simply shuts down and calls it a night. When they come into the office the next morning, they log into the network but their computer's network domain is on public or private and not ourdomain.local. The only way to fix it is to pull out the DA registry keys and reboot - although this is not a good or safe solution. I have verified the NLS servers are up and accessible. And again, it doesn't happen to everyone, only about 1 out of every 5 users.

What would make the local computers come up on the public or private network right at bootup?

Any help would be GREATLY appreciated!
1.txt
2.txt
0
I need a web service to remain secret and would use Cloudflare or a similar technology to prevent DDoS attacks. Aside from DDoS, what other types of attacks are possible?

I assume my web service domain would be totally hidden, but need to be sure there is no other known threat to it.

Thanks
0
What options are there to protect a web service from a DOS attack?

IF the web service were accessed only by my Objective-C iPhone application, and nowhere else, is this web service protected by the "security through obscurity" model? Or, can hackers crack open the source code of the iPhone app, like Apple can?

What about if I put the URL to the web service into the SQLite database and encrypted the Path?

So, when my app needs to request information from the web service, it does a DB lookup in the SQLite database for the path to the web service. When it gets it, it decrypts it. Then, using a variable (in memory) only, it makes the web service call.

Does this protect from a DOS attack to that web service call?

Are there easier ways?

Will this work on Java for the Android?

What about on my website?

Thanks.
0
I am troubleshooting a connection issue for two sites connected over ipsec l2l tunnel. It's occasional. TCP traffic conversation ages out. Is there a way to see when the tunnel went down or up in the previous 24 hours?
0
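For the question above about seeing when an L2L tunnel went down or came back up, here is an added example (not code from the post) that reconstructs tunnel down/up intervals from ASA syslog. It assumes "logging timestamp" is enabled and that messages 602303 (IPsec SA created) and 602304 (IPsec SA deleted) reach the syslog server or buffer; both are severity 6, so the logging level has to be informational or higher for them to exist at all. The log lines below are constructed to resemble those messages; the peers, SPIs and times are made up.

```python
"""Reconstruct LAN-to-LAN tunnel outages from ASA IPsec SA create/delete syslog messages.

Added example for this page, not code from any post above. The sample log is constructed
to resemble ASA messages 602303/602304 with 'logging timestamp' on; every value is made up."""
import re
from datetime import datetime, timedelta

# Constructed sample: outbound SA events for one peer over a day. Entries 4 and 5 are a normal
# rekey (new SA installed before the old one is removed); entries 2-3 and 6-7 are real gaps.
SAMPLE_LOG = """\
Mar 04 2018 08:12:01: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 198.51.100.1 and 203.0.113.9 (user= 203.0.113.9) has been created.
Mar 04 2018 13:40:27: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 198.51.100.1 and 203.0.113.9 (user= 203.0.113.9) has been deleted.
Mar 04 2018 13:41:03: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between 198.51.100.1 and 203.0.113.9 (user= 203.0.113.9) has been created.
Mar 04 2018 16:00:00: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x9C0D1E2F) between 198.51.100.1 and 203.0.113.9 (user= 203.0.113.9) has been created.
Mar 04 2018 16:00:02: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x5E6F7A8B) between 198.51.100.1 and 203.0.113.9 (user= 203.0.113.9) has been deleted.
Mar 04 2018 21:05:44: %ASA-6-602304: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x9C0D1E2F) between 198.51.100.1 and 203.0.113.9 (user= 203.0.113.9) has been deleted.
Mar 04 2018 21:09:10: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3F4E5D6C) between 198.51.100.1 and 203.0.113.9 (user= 203.0.113.9) has been created.
"""

SA_EVENT = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<msgid>60230[34]): IPSEC: "
    r"An (?P<direction>inbound|outbound) LAN-to-LAN SA \(SPI= (?P<spi>0x[0-9A-Fa-f]+)\) "
    r"between (?P<local>\S+) and (?P<peer>\S+) "
)


def parse_sa_events(log_text: str) -> list:
    """Return (timestamp, peer, spi, created) tuples for outbound SAs only; the inbound SA
    of each pair is created and deleted in lockstep and would double-count every event."""
    events = []
    for line in log_text.splitlines():
        m = SA_EVENT.match(line)
        if m and m["direction"] == "outbound":
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            events.append((ts, m["peer"], m["spi"].lower(), m["msgid"] == "602303"))
    return events


def tunnel_outages(log_text: str, now: datetime, window: timedelta = timedelta(hours=24)) -> list:
    """Intervals (peer, down_at, up_at) during which a peer had no outbound SA at all,
    limited to outages that started within `window` of `now`. A 602304 on its own is not
    an outage: every routine rekey deletes the old SA after installing the new one."""
    live = {}        # peer -> set of SPIs currently installed
    down_since = {}  # peer -> time its last SA went away
    outages = []
    for ts, peer, spi, created in sorted(parse_sa_events(log_text)):
        spis = live.setdefault(peer, set())
        if created:
            if not spis and peer in down_since:
                outages.append((peer, down_since.pop(peer), ts))
            spis.add(spi)
        elif spi in spis:  # deletes of SAs created before the log starts tell us nothing
            spis.discard(spi)
            if not spis:
                down_since[peer] = ts
    for peer, since in down_since.items():
        outages.append((peer, since, None))  # still down when the log ends
    cutoff = now - window
    return [o for o in outages if o[1] >= cutoff]


if __name__ == "__main__":
    for peer, down, up in tunnel_outages(SAMPLE_LOG, now=datetime(2018, 3, 5, 7, 0, 0)):
        print(peer, "down", down, "up", up or "(still down)", "for", (up - down) if up else "?")
```

The script keys on whether any outbound SA to the peer is installed, not on individual delete messages, which is what separates a real flap from the delete that follows every successful rekey.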
I am creating a site-to-site IPsec VPN tunnel with a Cisco ASA 5506x and 5555. Now I am keeping the 5506x firewall in the DMZ. Can I keep the outside int and inside int IPs of the 5506x in the same subnet?
0
It seems Sky have changed their email servers to Yahoo and with it, changed the security settings. Until the other day all was working OK but then email stopped arriving. Sky deny all knowledge but from a conversation I had with their support team about another client I've been working with, and research I've done on the Internet it seems that the Sky incoming email servers have changed.
For IMAP it was imap.tools.sky.com and is now imap.mail.yahoo.com
For POP it was pop.tools.sky.com and is now pop.mail.yahoo.com

My client is using POP mail with Outlook 2010 so I have changed the server to pop.mail.yahoo.com and set port 995 and SSL=Yes but it still won't connect. Outgoing email is OK using the same username and password as incoming so that verifies the credentials. (I can also login to sky.com using the credentials).

Is there something I've missed?
0
Can loved ones or family members see my credit report if I put a security freeze on it?
0
We currently use OpenVPN, as well as L2TP over IPSec VPN on our Linux servers (CentOS 6.x mostly). Both VPN servers are running properly. However, while each of the physical servers have several IPs assigned to them, the VPN is always able to run on one IP address only.

What we need:

A user connects to our server (either via OpenVPN or via L2TP over IPsec VPN), the server picks a random server IP address instead of just one for all users.

Basically, what we need is a server side IP address rotation for the VPN.
0
There is an IPSEC tunnel from a SRX240H2 to a Sophos UTM 9.

The tunnel is up most of the time but occasionally goes down. And I wonder if the following could be related to the problem.

When the Sophos appliance sends this (from capture on the SRX):

Frame 10273: 310 bytes on wire (2480 bits), 310 bytes captured (2480 bits)
Juniper Ethernet
Ethernet II, Src: Cisco_xx.xx.xx (30:e4:db:xx.xx.xx), Dst: Netscreen_xx.xx.xx (00:10:db:xx.xx.xx)
Internet Protocol Version 4, Src: 2.2.2.2, Dst: 1.1.1.1
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 284
    Identification: 0xffe2 (65506)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 57
    Protocol: UDP (17)
    Header checksum: 0x15b1 [validation disabled]
    [Header checksum status: Unverified]
    Source: 2.2.2.2
    Destination: 1.1.1.1
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 500, Dst Port: 500
Internet Security Association and Key Management Protocol
    Initiator SPI: 91ee52a313c081d6
    Responder SPI: 0000000000000000
    Next payload:…
0
Hi Sir,

Would like to ask for your help about the problem listed below,

[Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xccb797a8) not found (maybe expired)

Hoping that you can help me resolve this matter.


Thank you in advance.
0
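The capture above (UDP 500 to 500, initiator SPI 91ee52a313c081d6, responder SPI all zeros) is the first message of an IKEv1 phase 1 exchange, and the log line above it ("ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xccb797a8) not found") is a Delete payload for an ESP SPI the receiver no longer holds. The following added example (not code from either post) decodes both structures per RFC 2408. The first sample message is built from the fields visible in the capture; its next payload, exchange type and SA body are assumptions, since the capture is cut off. The second sample carries a Delete for SPI 0xccb797a8 and is deliberately left unencrypted so the parser can read it; a real peer sends it encrypted under the phase 1 SA.

```python
"""Decode IKEv1/ISAKMP (RFC 2408) headers and Delete payloads from a UDP/500 datagram body.

Added example for this page; not code from any of the posts above. Sample messages are
constructed from the fields visible in the capture, with everything else assumed."""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, next payload, version, exchange, flags, msg id, length
DELETE_FIXED = struct.Struct("!BBHIBBH")   # generic payload header (next, reserved, len) + DOI, proto, SPI size, #SPIs

EXCHANGE_TYPES = {
    1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
    4: "Aggressive", 5: "Informational", 32: "Quick Mode",
}
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}
PROTOCOL_IDS = {1: "PROTO_ISAKMP", 2: "PROTO_IPSEC_AH", 3: "PROTO_IPSEC_ESP"}
FLAG_ENCRYPTION = 0x01
PAYLOAD_DELETE = 12


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the fixed 28-byte header. The responder cookie is all zeros only in the
    initiator's first phase 1 message, which is what the capture above shows."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("datagram shorter than ISAKMP header")
    i_spi, r_spi, nxt, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(data)
    if length != len(data):
        raise ValueError(f"length field {length} does not match payload size {len(data)}")
    return {
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "next_payload": PAYLOAD_TYPES.get(nxt, str(nxt)),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange_type": EXCHANGE_TYPES.get(exch, str(exch)),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        "length": length,
        "phase1_first_message": r_spi == bytes(8),
    }


def parse_delete_payloads(data: bytes) -> list:
    """Walk the payload chain and collect every Delete payload (protocol + SPIs).
    Informational exchanges sent after phase 1 carry HASH + D under the E flag, so a real
    capture must be decrypted with the phase 1 keys before the SPIs are visible."""
    header = parse_isakmp_header(data)
    if header["encrypted"]:
        raise ValueError("payloads are encrypted under the phase 1 SA")
    deletes = []
    next_type = ISAKMP_HDR.unpack_from(data)[2]
    offset = ISAKMP_HDR.size
    while next_type != 0:
        if offset + 4 > len(data):
            raise ValueError("truncated payload chain")
        following, _reserved, plen = struct.unpack_from("!BBH", data, offset)
        if plen < 4 or offset + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {offset}")
        if next_type == PAYLOAD_DELETE:
            _, _, _, doi, proto, spi_size, n_spis = DELETE_FIXED.unpack_from(data, offset)
            if DELETE_FIXED.size + spi_size * n_spis != plen:
                raise ValueError("Delete payload SPI count does not match its length")
            start = offset + DELETE_FIXED.size
            spis = [data[start + k * spi_size: start + (k + 1) * spi_size].hex() for k in range(n_spis)]
            deletes.append({"doi": doi, "protocol": PROTOCOL_IDS.get(proto, str(proto)), "spis": spis})
        offset += plen
        next_type = following
    return deletes


def build_delete_message(i_spi: bytes, r_spi: bytes, msg_id: int, esp_spi: int, encrypted: bool = False) -> bytes:
    """Informational exchange (type 5) carrying one Delete for an ESP SPI under the IPsec DOI (1).
    A real peer sends this encrypted; encrypted=False is a simplification for the parser demo."""
    delete = DELETE_FIXED.pack(0, 0, DELETE_FIXED.size + 4, 1, 3, 4, 1) + struct.pack("!I", esp_spi)
    flags = FLAG_ENCRYPTION if encrypted else 0
    return ISAKMP_HDR.pack(i_spi, r_spi, PAYLOAD_DELETE, 0x10, 5, flags, msg_id, ISAKMP_HDR.size + len(delete)) + delete


# Constructed sample 1: the main mode message 1 from the capture (cookie 91ee52a313c081d6, responder
# cookie zero, UDP payload 284 - 20 - 8 = 256 bytes). Next payload SA, exchange type 2 and a
# zero-filled SA body are assumptions; the capture is cut off before those fields.
SA_BODY_LEN = 256 - ISAKMP_HDR.size
MAIN_MODE_MSG1 = (
    ISAKMP_HDR.pack(bytes.fromhex("91ee52a313c081d6"), bytes(8), 1, 0x10, 2, 0, 0, 256)
    + struct.pack("!BBH", 0, 0, SA_BODY_LEN) + bytes(SA_BODY_LEN - 4)
)

# Constructed sample 2: a peer tearing down ESP SA 0xccb797a8, the SPI named in the
# "ignoring Delete SA payload ... not found (maybe expired)" log line. Cookies and message ID are made up.
DELETE_MSG = build_delete_message(bytes.fromhex("91ee52a313c081d6"), bytes.fromhex("0123456789abcdef"), 0x6A1F03C2, 0xCCB797A8)

if __name__ == "__main__":
    print(parse_isakmp_header(MAIN_MODE_MSG1))
    print(parse_delete_payloads(DELETE_MSG))
```

On the SRX, feeding the raw UDP payload of a frame like the one captured above into parse_isakmp_header tells you whether the peer is starting phase 1 from scratch (responder cookie zero) or sending an Informational exchange about an existing SA, which is the difference between a rekey gone wrong and a peer that has lost all state.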
Hi again everyone -

So sorry to be a pest. Now that I have my ASA 5505 up and running with successful Internet access by devices on my LAN, I can't seem to get my DMZ to gain internet access. Nor can I get a simple IPSec site-to-site VPN to work.  This is really frustrating as the ASA on the other side already participates in another separate site-to-site VPN (setup by me) which works just fine.

I have looked at NAT rules and access rules and can't seem to find the difference. The only thing I did differently on this VPN was try Diffie-Hellman Group 1 as the Group 2 settings didn't work.

Below is the sanitized config of the ASA that has a working DMZ and a working VPN as well as the non-working VPN.  I have replaced my static public IP with xx.xx.xx.xx and the peer IPs in the VPNs are vv.vv.vv.vv for the one that works and ng.ng.ng.ng for the one that doesn't work.

I will return to this post momentarily and add a comment with the running configuration of the ASA at the other site.

Thanks in advance for any help.

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password /zzzzzzzzz encrypted
passwd zzzzzzz.zzzz encrypted
names
name 192.168.1.0 dmz_outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 
0
I would like to understand the difference of persistent connection and keep alive. Is it only applicable to HTTP protocol? Thanks!
0
I froze my credit report at the 3 bureaus: Equifax, TransUnion, Experian. I did that because some people know my social and date of birth and I don't want them to know my new address. My question is, what other agencies can I use to freeze my credit history?
0
2
Hello,

Trying to create a Site to Site between our TZ215 and Azure:
VNET1 - Address Space = 10.1.0.0/16
        Subnet range  = 10.1.0.0/24

GatewaySubnet = 10.1.1.0/24

Virtual Net Gateway = VPN
                    = Policy-based
                    = VNET1
                    = VNET1GWIP (created Public IP)

Local Net Gateway = RP_OFFICE
                  = Public IP address of SonicWALL
                  = 192.168.250.0/24 (LAN network on SonicWALL)

Connection = Site-to-Site (IPsec)
           = Virtual Net Gateway
           = RP_OFFICE
           = Shared key that matches what's configured in the SonicWALL

SonicWALL:
General Tab   = Site to Site, IKE using Preshared, IPsec Primary = Public IP of Azure, IPsec Secondary = 0.0.0.0, Local & Peer IKE ID = IPv4 address
Network Tab   = LAN Subnets, Azure LAN network
Proposals Tab = Main Mode, Group 2, AES-256, SHA1, 28800, ESP, AES-256, SHA1, 3600

Seeing the following in the SonicWALL log:
  SENDING>>>> ISAKMP OAK INFO …
0
Sir,
I have established a VPN server in Windows Server 2012 R2 and it works fine, but when I try to connect with the 2nd server (the DATA server) it shows nothing. Please let me know how I can connect to the server using the VPN connection.

Thanks

Asad Rehman
0
We have issues while setting up client VPN on TP-LINK TL-ER6120 and TL-ER6020 routers. Even when it is connected, we are unable to ping the inside hosts.
0
I have a TZ105 and I set up SSL VPN with NetBIOS enabled. I configured the Client Settings DNS server address for our internal DNS server. So I can now ping hostname.domain.local but can't ping hostname. Any suggestions?
0