

Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


I have a domain that is spread out over 15-plus offices scattered around the globe. All the offices have IPSec connectivity back into Corporate. Each of the satellite offices has a domain controller onsite. My problem is this. When I do an nslookup from our corporate site to domain.com, or attempt to ping or resolve domain.com from corporate, I am getting routed to any of the other domain controllers and not specifically to the ones located on my site. This is also happening on my other sites. For example, in Australia, where I have a DC and DNS server, I get resolution to other offices when referencing the domain. What I want is, when I am in an office, for the system to resolve the domain to the local servers first and only pass to another location should the local devices be unavailable. We have set this up in Sites and Services and thought we had it, but DNS just isn't cooperating.

I built a LAN-to-LAN VPN between two companies, both ASA5510, but when I finished configuring, I did 'show crypto isakmp sa',
then it displayed 'there are no isakmp'.
When I do 'packet-tracer input inside tcp 80 80', the VPN tunnel could come up successfully, and 'show crypto isakmp sa' has some content:
1   IKE Peer: a.a.a.a
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

and the two companies could access each other, but a strange thing appeared: after 10 minutes, the VPN tunnel dropped and 'there are no isakmp' appeared again. I could not do packet-tracer every 10 minutes. Another method: I use a server to ping the opposite server all the time, and then the tunnel won't drop.

Here is the configuration:
ASA5510 A:
access-list QM-test extended permit ip
access-list acl_nat0 extended permit ip
nat (inside) 0 access-list acl_nat0
crypto ipsec transform-set test-QM esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 43200
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address QM-test
crypto map mymap 10 set peer a.a.a.a
crypto map mymap 10 set transform-set test-QM
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
I have been trying to work with SonicWall support on this issue and have made no progress. We have been using the appliance in the past with split tunnel enabled but, due to security requirements, we can no longer allow split tunnel. If we turn it off, remote users can access the internal resources we have configured, but cannot access anything on the Internet. It seems that we need to create a resource which is "anything" on the Internet, but we don't know how to do that. We don't see any kind of wildcard options. We have not given our users access to the "Any" resource. We need to specifically define the resources they have access to. We need an "Internet" resource and then we can give them access to that. Is this possible? Or is there some other way to approach this?

SonicWall support had us upgrade the firmware to 11.40-468 with the 708 hotfixes, but that did not create any options for resolving this requirement.
We're using a Cisco RV320 at one of our locations.
It's primarily used for two hardware VPNs using IPSec. Tunnel 1 goes to our hosted server (which has no issues) and Tunnel 2 goes to a Rogers hosted server.

Recently, the Rogers hosted server location changed their WAN IP. Therefore, I rebuilt Tunnel 2 to point to the new WAN IP and was able to establish the connection, and the tunnel went UP. All remote LAN IPs and IPSec protocols remained the same; the only change was the WAN IP.

Since this change, accessing remote server resources on Tunnel 2 is intermittent, i.e. in the morning it will be inaccessible, but for a few hours in the afternoon it will be accessible. During this whole time, VPN Tunnel 2 remains UP and doesn't go down; we just cannot communicate with the remote LAN IP.

I asked the Rogers tech to change back to the old remote WAN IP for testing. As soon as we changed back to the old remote WAN IP, all resources became available again. We then changed back to the new remote WAN IP and server resources once again became unavailable. During these VPN changes, I've made sure to reboot our Cisco RV320 numerous times as well as rebuild this tunnel.

In addition to this, we have 4 other locations with the same Cisco RV320 on the same firmware connecting to the old remote WAN IP of the Rogers hosted server. We briefly tested the remote WAN IP change on another router's Tunnel 2, and the same issue occurred as it did on the other one.

My …
The SonicWall OS is 5.x. This is just the base router, no extra licenses for IPS, malware etc. I recently set up L2TP VPN for a couple of users, using a long and complex pre-shared secret, and each has a very long and complex password. I have been blocking obvious attempts from IP addresses trying to access a webcam port, using the info I found on how to do that, but blocking an IP address from WAN doesn't seem to affect the efforts of a couple of outsiders trying to access via L2TP. I see the failed messages from the different stages, but they keep trying, and adding their IPs to my 'Blocked IPs' address object group has no effect.
I want to be able to deny them access to even try to authenticate and get them out of the logs, like blocking IP addresses.
Anyone savvy on the SonicWALL as to how to prevent attempted L2TP connections from undesired sources? Is there a way to create access rules to block from L2TP to ANY or LAN? We have the network on the X0 interface.
My understanding is there is a VPN access list on the SonicWALL, but it does not apply to L2TP.
Thank you!
Dear Experts,

mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key iocTOcioc address
crypto ipsec transform-set transet esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile vpn-profile
 set transform-set transet

I have these commands but they are not recognized on the ISR 4321. Are there alternate commands?
I have several Dell SonicWALLs in service, but with one of them, a TZ205 wireless-N, I can't remotely manage the SonicWall. I can connect to all computers at this remote location through a site-to-site VPN tunnel. If I connect to a PC behind that SonicWall, I can then connect to and manage the SonicWall. This is an extra step that I don't want to have to deal with.

I've compared settings to my other SonicWalls, but none are the exact same model. As far as I can tell everything is the same.

What am I missing?
I got a /23 public subnet from my provider with their gateway within that subnet, x.x.91.1/23. I configured my FW with an IP address from that subnet, x.x.90.1, and ping is allowed on the FW outside interface. I am trying to set up an IPSec VPN from this site back to HQ. From HQ and from my PC at home, I can ping their gateway x.x.91.1 but cannot ping x.x.90.1. I checked in a looking glass BGP table and that subnet is routable on the Internet.
They said that everything is configured correctly on their end and the issue is on my end. I am not sure I agree with them, but I am not sure how to validate my argument. Thanks
I have 2 Ubuntu servers, one at home and one on a remote server, and both are running Ubuntu Server 16.04.

I followed this guide to install and configure strongSwan: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html

It worked fine on my local server but not on the remote server; even when accessing my local server remotely it works just fine.

I am stuck. I'm not sure what I am doing wrong. Hoping someone on here can help. My host says that my Ubuntu install is mostly* stock with little to no mods, though I've noticed some file permissions were changed.

https://imlost.me/server.txt https://imlost.me/client.txt
I am trying to submit a form on the NYC (New York City) website and I get an error:

You are coming from an invalid URL. Your request will not be processed. Please go to www.nyc.gov
NYC.gov policy does not allow you to test online forms from remote servers or hard drives.

I tried IE, Chrome and Mozilla, all with the same results, except that in Mozilla when clicking submit I get a message:

The information you have entered on this page will be sent over an insecure connection and could be read by a third party and provides the following link https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox?redirectlocale=en-US&as=u&redirectslug=how-does-content-isnt-secure-affect-my-safety&utm_source=inproduct

It is not related to an antivirus program, since I uninstalled all of them and had the same result. I also tried from different locations and OSes.

Hey Guys,

Bit of a weird issue here.
I have a sonicwall TZ200, it is doing DHCP for the VPN users, it also does VPN for the LAN users.
This is a simple one subnet network and two interface firewall. 1 LAN and 1 WAN.

The strange thing is I have managed to get the VPN connecting for my test user; we are using Global VPN Client.
We are getting massive packet loss. I am pinging things on the LAN and losing like 75% of packets.
The funny thing is some are going through, but all have big lag attached.

Unsure of what the issue is really yet.
My first thoughts are to do the below.
1) Use a manual IP on the virtual adapter
2) Change the version of sonicwall global vpn client

I am using a Windows 10 laptop for my test user who is connecting.
We are reviewing our internet connectivity with a view to simplifying and improving performance and security. We currently have 3 sites with Cisco routers and ASA firewalls on-premise running IPSec between them, with remote user VPNs terminating on two of them. We are not running any additional services on the firewalls. We also run SIP trunks into one of the offices, which traverse to another. QoS is on the routers and on-premise switches. Voice works well.
We are still running many systems on prem and only have O365, no AWS/Azure yet.
We are looking at MPLS. Would this be a better fit? What about VPLS, SD-WAN or sticking with on-premise firewalls with IPsec?
Any suggestions would be great.
Hello All,

I found "IPsec (ESP) packet dropped" events in the attempts section in SonicWall GMS.
Can anyone help me resolve this issue?

Yogiraj Pattani
Hello EE,

Our VPN firewall blocks IPv6, so our Visual Studio debugger is failing to connect.
I wonder if anyone knows of a way in Visual Studio to turn off IPv6 and only use IPv4.
Does anyone know why the IPSec tunnel would show one-way encapsulation? This is typically a routing issue, but I checked the routing table and the remote network is there and it is sent to the tunnel interface.

I am attaching the screenshot.

TLDR: after a period of time, ARP from devices in a layer 2 connected VLAN quits registering on our SD-WAN edge device, stopping them from traversing that edge or being routed by that edge.

SD-WAN edge: VeloCloud Edge 540 (problem has persisted through numerous firmware revisions)
Cisco stack: 1 Cisco SG500X-48 and 5 Cisco SG500X-48Ps connected in a loop/chain stack configuration using SFP+ fiber connectors (also firmware updated more than once).

VC is the router/firewall SD-WAN with redundant internet connections that establishes edge-to-edge IPSEC tunnels and a tunnel to our internet gateway.
The Cisco stack connects 10 VLANs to the VC but is not doing any routing or firewall activities. The Cisco has 2 management IP interfaces in those VLANs (1 and 318); the rest are purely layer 2 connected.
Cisco interface to VC is set:
interface gigabitethernet1/1/8
 description VC-StackConnection
 switchport trunk allowed vlan add (necessary vlans)
 switchport default-vlan tagged (default-vlan being 1)

The VC is set:
Mode: Trunk
Drop Untagged

After an unspecified amount of time (2 weeks to 6 weeks) at our HQ location where the equipment is located, most or all of the devices in some of the layer 2 connected VLANs cannot communicate externally. Internal communication works as expected (same broadcast domain) for the most part. Sometimes…
I'm fairly new to VPN services so I don't really know what's happening and why.

I am trying to connect 3 remote sites to HQ using site-to-site VPN and have managed to get 2 working.
The 3rd one won't come online and I can't really figure out why. I have used the exact same config on all 3 routers (Vigor2925) for outbound connections (except for the local subnet, of course) and the same inbound settings on the HQ router (also a Vigor2925).

When I check the syslog on the remote site, it gives the following error:
[IPSEC][L2L][1:Wessem-Out][@WAN IP] IKE link timeout: state linking

On HQ I keep getting this one:
Responding to Main Mode from <WAN IP REMOTE SITE>
Accept Phase1 prorosals : ENCR OAKLEY_DES_CBC, HASH OAKLEY_MD5

Can someone maybe explain what I'm doing wrong?
Hi Guys

I need to find a way to allow the network to be reached from – networks. Given little documentation, I need the help to allow for communication between the networks, trying to achieve the below (sorry, I know it is sketchy) >>> PING >>>> >>> PING >>>> >>> PING >>>> >>> PING >>>>

The below is the .conf file I pulled from our OpenSwan 2.2.6; this .conf file is for our network (the network is similar):
conn ifly-pen
As you can see, leftsubnets allows for communication to the network from the network. However, in the network, when I ping the IP address I get no response; see Ping.png and Tracert.png.
Our OpenSwan IP is and it is a VM in AWS, you can see the above is routing through the (on the network, router), through to the but then goes …
Hello, I started to configure a pfSense, version 2.4.1. I want to know if it is possible to configure IPsec multi-WAN failover.

Has anyone had any experience configuring this? I have already configured dual-WAN failover on the pfSense.

I would like the VPN tunnel to be able to stay up if the WAN fails over.

Thanks in advance

Hi friends,

I'm getting very worried because a few days ago I posted the same doubt and have been editing the text to make it clearer, but I have no response from Experts Exchange or any other Expert (there are a lot of good ones here). I've been an Experts Exchange subscriber for over 5 years now, and never before have I been without the help of the experts. I do not understand why it was left in oblivion.

Well... lets get to the point...

Please, I need to connect a strongSwan VPN (my side) with another VPN software (other side), but the admin from the other side doesn't provide enough info, so I'm trying to figure out and troubleshoot this with trial and error, already for many days and with a lot of migraines.

They (the other side) provided me a PSK (OK), already configured in ipsec.secrets, and they also gave me the following instructions:

1st Phase (IKE V2)
DH 2 = 1024 bits
Lifetime = 1440m
2nd Phase (ESP)
PFS - DH 2 - 1024 bits
Lifetime = 3600s

My question is (please): how do I configure this specific connection, especially the ike and esp parameters? Is anything else needed in the configuration example below?

conn myside-otherside
Hi All,

We have two Cisco ASA 5505 firewalls that are running a site-to-site VPN; one is in China, the other is in the UK. The China ASA is the initiator.

This isn't something I set up; it was set up years ago and had been working perfectly until about 6 weeks ago, when one day it just stopped. If I try to ping a host from China to Manchester, I can see MM_WAIT_MSG2 on the China ASA and MM_WAIT_MSG3 on the UK side, but it never gets any further.

No config was changed; it simply stopped working one day. I'm fairly new to Cisco. I could see that the time was out on the China side, so I corrected this without success. Below is a snippet from each ASA that I think is relevant to the VPN. Can anyone offer any suggestions?

----- China ------

crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address VPNACL
crypto map VPNMAP 1 set peer 195.x.x.x
crypto map VPNMAP 1 set ikev1 transform-set VPN
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200

------ UK --------

crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address VPNACL
crypto map VPNMAP 1 set peer 202.x.x.x
crypto map VPNMAP 1 set ikev1 transform-set VPN
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
We have multiple branches and sites that are connected to the main data centre. As of now the WAN is protected (traffic is encrypted via IPSec). Objective: I want to make sure that all traffic is also encrypted when it leaves the host. There should be no gap (unencrypted data in motion), regardless of whether it is within the LAN or the WAN.
The concern from the network engineer is that if we implement host-to-host IPSec, it will be a tunnel within a tunnel, and it will decrease network performance.
How do we ensure all the traffic is encrypted? Are there any other available solutions?
I have several colleagues complaining that when they are on VPN and download something, the download stops at around 75 MB. It then gives a network error. Users can resume the download, but this again causes issues.

Is there a setting in Dell Sonicwall restricting this?

Pretty sure there is no GPO setup
I recently upgraded from a 5505 to a 5508 and, due to the new IOS, part of my configuration no longer works. We deal with a 3rd-party vendor that requires VPN traffic to come from a specific subnet, so I set up a policy NAT to mask our private IP. Here are both configurations. I am certain I missed something. Thoughts?

ASA Version 8.2(1)

access-list inside_nat2_outbound extended permit ip x.x.x.x
access-list inside_nat2_outbound extended permit ip x.x.x.x
access-list outside_7_cryptomap extended permit ip x.x.x.x
access-list outside_7_cryptomap extended permit ip x.x.x.x
access-list inside_nat10_outbound extended permit ip any any

global (outside) 2
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat2_outbound
nat (inside) 10 access-list inside_nat10_outbound

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer X.X.X.X
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group …
This applies to TLS as well as IPsec.

The purpose of the Diffie-Hellman key exchange is to agree on a shared secret without sending it on the wire. I have always believed that every DH session is unique, with random large primes. Is DH using the same numbers every time when connecting to the same peer/device/server?

The reason for my question is that I read that PFS (Perfect Forward Secrecy) is being used on top of DH to make sure that the key is unique for every session.

Why PFS when we have DH? Does not compute. :)
