Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

Share tech news, updates, or what's on your mind.

Sign up to Post

I wanted to test and eventually use our router's (PepLink Balance One) build in VPN server to access resources on the network for users.
After setting up the VPN server (in the router the feature is called Remote User Access) I choose L2TP with IPsec.
On the client side I used the Windows 10 built in VPN Connection option and after a few tweakings I succeeded in connecting to the server from an outside network.
The problem is that I could only connect to one share, using the file server's internal IP address 192.168.0.x. Cannot access (or ping) anything by the NetBIOS name.
Next step I changed the protocol to PPTP on the server and managed to connect with the client, however still not able to access resources, except by IP address \\<Internal IP address>\Share.
Just as a side note, we don't have a domain, just peer to peer.
0
Announcing the Winners!
LVL 13
Announcing the Winners!

The results are in for the 15th Annual Expert Awards! Congratulations to the winners, and thank you to everyone who participated in the nominations. We are so grateful for the valuable contributions experts make on a daily basis. Click to read more about this year’s recipients!

We have a site to site VPN tunnel which has been performing well for 4 years.  We are seeing increased traffic this week and are seeing select devices unable to reliably access the tunnel for periods of several minutes to several hours while other devices are able to connect across the tunnel.

The VPN tunnel is used to access a terminal server in a remote site using handheld computers running Windows CE.  We typcially have 12 devices deployed.  Currently we have 18 devices deployed for a 2 week project.

We are seeing that during peak times (more users connected to the RDP server) select devices will be unable to connect.  Pings from the affected device will range from 100% loss to 0%.  The ping failure rate fluctuates.  Users may sometimes connect to the RDP server for a few minutes before being disconnected again.

This problem seems to last between 10 - 120 minutes.

I have taken packet captures at the ASA and see that both ICMP and RDP packets are arriving on the inside interface - the portable computer having the problem is transmitting correctly.

My problem is how do I ensure the ASA is encapsulating these packets and sending them out the Outside interface reliably.  I have taken packet captures on the outside interface but do not know of a way to match these encapsulated packets up to those originating from the problem computer.

I have reviewed: Show crypto ipsec sa

 #pkts encaps: 9228711, #pkts encrypt: 9228711, #pkts digest: 9228711
      

Open in new window

0
I've just bought a DrayTek Vigor2620Ln (ADSL/VDSL router/firewall with backup WAN port and 4G LTE modem built in - UK version)

I want to be able to create a site-to-site (or LAN to LAN in DrayTek's terminology) VPN via an IPSec tunnel to a Netgear ProSafe firewall I have running at another site. Simultaneously I want to be able to access a L2TP VPN Server running on Windows 2012 RRAS (behind the DrayTek at primary site), via passthrough when I'm out and about.

Having created the site-to-site VPN with a few issues along the way, I have got it working. I have also got the L2TP VPN passthrough working so I can connect from my Windows laptop when away from the main network. HOWEVER, it seems impossible to get both working at the same time. For the site-to-site to work, I have to tick the 'Enable IPSec VPN Service' under the Remote Access Control settings on the Draytek. But once I do this, passthrough of the L2TP Windows VPN fails. If I untick, it is the other way around with the Site-to-site failing and the L2TP passthrough working.

I suspect someone out there will confirm DrayTek routers simply cannot both have a site to site and L2TP passthrough connection connected simultaneously (I momentarily achieved it once, on initial bootup). I appreciate both VPN types use IPSec, however every single Netgear and Linksys router I've owned and used to date has been able to do both simultaneously with zero problems. I'm hopeful I'm missing something, but fear I'm not and the …
0
hi both on same asa firewall - remote access vpn already in place

can i also add site to site  vpn? thanks
0
I have 13 IPSec VPNs that are set up and working on a VMWare NSX Edge. The remote sites are all Sophos XG Firewalls. They used to connect to a Sophos firewall. In the earlier scenario, there was a VPN to VPN rule that joined all the Sophos IP Sec connections together in a hub and spoke network design. One could see devices between Atlanta to Orlando, for example.

Now I have them all connected successfully to the VMWare NSX Edge firewall. I have 2 rules for each location on the NSX.  For example, NSX to Atlanta and the reciprocal Atlanta to NSX.

I'd like for traffic to be seen from one location, like Atlanta, through the NSX Edge to Orlando.
On each Sophos connection to the Edge, I've added the remote networks I'd like to add to the Edge connection.  
In the previous all Sophos configuration, at the "hub" Sophos, a rule of VPN to VPN was in place to make this happen.
But I think I'm missing something on the NSX Edge to allow for Atlanta to "see" Orlando.

I have added reciprocal rules of Atlanta to Orlando and vice versa on the NSX but that is not working.
0
Hi,
We have a VPN IP SEC between to ASA, the VPN works fine, but it loses connection a lot of times in a day, the underground network looks fine.

When we check log we find this message:
%ASA-session-7-710006: ESP request discarded from X TO Y
(you can check all the logs in the attached file)

Can you tell me what exactly this message means and how the problem can be fixed?
esp-disc.rtf
0
Hi Expert

good day

i having issue to export the IPSEC certifcation , i have try to follow the following steps;


# pk12util -o <certoutputname>.pfx -n <name of certifcate to be extracted> -d sql:/etc/ipsec.d
Enter password for PKCS12 file:
Re-enter password:

Question refer to the above, where can i find "<certoutputname.pfx>" and <name of certifcate to be extracted> ?

Many thanks
0
In a conversation in a get together last night, it was stated that if an outside person illegally connects to ones internet cable line (that is cut and attach to main line that connects to ones’  home), will be able to see everything one navigate to.  I understand that it doesn’t work like, by connecting to ones Wi-Fi they can spy on one, etc.   But the person said a bunch of tech words so I wanted to know what EE has to say.  Can a person by connecting to ones cable line have access to ones web access and see all?

Thank u.
0
I really dislike the json way to handle multiple public IPs on USG. The edgerouter has much more friendlier use with multiple IPs but the USG has more security features I'm into for my clients.  What is the best way to set up a ipsec site to site from outside to reach any of the USGPRO LAN# spaces when it sits behind another router (ER6P)

Site1 ---> ER6P (Internet) eth0 192.0.0.1/24 --- eth1 10.1.1.1/24 ----> USGPRO WAN 10.1.1.2/24 --- LAN1 10.10.1.1/24
Site2 ---> ER6P (Internet) eth0 192.2.2.1/24 --- eth1 10.2.2.1/24 ----> USGPRO WAN 10.2.2.2/24 --- LAN1 10.20.2.1/24

Currently right now I'm seeing the USGPRO WAN (10.1.1.2 or 10.2.2.2) when sourcing on either end of the tunnel instead of the real IP from their LAN#.  That not's good when needing to restrict IP's with multiple ipsec tunnels.
0
Dear Wizards, we are testing the VPN connection (L2TP/IPSec) from client Win10 PC to VPN Server (Synology). These are the settings:

L2TP.JPG
client.JPG
we tried to connect but could not, can you help?
0
Exploring ASP.NET Core: Fundamentals
LVL 13
Exploring ASP.NET Core: Fundamentals

Learn to build web apps and services, IoT apps, and mobile backends by covering the fundamentals of ASP.NET Core and  exploring the core foundations for app libraries.

hi i am seeking help with connecting to ipsec vpn
my vpn was working until i upgraded my macbook to High Sierra 10.13.14
now when i try to VPN i get this error "An unexpected error occurred, Try reconnecting if the problem continues verify the setting and contact your administrator"
i checked the ppp.log and the last date was May 8th with an error IPSec connection failed <IKE Error 65535 ()xFFFF) Unknown error>

nothing really is showing up in system.log when i try to connect to vpn


i have other MacBooks in my environment and they can connect via VPN, i reset the PR RAM and tried testing in verbose mode but stll same result

any help would be great-fully appreciated
0
I have a Fortigate 80D firewall, with FortiOS version 6.2.0, lately upgraded. The user remote access was configured using IPsec VPN, and handled by Forticlient. In previous versions, it was working without any problem. But now, users can connect, but can no more access network resources.
The only thing that was performed, was enabling IPv4 Split Tunnel.
I wonder what i can do to re-establish a correct connection using FortiClient
Thanks for help
0
I have a simple setup... I have enabled the draytek L2TP with IPsec VPN which works fine.

I have a server on site which i access using \\IP-MAINSERVER
The issue is that when I am off site and I VPN in, I cant access the server using \\IP-MAINSERVER, I have to use the IP address.

Why is this?
0
Hi
   
I would like to know your opinion on the following questions:
   
1)    What are the contras of the CVSS Scoring System, compared to many other systems?
2)    Where did you hit limits while working with CVSS Scoring System?
3)    What must be considered in which scenarios?

Thanks a lot for your feedback.
0
Hi Guys,

We have recently setup a 3 way VPN. one HQ and 2 Branches. 2 sites are configured with NBN and fibre 400. One site is with ADSL2+. IPsec VPN between NBN site and Fibre400 is working fine. But, the ADSL2+ site is showing that the VPN is configured and online but, not able to ping any IP either way. Any idea why?

Regards,

Ajoy
0
In an ISR at a client, they have a Cisco ISR with a VPN tunnel to a business partner. What I'm wondering is why they might have two peers
in sequence number 10 and one peer (which also appears in sequence 10) in the second sequence number. The original setter upper is
long gone. Is SEQ 10 saying try to connect to 169.45.97.62 but if you can't, connect to 169.45.95.222? If that's the case, why would there
be a need for a SEQ 20 which then again references 169.45.97.62? Any thoughts on what the original intent was are appreciated. I would
think you'd just want one peer in sequence 10 and then one peer in sequence 20. ?

crypto map ACMEDYNO 10 ipsec-isakmp
 set peer 169.45.97.62
 set peer 169.45.95.222
 set transform-set ACMEDYNO
 set pfs group2
 match address CRYPTO-ACMEDYNO-LA
crypto map ACMEDYNO 20 ipsec-isakmp
 set peer 169.45.107.62
 set transform-set ACMEDYNO
 set pfs group2
 match address CRYPTO-ACMEDYNO-DL
0
Hi,

TIA

I have 2 cisco routers which I am having problems VPNing between.

RV340W, firmware 1.0.02.16
IPSec Profiles
keying mode auto
ike version 1

Phose 1
DH Group 2 - 1024 bit
Encryption 3DES
Auth SHA1
SA lifetime 28800

Phase 2
Protocol Selection ESP
Encryption 3DES
Auth SHA1
SA Lifetime 28800
PFS enabled
DH Group 2 - 1024 bit

Site to Site
Enabled
IPSec Profile - points to above settings
int WAN1
Remote endpoint Static IP
remote IP entered

Remote IKE Auth Method
Pre-shared key, complexity disabled, 14 digit key enterd

Local Group Setup
Local Intendifier type - Local WAN  IP
Local ID - Local IP Address
Local IP Type - Subnet
IP address - *.*.*.0 (local subnet)
Subnet mask - 25.255.255.0

Remote Group Setup
Remote ID TYpe - Remote WAN IP
Remote ID - remote IP address
Remote IP Type - subnet
IP Address - *.*.*.0 (remote subnet IP)
subnet mask 255.255.255.0


2nd routers

Cisco RV180W

IKE Policy
Direction/type - both
exchange mode - main

Local
ID Type - Local WAN IP

Remote
ID Type - Remote WAN IP

IKE SA Parameters
Encryption algorithm 3DES
Auth Algorithm SHA1
Auth method  Pre Shared key
Pre shared key entered
DH Group 2 1024 bit
SA Lifetime 28800
Dead Peer Detection enabled
det period 10
reconnect after 3

Extended auth
none



VPN Policy

Policy type - auto
remote endpoint - ip address
remote ip entered
NetBIOS enabled

Local Traffice selection
local ip subnet
start address - …
0
In an environment in which two Smoothwalls are deployed, they are connected through an IPSec tunnel and all ports are open.  One separate Windows domain are deployed behind each Smoothwall for a total of 2 Domains.  A Domain trust has been established between the two domains and they say they are functioning fine, but users can't log into their AD accounts if they are behind the Smoothwall of the second Domain.  Functioning level is Windows Server 2003 it says and these are Windows Server 2008 R2 Domain controllers.  Does this trust need to be reestablished and functioning level raised?
0
Relationship between OWIN and OATH?

How do they relate?

Thanks
0
PMI ACP® Project Management
LVL 13
PMI ACP® Project Management

Prepare for the PMI Agile Certified Practitioner (PMI-ACP)® exam, which formally recognizes your knowledge of agile principles and your skill with agile techniques.

Token Based Authentication and the .NET Stack

What can you tell me about the built-in capabilities of .NET Stack to use Token Based Authentication  and also Token Based Authentication in general??
0
After upgrading ASA5520 (Main office) and ASA5505 (Remote office) from 8.2 to 8.4 (and attempting to re-learn NAT) the site to site VPN is no longer passing traffic. The IPSec tunnel is up. Fairly sure it have something to do with the changes in 8.2-8.4 but not sure what. Main office is on its own dedicated fiber DIA and remote office is on cable modem (bridged) with static IP.

Here is a parsed config showing the relevant bits from the remote office side:

ASA Version 8.4(3) 
!
interface Vlan1
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.0.254 255.255.255.0 
!
object network NAT-Inside
 subnet 0.0.0.0 0.0.0.0
object network Main-Office
 subnet 192.168.1.0 255.255.255.0
object network Remote-Office
 subnet 192.168.0.0 255.255.255.0
!
access-list outside_cryptomap extended permit ip object Remote-Office object Main-Office 
!
nat (inside,outside) source static Remote-Office Remote-Office destination static Main-Office Main-Office no-proxy-arp route-lookup
!
object network NAT-Inside
 nat (inside,outside) dynamic interface
!
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 209.69.xxx.xxx 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 

Open in new window

0
Have anyone used Colortokens https://colortokens.com/
what do the do exactly and what do they do for data center and endpoint security?
0
Updating my domain (on GoDaddy) to NOT point to my site

I guess I have two options, point it to a broken IP address, at which point GoDaddy will display a "URL not found" type of error.

Another is to point at their default "Coming Soon" website.

I think I prefer the broken URL option.

How do I make my domain to point to nothing?

Thanks
0
Digital Certificates have been a mystery to me.  I am starting to understand them better with more exposure to them; but....

 I want to understand how I can associate w Domain name for my work's Wireless Controller (Wlan.Company.com) with the new Wireless controller?  Right now my manager uploaded something to the Wireless controller so I can type https://City.Wlan.company.com and arrive to the Wireless controller's administrator web page.

The same wireless controller provides a captive portal for Guest WiFi.  The Guest WiFi web portal currently shows https://Controller_IP_Address/cgi...welcome?  I would like to have the Domain_Name = Wlan/Company.com    show up in the web address instead of the Controller's IP address.

How can we make this happen?  I think we have a digital certificate; but, I think it is something that we created at the company.
0
Example of Web Tokens

I am sure I have worked with these, but please give an overview.

Also, it would great if you could also include a .NET perspective

Thanks.
0

Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

Top Experts In
Internet Protocol Security
<
Monthly
>