Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

Share tech news, updates, or what's on your mind.

Sign up to Post

I need a combination of best practices and a description of how the underlying exploitations of cross site scripting attacks work.

I have a domain that is spread out over 15 plus offices scattered around the globe.  All the offices have IPSec connectivity back into Corporate.  Each of the satellite offices has a domain controller onsite.   My problem is this.   When I do a nslookup from our corporate site to, or attempt to ping or resolve from corporate, I am getting routed to any of the other domain controllers and not specifically to the ones located on my site.    This is also happening on my other sites.   For example, in Australia, where I have a DC and DNS server, I get resolution to other offices when referencing the domain.    What I want is when I am in an office is for the system to resolve the domain to the local servers first and only pass  to another location should the local devices be unavailable.   We have setup this in sites and services and thought we had it, but DNS just isn't cooperating.

I had created a SITE to SITE VPN between a PFSENSE anda Sonic Wall TZ400.The VPN is up no problem. The only thing is that I cannot open ressources like folders, rdp or ping from one side to another. Anybody knows where I should look to fix this issu?

I've got single person in an office location who needs to access a lob application at site A and a different lob application at site B via RDP.

Site A and B don't need to communicate with one another.  

What would the most efficient and cost effective way to be to accomplish this, preferably using Sonicwall equipment?
We're using a Cisco RV320 at one of our locations.
It's primarily used for two Hardware VPN's using IPSec.  Tunnel 1 goes to our hosted server (which has no issues) and Tunnel 2 goes to a Rogers hosted server.

Recently, the Rogers hosted server location changed their WAN IP.  Therefore, I rebuilt Tunnel 2 to point to the new WAN IP and was able to establish the connection and the Tunnel went UP.  All remote LAN IP's and IPSec protocols remained the same, the only change was the WAN IP.

Since this change, accessing remote server resources on Tunnel 2 is intermittent.  i.e in the morning it will be inaccessible, but a few hours in the afternoon it will be accessible  During this whole time, VPN Tunnel 2 remains UP and doesn't go down, we just cannot communicate with the Remote LAN IP....

I asked the Rogers tech to change back to the old Remote WAN IP for testing.  As soon as we changed back to the old Remote WAN IP, all resources became available again.....  We then changed back to the new Remote WAN IP and server resources once again became unavailable.  During these VPN changes, I've made sure to reboot our Cisco RV320 numerous time's as well as rebuilt this tunnel.

In addition to this, we have 4 other locations with the same Cisco RV320 on the same firmware connecting to the old Remote WAN IP of the Rogers hosted server.  We briefly tested the remote WAN IP change on another router's Tunnel 2, and the same issue occurred as it did on the other one.

My …
The Sonicwall OS is 5.x. This is just the base router, no extra licenses for IPS, malware etc... I recently setup L2TP VPN for a couple users - using long and complex Pre-shared secret and each have a very long and complex password... I have been blocking obvious attempts from just IP addresses trying to access a webcam port using the info I found on how to do that - but blocking an IP address from WAN  - doesn't seem to affect efforts of a couple outsiders trying to access via L2TP - I see the failed messages from the different stages... but they keep trying - and added their IPs to my 'Blocked IPs' address object group has no effect.
I want to be able to deny them access to even try to authenticate and get them out of the logs - like blocking IP addresses.
Anyone savvy on the SonicWALL as to how to prevent attempted L2TP connections from undesired sources? Is there a way to create access rules to block from L2TP to ANY or LAN, we have the network on the X0 interface.
My understanding is there is a VPN access list on the SonicWALL - but it does not apply to L2TP.
Thank you!
Dear Experts,

mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key iocTOcioc address
crypto ipsec transform-set transet esp-3des esp-md5-hmac
 mode transport
crypto ipsec profile vpn-profile
 set transform-set transet

I have these commands but they are not recognize for the ISR 4321, are there alternate commands?
I have several Dell SonicWALL's in service but with one of them,  a TZ205 wireless-N, I can't remotely manage the Sonicwall.  I can connect to all computers at this remote location from a VPN tunnel, Site to Site.  If I connect to a PC behind that SonicWall I can then connect and manage the SonicWall.  This is an extra step that I don't want to have to deal with.

I've compared settings to my other SonicWalls's but none are the exact same model.  As far as I can tell everything is the same.

What am I missing?
I got a /23 public subnet from my provider with their gateway within that subnet x.x.91.1/23. I configured my FW with an IP address from that subnet x.x.90.1 and ping is allowed on the FW outside interface, I am trying to setup a IPSec vpn from this site back to the HQ. From HQ and my PC at home, I can ping their gateway x.x.91.1 but cannot ping  x.x.90.1. I checked in looking glass bgp table and that subnet is routable on the Internet.
They said that everything is configured correctly on their end and the issue is from my end. I am not sure I agree with them but I am not sure how to validate my argument. Thanks
I am trying to submit a form on nyc (New York City) website I get a error

You are coming from an invalid URL. Your request will not be processed. Please go to policy does not allow you to test online forms from remote servers or hard drives.

I tried IE Chrome and  Mozilla all the same results, except that in Mozilla when clicking submit I get a msg

The information you have entered on this page will be sent over an insecure connection and could be read by a third party and provides the following link

It is not related to a antivirus  program since I uninstalled all and had the same result. also tried from different locations and OS
Hey Guys,

Bit of a weird issue here.
I have a sonicwall TZ200, it is doing DHCP for the VPN users, it also does VPN for the LAN users.
This is a simple one subnet network and two interface firewall. 1 LAN and 1 WAN.

Strange thing is I have managed to get the VPN connecting for my test user, we are using global vpn client.
We are getting massive packet loss, I am pinging things on the lan and losing like 75% of packets.
Funny thing is some are going through, but all have big lag attached.

Unsure of what the issue is really yet.
My first thoughts are to do the below.
1) Use a manual IP on the virtual adapter
2) Change the version of sonicwall global vpn client

Am using a windows 10 laptop for my test user who is connecting.
We are reviewing our internet connectivity to a view of simplifying and improving performance and security.  We currently have 3 sites with Cisco routers and ASA firewalls on-premise running IPSec between them, with remote user VPNs terminating on two of them.  We are not running any additional services on the firewalls.  We also run SIP trunks into one of the offices which traverses to another.  QoS on the routers and on-premise switches.  Voice works well.
Still running many systems on prem and only have o365, no AWS/Azure yet..
We are looking at MPLS.  Would this be a better fit?  What about VPLS, SDWan or sticking with on-premise firewalls with IPsec?  
Any suggestions would be great.  
Hello All,

I found "IPsec (ESP) packet dropped" events in attempts section in Sonicwall GMS.
Can anyone help me to resolve this issue.

Yogiraj Pattani
Hello EE,

Our VPN firewall prevents ipV6 (blocks) so our Visual Studio debugger is failing to connect.
I wonder if anyone knows of a way in Visual Studio to turn off ipV6 and only use IPv4.
Does anyone know why the IPSec tunnel would show one way encapsulation? This is typically a routing issue but I checked the routing table and the remote network is there and it is send to the tunnel interface.

I am attaching the screenshot.

TLDR:  after a period of time ARP from  devices in a layer 2 connected VLAN quit registering on our SD-WAN edge device, stopping them from traversing that edge or being routed by that edge.

SD-WAN edge:  Velocloud Edge 540 (problem has persisted through numerous firmware revisions)
Cisco Stack:  1 Cisco SG500X-48 and 5 Cisco SG500X-48P’s connected loop/chain stack configuration using SFP+ fiber connectors. (also firmware updated more than once).

VC is the router/firewall SD-WAN with redundant internet connections that establishes edge to edge IPSEC tunnels and tunnel to our internet gateway.
The Cisco stack connects 10 VLAN’s to the VC but is not doing any routing or firewall activities.  The Cisco has 2 management IP interfaces in those VLANS (1 and 318), the rest are purely layer 2 connected.
Cisco interface to VC is set:
interface gigabitethernet1/1/8
 description VC-StackConnection
 switchport trunk allowed vlan add (necessary vlans)
 switchport default-vlan tagged (default-vlan being 1)

The VC is set:
Mode: Trunk
Drop Untagged

After an unspecified amount of time (2 weeks to 6 weeks) at our HQ location where the equipment is located, most or all of the devices in some of the layer 2 connected VLAN’s cannot communicate externally.   Internal communication work as expected (same broadcast domain) for the most part.   Sometimes…
I'm fairly new to VPN services so I don't really know what's happening and why.

I am trying to connect 3 remote sites to HQ by using site-to-site VPN and have managed to get 2 working.
The 3th one won't come online and I cant really figure out why, I have used the exact same config on all 3 routers (Vigor2925) for Outbound connections (except for local subnet ofcourse) and the same inboud settings for HQ router (also Vigor2925).

When I check the syslog on the remote site, it gives the following error:
[IPSEC][L2L][1:Wessem-Out][@WAN IP] IKE link timeout: state linking

On HQ I keep getting this one:
Responding to Main Mode from <WAN IP REMOTE SITE>
Accept Phase1 prorosals : ENCR OAKLEY_DES_CBC, HASH OAKLEY_MD5

Can someone maybe explain what im doing wrong??
Hi Guys

I need to find a way to allow the network to be reached from – networks. Given little documentation, I need the help to allow for communication between the networks, trying to achieve the below (sorry, I know it is sketchy) >>> PING >>>> >>> PING >>>> >>> PING >>>> >>> PING >>>>

The below is .conf file I pulled from our OpenSwan 2.2.6, this .conf file is for our network (the network is similar)
conn ifly-pen
You can see, the leftsubnets allows for communication to the network from the network. However, in the network, when I ping the IP address I get no response, see Ping.png and Tracert.png
Our OpenSwan IP is and it is a VM in AWS, you can see the above is routing through the (on the network, router), through to the but then goes …
Hi friends,

I'm getting very worried because a few days ago I've been posting the same doubt and editing the text to make it clearer, but I have no response from the Experts Exchange or any other Expert (there's a lot of good ones here)... I've been a Experts Exchange subscriber for over 5 years now... and never before have I been without the help of the experts ... I do not understand why it was left in oblivion.

Well... lets get to the point...

Please, I need to connect a strongswan VPN (my side) with another VPN software (other side) but the admin from "the other side doesn't provides enough info... so I'm trying to figure out and troubleshoot this with trial and error... already for many days and a lot of migraines...

They (the other side) provide me a PSK (OK)... already configured in ipsec.secrets and they also gave me the following instructions:  

1st Phase (IKE V2)                                          
DH 2 = 1024 bits                                           
Lifetime = 1440m                                           
2nd Phase (ESP)                                          
PFS - DH 2 - 1024 bits                                          
Lifetime = 3600s

My question is (please): how do I configure this specific connection? especially the parameters ike and esp; anything else is needed in the configuration example below?

conn myside-otherside
I have several colleagues complaining that when they are on VPN - when they download something - the download stop in around 75mb.  It then gives a network error.  Users can resume the download - but again causing issues.

Is there a setting in Dell Sonicwall restricting this?

Pretty sure there is no GPO setup
I recently upgraded from a 5505 to a 5508 and due to the new IOS, part of my configuration no longer works. We deal with a 3rd party vendor that requires VPN traffic to come from a specific subnet. So I setup a policy NAT to mask our private IP. Here are both configurations. I am certain I missed something. Thoughts?

ASA Version 8.2(1)

access-list inside_nat2_outbound extended permit ip x.x.x.x
access-list inside_nat2_outbound extended permit ip x.x.x.x
access-list outside_7_cryptomap extended permit ip x.x.x.x
access-list outside_7_cryptomap extended permit ip x.x.x.x
access-list inside_nat10_outbound extended permit ip any any

global (outside) 2
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat2_outbound
nat (inside) 10 access-list inside_nat10_outbound

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer X.X.X.X
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group …
This applies to TLS as well ass IPSec.

The purpose of the Diffie Hellman key exchange is to agree on a shared secret without sending it on the wire. I have always believed that every DH-session is unique with random large primes. Is DH using the same numbers every time when conneting to the same peer/device/server?

The reason for my question is that I read that PFS (Perfect Forward Secrecy) is being used on top of DH to make sure that the key is unique for every session.

Why PFS when we have DH? Does not compute. :)
It should satisfy the following conditions:
1. Capable of 75Mbs bandwidth
2. Up to 25 users
3. Its VPN client must flawlessly work on all client machines including Linux and all modern Windows versions.
4. Costs less that $500

Currently we use a Sonicwall TZ170, its maximum bandwidth is just 25Mbs
If I configure sonic wall tz300 to get WAN ip from Comcast GW DHCP, will I still be able to configure the VPN for remote access?   I am mulling several different topologies, and if this could work this seems like the easiest way.
I have a load balancer with a public VIP. The partner can only get the site if they ignore that they perceive the site as unsafe.
I’m fairly the certain my very is valid because other VIPs use it. What are some reasons a client might not trust the cert? Brain storming question.

Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.