Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


I have several colleagues complaining that when they are on VPN and download something, the download stops at around 75mb. It then gives a network error. Users can resume the download, but this again causes issues.

Is there a setting in Dell SonicWall restricting this?

Pretty sure there is no GPO set up.
I recently upgraded from a 5505 to a 5508 and due to the new IOS, part of my configuration no longer works. We deal with a 3rd-party vendor that requires VPN traffic to come from a specific subnet, so I set up a policy NAT to mask our private IP. Here are both configurations. I am certain I missed something. Thoughts?

ASA Version 8.2(1)

access-list inside_nat2_outbound extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list inside_nat2_outbound extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list inside_nat10_outbound extended permit ip any any

global (outside) 2 10.224.166.112
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat2_outbound
nat (inside) 10 access-list inside_nat10_outbound

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer X.X.X.X
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group …
This applies to TLS as well as IPsec.

The purpose of the Diffie-Hellman key exchange is to agree on a shared secret without sending it on the wire. I have always believed that every DH session is unique, with random large primes. Is DH using the same numbers every time when connecting to the same peer/device/server?

The reason for my question is that I read that PFS (Perfect Forward Secrecy) is being used on top of DH to make sure that the key is unique for every session.

Why PFS when we have DH? Does not compute. :)
It should satisfy the following conditions:
1. Capable of 75Mbs bandwidth
2. Up to 25 users
3. Its VPN client must work flawlessly on all client machines, including Linux and all modern Windows versions.
4. Costs less than $500

Currently we use a SonicWall TZ170; its maximum bandwidth is just 25Mbs.
If I configure a SonicWall TZ300 to get its WAN IP from the Comcast gateway via DHCP, will I still be able to configure the VPN for remote access? I am mulling several different topologies, and if this could work it seems like the easiest way.
I have a load balancer with a public VIP. The partner can only get to the site if they ignore the indication that the site is unsafe.
I'm fairly certain my cert is valid because other VIPs use it. What are some reasons a client might not trust the cert? Brainstorming question.
My issue is that we set some cookies, using JS, with a 1-year expiration, and that particular cookie didn't have the secure flag set. We now want to update the cookies to have the secure flag set. The code that creates the cookies now has the "secure" attribute and all new cookies have the "secure" flag. The issue is: how do I update existing cookies? I'm assuming I have to destroy the cookie and then recreate it with the secure flag set? I don't know if there is any other way to do this. Also, is there a way using JavaScript to detect whether the cookie has the flag set before deleting it?

Thanks!
We have ten gigabit interfaces. How much tunneled traffic would the device be able to push?
Visited a client site and ran various "my IP address" sites to determine what external IP address the provider assigned. Noticed that each device returned a different value. For example, their phone and their tablet gave different values where the last segment changed (xxx.xxx.xxx.19 and xxx.xxx.xxx.20), yet when we ran it on our device it gave a completely different value in all segments.

We understand that the internet provider assigns the cable modem or location a single dynamic external IP. The location router manages a totally different internal IP range and assigns an address to each device connecting to the wifi or router within the location. Thus the cable modem has 1 IP address and the devices within the location have different IP addresses.

Why would the "my IP address" website display a different IP address on each device connected to the same wifi?
Goal: Allow a user to connect to his desktop computer with RDP ONLY after connecting to the VPN.

Environment: OPNsense/pfSense firewall
53, 25, 80, 443 allowed through firewall.
Currently can successfully RDP with or without VPN using port forwarding; I suspect traffic is hitting the FW on the public interface/public static IP and not the desired private IP range allocated to VPN connections.

User successfully connects to the VPN and receives an IP, but can't access local resources.
The client-side VPN registers an IP address and the FW sees the connection; it just doesn't seem to allow traffic from the VPN to the local network.

The IP range assigned to VPN connections is 10.; the local IP range is 192.

Help
My son's computer keeps having internet connection issues.

- Is playing on a Minecraft server / Minecraft client

Sometimes these apps are also open:
- Twitch
- Discord

He is playing on a Minecraft server and begins to experience lag more and more frequently before the crash.
Is there any way to track down the culprit? We could assume that it is not enough RAM and go buy more RAM, and then the problem happens again and we are no better off.

I am looking for a way to gather information that can help tell us what thing(s) is causing the problem(s).

sys info 2systxt.txt
Hi everyone,

I am facing problems configuring my domain. For users' internet permissions I have used hosts files, but that is not enough for me. What is the suitable way to configure URLs?

What about firewalls? What is the best firewall for filtering URLs?

Looking forward to a reply, urgent.

Thanks
Asad
IT student
Hello
We have an IPsec VPN solution for a small number of sites. Our users remote into two of the sites via IPsec VPN too.
We are going to move supplier and are looking at moving from IPsec to MPLS. We will look to migrate to AWS and/or move CRM out to other providers. We will also be moving from our on-prem phone system to a cloud solution.
Has anyone got any recommendations around security, performance, limitations etc. of each?
Thanks
Is there a way to find out who owns a domain even if they have domain Privacy added to their site?
VPN literally just stopped working for all of our users. No changes that I am aware of. Simple MS VPN connection to a VPN server.

Server-side error:
VPN2-112: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.
PC/workstation off-network connection error:
Error 619: A connection to the remote computer could not be established, so the port for this connection was closed.

Server-side:
Windows Firewall and anything that could be blocking is off. I see the users hit the network via Firepower, but then the "Error 619".
If I truly need to provide them with a workstation cert, how do I go about doing this efficiently for several people?

TIA
Hi All,

I'm running an ASR 1000 with version XE 3.13.01.S (15.4(3)S1). Does it support SHA256 and AES256 for IKEv1? I know it does for IKEv2, but I am not sure about IKEv1, both phase 1 and phase 2.
Here is what I found on a Cisco website: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html

"Support for the NGE control plane (ECDH and ECDSA) has been introduced with Version XE3.7 (15.2(4)S). Initial control plane SHA-2 support was for IKEv2 only, with IKEv1 support added in Version XE3.10 (15.3(3)S). AES-GCM-128 and AES-GCM-256 encryption algorithms have been supported for IKEv2 control plane protection since Version XE3.12 (15.4(2)S) and 15.4(2)T. NGE dataplane support was added in Version XE3.8 (15.3(1)S) for Octeon based platforms only (ASR1001-X, ASR1002-X, ESP-100, and ESP-200); dataplane support is not available for other ASR platforms."

What's the difference between data plane support and control plane support?

Thanks and kind regards.
Very strange: this morning when I turned on the computer I got a message that Malwarebytes (I have the Pro version) had been turned off. When I turned it on, the option "Protection against malicious code" was switched off, and I cannot switch it on! All other options are selectable and can be switched on, but not this one.

Last time I was in Manila I had similar problems with strange things happening. Then when I left the problems disappeared. And most often here in Manila I get warnings when connecting to the hotel wifi about insecure network or dangerous connection.

All kinds of small problems since 2 days when suddenly I got this problem with the message "Waiting for proxy tunnel" in Google Chrome and "TLS handshake" in Mozilla Firefox:

https://www.experts-exchange.com/questions/29058931/How-should-I-get-rid-of-the-message-Waiting-for-Proxy-Tunnel-in-Google-Chrome.html

Other problems: Cannot use the Google API any longer for connecting to the Google Translate API for my CAT tool. Cannot switch input language any longer. Cannot run Windows Update any longer:

https://www.experts-exchange.com/questions/29058918/Why-do-I-get-Windows-could-not-search-for-new-updates-in-my-Windows-7-Home-when-checking-for-updates.html

Other problems (continued):

Takes ages to save a text document or other document ("Not responding").
"Google has authentication problems" when logged in to Gmail.

Etc. etc. (new issues coming up all the time).
After I've configured the device I can't get out to the internet from any of the PCs. I can access the 5505 from an outside computer and can configure it via the ASDM, so I'm not sure what the problem is. Can someone verify my config below?

ASA Version 8.3(1)
!
hostname ciscoasa
enable password OlOxQ1nyrZ49h6MK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object network SCETI
 subnet 172.172.128.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object SCETI
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host 192.168.2.100 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source …
I need to look at a website. It is not a pentest itself. Just a vulnerability scan. What tools could I use to generate a complete report?
I also need to generate a less technical report.
Hello,

We use an RDP session through a VPN tunnel to connect to our hosted software out of state.

We constantly experience latency through all of our VPN tunnels. I can run a constant ping from our hosted provider back to our environment to get a small picture of how bad the ping response times are.

The ping times will be consistent for a little while, hovering at 55ms - 67ms, and then we will see "request timed out" multiple times and then ping times will rise. It seems like the ping times fluctuate a lot (I assume they would, as the signal is traveling through multiple possible connections).

When ping times are at 55ms or less everything seems fine. However, when it goes up from there, end users report latency.

We are not hard-lined to our ISP as everything is wireless. Our internet pipe should be sufficient at all locations, as we have spoken with our ISP and we do not hit the high-water mark on our bandwidth, only rare spikes at the main site.

We are not hitting the high-water mark on bandwidth usage at any of our other sites. Is there a good piece of enterprise-level software that one could use to help get a clearer picture of where the issue occurs?

What kind of architectural questions should we be presenting to our ISP? To our hosted provider?

1. Is your VPN server over-utilized?
2?
I need a web service to remain secret and would use Cloudflare or a similar technology to prevent DDoS attacks. Aside from DDoS, what other types of attacks are possible?

I assume my web service domain would be totally hidden, but need to be sure there is no other known threat to it.

Thanks
What options are there to protect a web service from a DOS attack?

IF the web service were accessed only by my Objective-C iPhone application, and nowhere else, is this web service protected by the "security through obscurity" model? Or, can hackers crack open the source code of the iPhone app, like Apple can?

What about if I put the URL to the web service into the SQLite database and encrypted the Path?

So, when my app needs to request information from the web service, it does a DB lookup in the SQLite database for the path to the web service. When it gets it, it decrypts it. Then, using a variable (in memory) only, it makes the web service call.

Does this protect from a DOS attack to that web service call?

Are there easier ways?

Will this work in Java for Android?

What about on my website?

Thanks.
It seems Sky have changed their email servers to Yahoo and, with it, changed the security settings. Until the other day all was working OK, but then email stopped arriving. Sky deny all knowledge, but from a conversation I had with their support team about another client I've been working with, and research I've done on the Internet, it seems that the Sky incoming email servers have changed.
For IMAP it was imap.tools.sky.com and is now imap.mail.yahoo.com
For POP it was pop.tools.sky.com and is now pop.mail.yahoo.com

My client is using POP mail with Outlook 2010 so I have changed the server to pop.mail.yahoo.com and set port 995 and SSL=Yes but it still won't connect. Outgoing email is OK using the same username and password as incoming so that verifies the credentials. (I can also login to sky.com using the credentials).

Is there something I've missed?
Can loved ones or family members see my credit report if I put a security freeze on it?
Hi Sir,

I would like to ask for your help with the problem listed below:

[Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xccb797a8) not found (maybe expired)

Hoping that you can help me resolve this matter.


Thank you in advance.