Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

What is the importance of this message?
What should I be concerned about? Or when should I be concerned about this?
We recently converted our site to be a secure site and it works--for the most part. But many visitors are getting messages about installing certificates or being denied access. From a Mac Chrome user:

"403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied."

From an Android Chrome user:

"No certificates found. Chrome has requested a certificate. Agreeing to this request will allow the application to use this certificate with servers from now on. The requested server has been recognized as Only agree to this request if you trust the application. You can install certificates from a ..."

I thought making a site secure (HTTPS) was supposed to just affect the communication between the browser and the server, and that the browser hid all this security stuff from the user and only indicated to the user that the site was secure. What are we doing/not doing that is putting these prompts and issues in the user's face?

The site is


A client has an IPSec VPN that uses UDP ports 500, 1701 and 4500

Is it possible to capture the packets that are sent in response? Are they sent to the same port numbers, by any chance?
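What such a capture contains, and why the replies normally come back on the same ports, is easiest to see by decoding the datagrams. The following is an added example written for this page, not code from the post: it classifies UDP datagrams on 500, 4500 and 1701 by port and payload shape using the fixed IKE header (RFC 2408/7296), the NAT-T rules of RFC 3948 (a lone 0xFF byte is a keepalive, a four-zero-byte marker precedes IKE, anything else is ESP whose SPI is never zero) and the L2TP header of RFC 2661. The sample datagrams at the bottom are constructed, including the SPI value, and are not captured traffic.

```python
"""Classify the UDP datagrams of an IPsec (and L2TP-over-IPsec) VPN by port and payload.

Added example; it is not part of the original post. IKE answers 500 -> 500, NAT-T
traffic (IKE and ESP alike) 4500 -> 4500, L2TP 1701 -> 1701; only a NAT device in
the path rewrites the source port. Sample datagrams below are constructed.
"""
import struct

IKE_PORT, NAT_T_PORT, L2TP_PORT = 500, 4500, 1701

# Exchange types from the ISAKMP/IKEv1 and IKEv2 header (RFC 2408, 2409, 7296).
EXCHANGE_TYPES = {
    2: "IKEv1 main mode", 4: "IKEv1 aggressive mode", 5: "IKEv1 informational",
    32: "IKEv1 quick mode", 34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}


def parse_ike_header(data):
    """Decode the fixed 28-byte header that IKEv1 and IKEv2 share."""
    if len(data) < 28:
        return None
    ispi, rspi, _next_payload, version, exch, flags, msg_id, length = struct.unpack(
        "!QQBBBBII", data[:28])
    return {
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "initiator_spi": f"{ispi:016x}",
        "responder_spi": f"{rspi:016x}",   # all zeros in the very first message
        "flags": flags,
        "message_id": msg_id,
        "declared_length": length,
    }


def classify(src_port, dst_port, payload):
    """Return a short description of one UDP datagram seen on the VPN ports."""
    ports = {src_port, dst_port}
    if IKE_PORT in ports:
        hdr = parse_ike_header(payload)
        return {"kind": "IKE", **hdr} if hdr else {"kind": "malformed IKE"}
    if NAT_T_PORT in ports:
        # RFC 3948: a single 0xFF byte is a NAT keepalive; four zero bytes (the
        # non-ESP marker) precede IKE; anything else is ESP, whose SPI is never 0.
        if payload == b"\xff":
            return {"kind": "NAT-T keepalive"}
        if payload[:4] == b"\x00\x00\x00\x00":
            hdr = parse_ike_header(payload[4:])
            return {"kind": "IKE over NAT-T", **hdr} if hdr else {"kind": "malformed IKE"}
        if len(payload) >= 8:
            spi, seq = struct.unpack("!II", payload[:8])
            return {"kind": "ESP over NAT-T", "spi": f"{spi:08x}", "seq": seq}
        return {"kind": "malformed NAT-T"}
    if L2TP_PORT in ports and len(payload) >= 2:
        # RFC 2661: the T bit (0x8000) marks a control message; low nibble is version 2.
        # Cleartext L2TP is only visible here when it is NOT riding inside ESP.
        flags_ver = struct.unpack("!H", payload[:2])[0]
        if (flags_ver & 0x000F) != 2:
            return {"kind": "not L2TP"}
        return {"kind": "L2TP control" if flags_ver & 0x8000 else "L2TP data"}
    return {"kind": "unclassified"}


def ike_header(ispi, rspi, exch, version=0x10, flags=0, msg_id=0, body=b""):
    """Build a header-only IKE message (next payload 1 = SA) for the samples below."""
    return struct.pack("!QQBBBBII", ispi, rspi, 1, version, exch, flags, msg_id, 28 + len(body)) + body


# Constructed sample traffic for a client behind NAT: IKEv1 main mode on 500,
# then quick mode, ESP and keepalives on 4500 after NAT-T detection.
SAMPLES = [
    (500, 500, ike_header(0x1122334455667788, 0, 2)),
    (500, 500, ike_header(0x1122334455667788, 0x99AABBCCDDEEFF00, 2)),
    (4500, 4500, b"\x00\x00\x00\x00" + ike_header(0x1122334455667788, 0x99AABBCCDDEEFF00, 32)),
    (4500, 4500, struct.pack("!II", 0xEC0058AA, 1) + b"\x00" * 16),
    (4500, 4500, b"\xff"),
    (1701, 1701, b"\xc8\x02" + b"\x00" * 10),
]


def classify_samples(samples=SAMPLES):
    return [classify(s, d, p)["kind"] for s, d, p in samples]


if __name__ == "__main__":
    for (s, d, p), kind in zip(SAMPLES, classify_samples()):
        print(f"udp {s:>5} -> {d:<5} {kind}")
```

To use it on a real capture, feed each UDP datagram's ports and payload to `classify`; a practical check is that for an L2TP/IPsec client no cleartext 1701 should appear on the outside interface at all, since L2TP is supposed to travel inside ESP.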

I have a remote situation where we have 65 small retail stores and 4 regional offices all connected via IPSec tunnel back to the corporate data center.  Everything is working great.  What I am looking to do is re-configure the Corporate ASA just to make the code easier to manage and even read.

However, the Cisco ASA IOS is not doing what I want to do in handling objects, and it may be that it just will not work.  What I want to do is use objects to create a single VPN "match address" in the crypto map definition and then just have it search through the IPsec "peers" listed in the crypto map set peer command to find the correct peer and establish the tunnel.

Here is a small code example of what is WORKING, and below that is what I want to do, which is not working.
object network GKY-CORP-LAN
 description This is the Corporate Data Center
object network GKY-BGRO-LAN
 description This is the Regional Office
object network GKY-TVILLERD
object network GKY-NORTHFIELD
object-group network GKY-STORES
 network-object object GKY-TVILLERD
 network-object object GKY-NORTHFIELD
object-group network IPSec-Sites
 network-object object GKY-BGRO-LAN
 group-object GKY-STORES

access-list VPN_GKY-BGRO-LAN extended permit ip object GKY-CORP-LAN object GKY-BGRO-LAN
access-list VPN_GKY-TVILLERD extended permit ip object GKY-CORP-LAN object-group …
I use Mac Safari but could switch to Chrome.

What is Incognito mode? What browsers support that?

Are there other search engines I can use?

Any downsides to browsing in the dark?


Looking for recommendations on web content/filtering/security solution, either hardware or in the cloud with minimal management required on it

Thanks in advance
We have a remote site, which is currently using pfSense as its firewall.  There is one static IP; the ISP isn't able to add additional IPs without changing the IP range, no surprise there.  This site is owned and operated by a vendor and they are not willing to move IPs since it will require a reconfiguration of their network.  The owner is already using IPSec to connect that office back to its main office.

We have some computer equipment in the remote office and would like to upgrade our network equipment and ideally would like to use IPSec.  While I could move IPSec to another port, the issue is with GRE, as there isn't any real port used.

Are there ways to configure multiple GRE/IPSec tunnels over the same Static IP with different physical hardware?
If so, how?
If not, what are my options?

For our equipment I'm using a MikroTik CCR1016-12G

Thanks in Advance.
Hello Community,

I have created a VPN as shown in the attached configs. The tunnel is up and ipsec appears to be working fine. However, I'm unable to ping the address (interface on the router) from the other site with address I think the problem might be that traffic isn't being recognized in the ipsec tunnel as shown here:

cisco-csr-vpn#show crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr

protected vrf: (none)
local ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
#pkts decaps: 83, #pkts decrypt: 83, #pkts verify: 83
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.:, remote crypto endpt.:
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xEC0058AA(3959445674)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xE8D52690(3906283152)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: CSR:2, sibling_flags FFFFFFFF80000048, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4607992/3051)
IV size: 16 bytes
replay …
I need to migrate a VPN tunnel with 70 lines of cryptomap. The PAN GUI appears to permit me to add only
a single line at a time. I see that I can add security rules via CLI. Perhaps there is something similar for
adding an IPsec tunnel and its Proxy IDs? Any other thoughts appreciated.

set rulebase security rules Inbound-SSH from corpfw2-untrust
set rulebase security rules Inbound-SSH to corp-vpn
set rulebase security rules Inbound-SSH source RFC-1918
set rulebase security rules Inbound-SSH destination any
set rulebase security rules Inbound-SSH source-user any
set rulebase security rules Inbound-SSH category any
set rulebase security rules Inbound-SSH application [ ssh ssh-tunnel]
set rulebase security rules Inbound-SSH service application-default
set rulebase security rules Inbound-SSH hip-profiles any
set rulebase security rules Inbound-SSH action allow
set rulebase security rules Inbound-SSH profile-setting group Corp-Default-SecPro1
set rulebase security rules Inbound-SSH log-start yes
set rulebase security rules Inbound-SSH log-setting logmaster1
set rulebase security rules Inbound-SSH disabled yes
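Both this migration and the retail-store crypto map question earlier on the page come down to emitting many near-identical policy lines from one table. The following is an added example written for this page, not code from either post or from Cisco or Palo Alto Networks. On the ASA side it shows the pattern that does work: several addresses on one `set peer` line are redundant peers tried in order, not peers chosen by destination, and crypto map entries are matched first-ACL-wins in sequence order, so each remote site gets its own sequence number with its own match ACL. On the PAN-OS side it emits proxy IDs as `set network tunnel ipsec ... auto-key proxy-id ...` statements that can be pasted into configure mode in bulk; that is the standard PAN-OS command form, but check it against the CLI reference for your release before committing. Site names, peer addresses, networks, the map name and the transform-set name are constructed.

```python
"""Generate per-site IPsec policy lines for a Cisco ASA and proxy IDs for PAN-OS.

Added example, written for this page; not code from either post. ASA: one
crypto map sequence per peer, because "set peer A B" means fallback, not
selection. PAN-OS: proxy IDs as bulk 'set' lines (verify the syntax against
your PAN-OS release). All names and addresses below are constructed.
"""
from ipaddress import ip_network

CORP_LAN = "10.0.0.0/16"
# (site name, peer public address, remote LAN); constructed values.
SITES = [
    ("BGRO", "203.0.113.10", "10.20.0.0/24"),
    ("TVILLERD", "203.0.113.11", "10.30.1.0/24"),
    ("NORTHFIELD", "203.0.113.12", "10.30.2.0/24"),
]


def net_mask(cidr):
    """ASA ACLs take 'network mask', not prefix notation."""
    net = ip_network(cidr)
    return f"{net.network_address} {net.netmask}"


def asa_crypto_map(sites, corp_lan, map_name="OUTSIDE_MAP",
                   transform_set="ESP-AES-256-SHA", start_seq=10, step=10):
    """One crypto map entry per peer (ASA 8.4+ 'set ikev1 transform-set' syntax).

    Entries are evaluated in sequence order and the first ACL that matches the
    traffic wins, so every site's ACL must describe a distinct flow.
    """
    lines = []
    for i, (name, peer, lan) in enumerate(sites):
        seq = start_seq + i * step
        acl = f"VPN_{name}"
        lines += [
            f"access-list {acl} extended permit ip {net_mask(corp_lan)} {net_mask(lan)}",
            f"crypto map {map_name} {seq} match address {acl}",
            f"crypto map {map_name} {seq} set peer {peer}",
            f"crypto map {map_name} {seq} set ikev1 transform-set {transform_set}",
        ]
    lines.append(f"crypto map {map_name} interface outside")
    return lines


def pan_proxy_ids(pairs, tunnel, start=1):
    """One proxy ID per (local, remote) pair on a single PAN-OS IPsec tunnel.

    A PAN-OS tunnel is bound to one IKE gateway, so all pairs here are to the
    same peer; 'protocol any' mirrors a 'permit ip' crypto ACL entry.
    """
    lines = []
    for n, (local, remote) in enumerate(pairs, start):
        base = f"set network tunnel ipsec {tunnel} auto-key proxy-id Proxy-{n}"
        lines += [f"{base} local {ip_network(local)}",
                  f"{base} remote {ip_network(remote)}",
                  f"{base} protocol any"]
    return lines


if __name__ == "__main__":
    print("\n".join(asa_crypto_map(SITES, CORP_LAN)))
    print()
    pairs = [(CORP_LAN, lan) for _, _, lan in SITES]
    print("\n".join(pan_proxy_ids(pairs, "IPSEC-WalrusNet", start=35)))
```

Redirect the output to a file, review it, and paste it into `configure` mode (PAN-OS) or config mode (ASA); on PAN-OS a `commit` is still needed, and the 70 existing crypto map lines can be turned into the `pairs` list with a few lines of parsing in the same script.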
I am seeing a large increase in failed password authentication via radius. It's unlikely that a large number of users suddenly forgot their password. How can I troubleshoot which active directory server was in play during a failed radius authentication?
I have a VPN between a WRVS4400 and an RV220W. I had to change the WAN IP address at the RV220, so after that I can't establish the VPN (I changed the VPN IP in the WRVS). And:

From WRVS computers I can go to the RV220 admin with the local IP and can ping the RV220, but can't ping the computers which are behind the RV220;

From the RV220W, computers can't go to the WRVS admin with the local IP, can't ping the router, can't ping the computers; when I use the router administration diagnostic I can ping the WRVS router and can ping the printer (connected to the router), but can't ping the computers.

At the WRVS I changed the remote IP of the VPN tunnel and at the RV220W I changed the WAN. This is the log from the RV220W:

79 is the WRVS4400 IP, 83 is the RV

2017-04-11 07:09:51: [rv220w][IKE] INFO: Configuration found for
2017-04-11 07:09:51: [rv220w][IKE] INFO: Initiating new phase 2 negotiation:[500]<=>[0]
2017-04-11 07:09:52: [rv220w][IKE] ERROR: Unknown notify message from[500].No phase2 handle found.
2017-04-11 07:10:00: [rv220w][IKE] ERROR: Unknown notify message from[500].No phase2 handle found.
2017-04-11 07:10:02: [rv220w][IKE] ERROR: Unknown notify message from[500].No phase2 handle found.
2017-04-11 07:10:10: [rv220w][IKE] ERROR: Unknown notify message from[500].No phase2 handle found.
2017-04-11 07:10:12: [rv220w][IKE] ERROR: Unknown notify message from[500].No phase2 handle found.
2017-04-11 07:10:20: [rv220w][IKE] ERROR: …
I need a site(s) that can check a shortened URL to see where it takes me.
I have a vendor which operates a web service that we subscribe to. They have told us they will begin to refuse connections which are established using TLS 1.0 protocols for encryption. I agree with this and I was fairly certain we had taken all of the necessary steps to disallow TLS 1.0 nearly 2 years ago. This vendor is doing it a little differently in that they are going to keep TLS 1.0 enabled on their server and reject and lock out any connections which attempt to connect using it. This part, I do not agree with but who am I.

This vendor has done a packet capture on their side and I have also done one on the client side and both clearly indicate a TLS 1.0 handshake and establishment of an encrypted connection. This is the heart of the problem.

My question is simple, or so I thought... How do I go about disabling TLS 1.0 on a Windows 7 client such that it will no longer respond to TLS 1.0 offerings from a server which still has TLS 1.0 enabled. The client application I use is basically an embedded Internet Explorer client and as such can use any setting which affects Internet Explorer.

I am not perplexed for long on most issues but I must admit that this one has me totally stumped.

Thanks in advance for your insight...
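The lever for an embedded Internet Explorer client is the Internet Options "Advanced" protocol check boxes, which are stored as one DWORD bitmask, `SecureProtocols`, under `Software\Microsoft\Windows\CurrentVersion\Internet Settings` (HKCU for the user the application runs as, HKLM for the machine default). A client whose mask excludes TLS 1.0 never offers it in its ClientHello, so a server that still has TLS 1.0 enabled has nothing to select. The `SCHANNEL\Protocols\TLS 1.0\Client` keys do the same machine-wide for every SChannel consumer. The following is an added example written for this page, not code from the post or from Microsoft: it encodes Microsoft's documented bit values, decodes an existing mask so the current state can be read off, and emits a `.reg` file that can be reviewed before import on the Windows 7 machine. It only produces text, so it runs anywhere.

```python
"""Build the IE/WinINet SecureProtocols bitmask and a reviewable .reg file that
turns TLS 1.0 off on a Windows 7 client.

Added example; not from the post. The bit values are Microsoft's documented
constants for the SecureProtocols DWORD under
  Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
and the SChannel keys are the standard per-protocol client switches.
"""

# Bit values of the SecureProtocols DWORD (Internet Options > Advanced).
SECURE_PROTOCOLS_BITS = {
    "SSL 2.0": 0x0008,
    "SSL 3.0": 0x0020,
    "TLS 1.0": 0x0080,
    "TLS 1.1": 0x0200,
    "TLS 1.2": 0x0800,
}
IE11_WIN7_DEFAULT_MASK = 0x0A80  # IE11 on Windows 7: TLS 1.0, 1.1 and 1.2 enabled


def secure_protocols_mask(enabled):
    """OR together the bits of the named protocol versions."""
    mask = 0
    for name in enabled:
        mask |= SECURE_PROTOCOLS_BITS[name]  # unknown names raise KeyError on purpose
    return mask


def decode_secure_protocols(mask):
    """Human-readable list of what a given SecureProtocols value enables."""
    return [name for name, bit in SECURE_PROTOCOLS_BITS.items() if mask & bit]


def tls10_disable_reg(enabled=("TLS 1.1", "TLS 1.2")):
    """Text of a .reg file: IE mask for the current user plus SChannel TLS 1.0 client off."""
    mask = secure_protocols_mask(enabled)
    if mask & SECURE_PROTOCOLS_BITS["TLS 1.0"]:
        raise ValueError("TLS 1.0 must not be in the enabled set")
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]",
        f'"SecureProtocols"=dword:{mask:08x}',
        "",
        r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]",
        '"Enabled"=dword:00000000',
        '"DisabledByDefault"=dword:00000001',
        "",
    ])


if __name__ == "__main__":
    print("IE11/Win7 default:", decode_secure_protocols(IE11_WIN7_DEFAULT_MASK))
    print("After change:     ", decode_secure_protocols(secure_protocols_mask(("TLS 1.1", "TLS 1.2"))))
    print(tls10_disable_reg())
```

Two caveats worth checking before importing: if Internet Options are managed by Group Policy, the policy copy of `SecureProtocols` overrides the user's value and the change has to be made there; and once TLS 1.0 is gone the client can only connect if the vendor's server also offers TLS 1.1 or 1.2, which a fresh packet capture of the handshake will confirm.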
Hi there!

After some difficulties (of course...), I was able to create ONE MyDlink account and put two cameras properly installed "inside" this account.

Then I have downloaded the "MyDlink Lite" app for the Android and at this moment I can see, remotely, through my cellular phone, the images from both cameras at real time. Great!

My problem: I would like to download the "MyDlink Lite" app for Android on ANOTHER cellular phone, so that two people will be able to see the images of the same two cameras. Let's say that I have two cellular phones, and I would like to see the images on both of them.

(I don't have a problem sharing my login and password with the person on the other cellular phone; it's my father, in fact.)

All that put, the question:

Should I create another account or another registration (as a "new user") on the "MyDlink site" or in "MyDlink Lite" and "share" the cameras, or can I simply install "MyDlink Lite" on my father's cellular phone as if he were me (same login and password)?

I ask this because I am afraid I can get some "conflict" when using the same login and password from two different "places" and, what would be terrible, mess up the configuration and the perfect functionality that I have at this moment, with only one cellular phone "connected" to the cameras...

Thanks a lot!

For the past couple of months, an attacker has been sending my company emails trying to get us to install a RAT. Somehow, he knows the services we use (VoIP providers, etc) and sends emails as them. I've traced his originating IP using the email header data and he traces back to a server rental farm in Japan. I've reported him to them 3 times, but to no avail. Any ideas on how to stop this guy? We can't block the domains, as they are legitimate domains we receive emails from.

I manage the IT department at our National Auditorium and I am doing a little bit of research regarding setting up our Auditorium to live-stream our events throughout the world via the internet.

At the moment, whenever we have big national shows, we have a National Television company which comes and live streams and broadcasts the event LIVE throughout the country on television only.

Just recently, my committee met and proposed that I work on setting up a way where we can live stream our events online via our website, where a visitor will pay at least $2.00 or less before watching the show. I know this will involve setting up a merchant account whereby the PGateways will process credit cards and deposit funds into our merchant account before a visitor could watch a live event.

We have high-end equipment in our auditorium (eg: audio and visual).

I have also developed the site and it is online now.

Anyway, I am just doing a little bit of research, and even if we have to buy some hardware or you have any suggestions, I would very much appreciate it. Please let me know your thoughts and input.

Much appreciated.

I have created a web form frm_map.aspx structured as below:
<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Frm_Map.aspx.vb" Inherits="Frm_Map" %>

<!DOCTYPE html>

<html xmlns="">
<head id="Head1" runat="server">
    <title>Google Maps Example</title>
    <script type="text/javascript"
    <script type="text/javascript">
        google.load("maps", "2");
        // Call this function when the page has been loaded
        function initialize() {
            var map = new google.maps.Map2(document.getElementById("map"));
            map.setCenter(new google.maps.LatLng("<%=lat%>", "<%=lon%>"), 5);
            var point = new GPoint("<%=lon%>", "<%=lat%>");
            var marker = new GMarker(point);
            map.addControl(new GLargeMapControl());
            map.addOverlay(marker); // the marker was created but never placed on the map
        }
        google.setOnLoadCallback(initialize);
    </script>
</head>
<body>
    <form id="form1" runat="server">
        <div id="map" style="width: 400px; height: 400px"></div>
    </form>
</body>
</html>

Below is its code-behind:
Imports System.Data
Imports System.Net

Partial Class Frm_Map
    Inherits System.Web.UI.Page
    Protected lat As String, lon As String
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' X-Forwarded-For is supplied by the client or by any proxy in the path and can be
        ' forged; only trust it when a reverse proxy you control overwrites it.
        Dim ipaddress As String
        ipaddress = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
        If String.IsNullOrEmpty(ipaddress) Then
            ipaddress = Request.ServerVariables("REMOTE_ADDR")
        End If
        ' lat/lon are written straight into the page's JavaScript; if they ever come
        ' from user input they must be validated as numbers first.
        lat = "33.55"
        lon = "55.45"
    End Sub

End Class

After running this form I am getting the below error message:
This page didn't load Google Maps correctly. See the JavaScript console for technical details.

Below is the attached error

We have a Fortigate in HQ connected to a bunch of branch offices with IPsec VPN in a hub & spoke configuration.
Speeds vary from 10 Mbps to 100 Mbps per branch office.
Currently phase2 is set up with: aes128 and SHA256.

Fortigate now supports AES GCM and can be used in phase2 for IPsec VPN tunnels.

There's something new & fancy out there, but I have no idea if it's better.
Hope some of you in here can enlighten me :)

1. Does GCM provide better throughput and/or is less CPU intensive?
2. Does it provide better security?

Understand the principle of encryption but not the inner workings, please take that into consideration.
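Two things make AES-GCM cheaper than AES-CBC with a separate HMAC. It is an AEAD mode, so one pass over the data yields both confidentiality and integrity instead of an AES pass followed by an HMAC-SHA-256 pass, and it is what AES-NI instructions and crypto ASICs are built to accelerate. It also costs fewer bytes per packet: in ESP, AES-GCM uses an 8-byte IV and needs only the 4-byte alignment ESP itself requires, while AES-CBC uses a 16-byte IV and pads to a 16-byte block, so the tunnel's plaintext MTU is slightly larger. On security, both are sound when configured correctly; GCM additionally removes the possibility of pairing the cipher with a weak or absent integrity algorithm. The following is an added example written for this page, not Fortinet code or code from the post: it computes the ESP packet size and the plaintext MTU for the post's current transform and for AES-GCM, using sizes from RFC 4303 (ESP), RFC 3602 (AES-CBC), RFC 4106 (AES-GCM), RFC 2404 (HMAC-SHA1-96) and RFC 4868 (HMAC-SHA-256-128). The AES key length does not change any of these sizes. For the Cisco transform with NAT-T it reproduces the "plaintext mtu 1422" seen in the show crypto ipsec sa output earlier on this page.

```python
"""Per-packet ESP size for AES-CBC with a separate HMAC versus AES-GCM.

Added example for the FortiGate question; not Fortinet code or from the post.
Sizes follow RFC 4303, 3602, 4106, 2404 and 4868. The model is tunnel-mode ESP
over IPv4; real throughput on a given FortiGate model still has to be measured.
"""

ESP_HEADER = 8   # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)

# transform: (IV bytes, required alignment of plaintext+trailer, ICV bytes)
TRANSFORMS = {
    "aes128-cbc + hmac-sha256-128": (16, 16, 16),   # the post's current phase 2
    "aes256-cbc + hmac-sha1-96": (16, 16, 12),      # Cisco 'esp-256-aes esp-sha-hmac'
    "aes128-gcm-16": (8, 4, 16),                    # AEAD: no separate INTEG transform
}


def esp_packet_size(inner_len, transform):
    """Bytes of ESP (header through ICV) carrying an inner packet of inner_len bytes."""
    iv, align, icv = TRANSFORMS[transform]
    pad = (-(inner_len + ESP_TRAILER)) % align
    return ESP_HEADER + iv + inner_len + pad + ESP_TRAILER + icv


def esp_overhead(inner_len, transform):
    """Bytes added to the inner packet, excluding the outer IP/UDP headers."""
    return esp_packet_size(inner_len, transform) - inner_len


def plaintext_mtu(path_mtu, transform, outer_ip=20, udp_encap=0):
    """Largest inner IPv4 packet whose ESP packet fits in path_mtu unfragmented.

    udp_encap=8 models NAT-T (ESP inside UDP 4500). This is the figure Cisco
    reports as 'plaintext mtu' in 'show crypto ipsec sa'.
    """
    budget = path_mtu - outer_ip - udp_encap
    inner = budget
    while inner > 0 and esp_packet_size(inner, transform) > budget:
        inner -= 1
    return inner


if __name__ == "__main__":
    for name in TRANSFORMS:
        print(f"{name:32} overhead@1000B={esp_overhead(1000, name):3}  "
              f"plaintext MTU (NAT-T, path 1500)={plaintext_mtu(1500, name, udp_encap=8)}")
```

The byte savings are modest (a few percent on small packets, less on large ones); the single-pass and hardware-offload effect is the larger part of the throughput difference, which is why it has to be measured on the actual appliance rather than computed.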

Dear Experts

My domain is listed in the Spamhaus DBL. We have taken all measures not to send promotional emails to non-opted-in contacts and have made several requests to Spamhaus to remove our domain from the list, but they are not supporting us in this; they keep replying as posted below. Please suggest a way of getting delisted; it is affecting us very badly. Please support.


We have reviewed the DBL listing for and decided that
we will retain that listing at this time. We do not discuss criteria
for inclusion in DBL, however it includes many factors. Your domain
matches several of those criteria.

DBL listings expire over time, so if our systems do not see your
domain for a while it will drop out of DBL zone. Many factors which
affect your domain's reputation may also change over time, so by
engaging in good reputation practices it will eventually drop out of
DBL. For more information, please see DBL FAQ "Why is my domain listed
in DBL?"
I recently added a Proxy-ID to an IPSec tunnel on PAN FW but it's stuck in init state. I'm trying to
connect to a sonicwall on the far side. How can I view the negotiation process or use other logging
to see why this stays stuck in init state instead of going "active"?

IPSEC-WalrusNet:Proxy-35active     off  tunnel.8
IPSEC-WalrusNet:Proxy-36active     off  tunnel.8
IPSEC-WalrusNet:Proxy-37active     off  tunnel.8
IPSEC-WalrusNet:Proxy-38init       off  tunnel.8

tunnel  IPSEC-WalrusNet:Proxy-38
        id:                     140
        type:                   IPSec
        gateway id:             7
        local ip:     
        peer ip:      
        inner interface:        tunnel.8
        outer interface:        ae1.802
        state:                  init
        session:                268549
        tunnel mtu:             1448
        lifetime remain:        N/A
        monitor:                off
        monitor packets seen:   102551
        monitor packets reply:  147
        en/decap context:       19553
        local spi:              00000000
        remote spi:             00000000
        key type:               auto key
        protocol:               ESP
        auth algorithm:         NOT ESTABLISHED
All of a sudden I received numerous warnings from my Malwarebytes Professional that malicious websites, I think it was, were trying to connect to these ports (and more; these are the ones I have noted down so far):


I am proofreading a book now, and am hardly using the internet. Only now and then I search Google for contents relating to Jewish mysticism. Then I have some other websites open like an online dictionary, playing relaxing music from Youtube from the same video all the time, that is all.

What should I do? Will Malwarebytes prevent all intruding attempts or will anything slip through? I need to continue working because I have too much work to do, can not just turn off the computer and do nothing.

It always comes from the same IP address:
Hi there, I have a customer using an accounts software program that uses an internet printer which has recently been bombarded with random print jobs.

The Print jobs only come from one IP address - is there a way I can block access to that printer except for internal print jobs as well as from that 1 IP address?
Hi,

  I am setting up Hyper-V 2016 on a server that has two NICs. I connected one NIC to the internal network (192.168.1.x) and the 2nd NIC to receive a dynamic public IP from the ISP. The purpose of connecting the 2nd NIC to the public internet was that sometimes a VM needs a direct connection to the public internet.

 While adding the Hyper-V role/creating Virtual Switches, I see the message "We recommend that you reserve one network adapter for remote access to this server ....".
 I can connect to this Hyper-V server using remote desktop from an internal network PC and Splashtop remote access software from outside of the network.

 (1) Should I be concerned about this message?

 (2) As I mentioned, there are two NICs for internal & external connection. Should I be concerned about security or hacking because the 2nd NIC is exposed to the public internet? If the answer is 'Yes', what should I do for protection? I can install the Malwarebytes products that I use to protect workstation PCs.

Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . :

Ethernet adapter Ethernet 2:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 65.x.x.x
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . .…
I'm looking for recommendations for a small business firewall to be used with a Verizon Jetpack (Cell service for internet) based on your own experience.
Imagine you have two sites connected by an IPSec tunnel. Site A can send traffic from to at site B. Each side is using a Cisco ASA firewall. Now one day you want to add as a destination. If you added that to site B's firewall without also updating site A's firewall with like information - would the tunnel then break? Thank you.

The issue is I have a tunnel I need to change and several companies to communicate with on the far end. It would be ideal if I could update my end of the tunnel and let them update their side when they get to it. But if I recall correctly I think if I add another host to the encryption domain at site B the tunnel will just fail. Any insight?
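With IKEv1, each phase 2 (quick mode) SA is negotiated for one (local, remote) pair of networks, and the responder accepts the pair only if it has the mirror image configured; on an ASA a one-sided pair is logged as a "no matching crypto map entry for remote proxy" rejection. Adding a destination on site B alone therefore does not break the pairs that already match on both sides; it leaves one pair that cannot come up until site A adds the mirrored line, and traffic for that pair is dropped in the meantime. IKEv2 is more forgiving because the responder may narrow traffic selectors, so a superset on one side can work there. The following is an added example written for this page, not Cisco code or code from the post: it diffs the two sides' encryption domains before a change and lists exactly what each side still has to add. The two ACL lists are constructed.

```python
"""Diff two IPsec peers' encryption domains before changing one side.

Added example for the question above; not Cisco code or from the post. An
entry (src, dst) on site A is satisfied only by (dst, src) on site B. The
crypto ACLs below are constructed.
"""
from ipaddress import ip_network


def normalize(entries):
    """Parse ('src', 'dst') string pairs into a set of network pairs."""
    return {(ip_network(src), ip_network(dst)) for src, dst in entries}


def mirror(pairs):
    """The pairs as the other peer must configure them."""
    return {(dst, src) for src, dst in pairs}


def fmt(pair):
    src, dst = pair
    return f"{src} -> {dst}"


def encryption_domain_diff(site_a, site_b):
    """Report matched pairs, one-sided pairs, and what each side must add."""
    a, b = normalize(site_a), normalize(site_b)
    unmatched_a = a - mirror(b)
    unmatched_b = b - mirror(a)
    return {
        "matched": sorted(fmt(p) for p in a & mirror(b)),
        "unmatched_on_a": sorted(fmt(p) for p in unmatched_a),
        "unmatched_on_b": sorted(fmt(p) for p in unmatched_b),
        # the lines each side still needs so that every pair can negotiate
        "add_on_b": sorted(fmt(p) for p in mirror(unmatched_a)),
        "add_on_a": sorted(fmt(p) for p in mirror(unmatched_b)),
    }


# Constructed crypto ACLs as 'permit ip <src> <dst>' pairs. Site B has added
# 10.2.4.0/24 as a new destination for 10.1.1.0/24; site A has not yet mirrored it.
SITE_A = [("10.1.1.0/24", "10.2.2.0/24"), ("10.1.1.0/24", "10.2.3.0/24")]
SITE_B = [("10.2.2.0/24", "10.1.1.0/24"), ("10.2.3.0/24", "10.1.1.0/24"),
          ("10.2.4.0/24", "10.1.1.0/24")]

if __name__ == "__main__":
    for key, val in encryption_domain_diff(SITE_A, SITE_B).items():
        print(f"{key:15} {val}")
```

Run it with both sides' ACLs before and after each partner updates their end; when `unmatched_on_a` and `unmatched_on_b` are both empty, every pair in the encryption domain can negotiate.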