Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


Hi,

I manage the IT department at our National Auditorium and I am doing a little bit of research regarding setting up our Auditorium to live-stream our events throughout the world via the internet.

At the moment, whenever we have big national shows, we have a National Television company which comes and live-streams and broadcasts the event LIVE throughout the country on television only.

Just recently, my committee met and proposed that I work on setting up a way for us to live-stream our events online via our website, where a visitor will pay at least $2.00 or less before watching the show. I know this will involve setting up a merchant account, whereby the payment gateways (PGateways) will process credit cards and deposit funds into our merchant account before a visitor can watch a live event.

We have high-end equipment in our auditorium (e.g. audio and visual).

I have also developed the site and it is online now.

Anyway, I am just doing a little bit of research, and even if we have to buy some hardware, I would very much appreciate any suggestions. Please let me know your thoughts and input.

Much appreciated.

Thanks,
B
0
Hi,
I have created a web form frm_map.aspx structured as below:
<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Frm_Map.aspx.vb" Inherits="Frm_Map" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1" runat="server">
    <title>Google Maps Example</title>
    <script type="text/javascript"
        src="http://www.google.com/jsapi?key=AIzaSyDtWpEfoVxSKPTzKKFmYq1RP-isfqWLFGA"></script>
    <script type="text/javascript">
        google.load("maps", "2");
        // Coordinates are injected by the code-behind; parse them as numbers once
        var lat = parseFloat("<%=lat%>");
        var lon = parseFloat("<%=lon%>");
        // Call this function when the page has been loaded
        function initialize() {
            var map = new google.maps.Map2(document.getElementById("map"));
            // LatLng takes (latitude, longitude); the same point centers the map and places the marker
            var center = new google.maps.LatLng(lat, lon);
            map.setCenter(center, 5);
            // A marker needs a LatLng, not a GPoint (which is a pixel coordinate)
            var marker = new GMarker(center);
            map.addOverlay(marker);
            map.addControl(new GLargeMapControl());
        }
        google.setOnLoadCallback(initialize);
    </script>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <div id="map" style="width: 400px; height: 400px"></div>
    </div>
    </form>
</body>
</html>



Below is its code-behind:
Imports System.Data
Imports System.Net

Partial Class Frm_Map
    Inherits System.Web.UI.Page
    ' Exposed to the .aspx page through <%=lat%> and <%=lon%>
    Protected lat As String, lon As String

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        ' Prefer the proxy-supplied header, falling back to the socket address.
        ' Note: X-Forwarded-For is set by the client or an upstream proxy and
        ' must not be trusted for security decisions without validation.
        Dim ipaddress As String = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
        If String.IsNullOrEmpty(ipaddress) Then
            ipaddress = Request.ServerVariables("REMOTE_ADDR")
        End If

        ' Hard-coded test coordinates; ipaddress is not yet used to look them up
        lat = "33.55"
        lon = "55.45"
    End Sub
End Class



After running this form I am getting the error message below:
This page didn't load Google Maps correctly. See the JavaScript console for technical details.

Below is the attached error.
0
Hi

We have a FortiGate in HQ connected to a bunch of branch offices with IPsec VPN in a hub & spoke configuration.
Speeds vary from 10 Mbps to 100 Mbps per branch office.
Currently phase 2 is set up with AES128 and SHA256.

FortiGate now supports AES-GCM, which can be used in phase 2 for IPsec VPN tunnels.

There's something new & fancy out there, but I have no idea if it's better.
Hope some of you in here can enlighten me :)

1. Does GCM provide better throughput and/or is it less CPU intensive?
2. Does it provide better security?

I understand the principle of encryption but not the inner workings; please take that into consideration.

Regards.
0
Dear Experts

My domain is listed in the Spamhaus DBL. We have taken all measures to not send promotional emails to non-opted-in contacts and have made several requests to Spamhaus to remove our domain from the list, but they are not supporting us in this; they keep replying like the message posted below. Please suggest a way to get delisted; it is affecting us very badly, please support.

Hello,

We have reviewed the DBL listing for domain.com and decided that
we will retain that listing at this time. We do not discuss criteria
for inclusion in DBL, however it includes many factors. Your domain
matches several of those criteria.

DBL listings expire over time, so if our systems do not see your
domain for a while it will drop out of DBL zone. Many factors which
affect your domain's reputation may also change over time, so by
engaging in good reputation practices it will eventually drop out of
DBL. For more information, please see DBL FAQ "Why is my domain listed
in DBL?" http://www.spamhaus.org/faq/section/Spamhaus%20DBL#371
0
I recently added a Proxy-ID to an IPSec tunnel on PAN FW but it's stuck in init state. I'm trying to
connect to a sonicwall on the far side. How can I view the negotiation process or use other logging
to see why this stays stuck in init state instead of going "active"?

IPSEC-WalrusNet:Proxy-35active     off          172.16.200.20.54  77.122.220.196  tunnel.8
IPSEC-WalrusNet:Proxy-36active     off          172.16.200.20.54  77.122.220.196  tunnel.8
IPSEC-WalrusNet:Proxy-37active     off          172.16.200.20.54  77.122.220.196  tunnel.8
IPSEC-WalrusNet:Proxy-38init       off          172.16.200.20.54  77.122.220.196  tunnel.8

tunnel  IPSEC-WalrusNet:Proxy-38
        id:                     140
        type:                   IPSec
        gateway id:             7
        local ip:               172.16.200.20.54
        peer ip:                77.122.220.196
        inner interface:        tunnel.8
        outer interface:        ae1.802
        state:                  init
        session:                268549
        tunnel mtu:             1448
        lifetime remain:        N/A
        monitor:                off
        monitor packets seen:   102551
        monitor packets reply:  147
        en/decap context:       19553
        local spi:              00000000
        remote spi:             00000000
        key type:               auto key
        protocol:               ESP
        auth algorithm:         NOT ESTABLISHED
        …
0
All of a sudden I received numerous warnings from my Malwarebytes Professional that malicious websites, I think it was, were trying to connect to these ports (and more; these are the ones I have noted down so far):

1900
61875
57333
65139
58347
64920

I am proofreading a book now, and am hardly using the internet. Only now and then I search Google for contents relating to Jewish mysticism. Then I have some other websites open like an online dictionary, playing relaxing music from Youtube from the same video all the time, that is all.

What should I do? Will Malwarebytes prevent all intrusion attempts or will anything slip through? I need to continue working because I have too much work to do; I cannot just turn off the computer and do nothing.

It always comes from the same IP address: 239.255.255.250
0
Hi there, I have a customer using an accounts software program that uses an internet printer which has recently been bombarded with random print jobs.

The Print jobs only come from one IP address - is there a way I can block access to that printer except for internal print jobs as well as from that 1 IP address?
0
(Attached screenshot: Create Virtual Switch)
Hi,

I am setting up Hyper-V 2016 on a server that has two NICs, and I connected one NIC to the internal network (192.168.1.x) and the 2nd NIC to receive a dynamic public IP from the ISP. The purpose of connecting the 2nd NIC to the public internet was that sometimes a VM needs a direct connection to the public internet.

While adding the Hyper-V role/creating Virtual Switches, I see the message "We recommend that you reserve one network adapter for remote access to this server ....".
I can connect to this Hyper-V server using Remote Desktop from an internal network PC and Splashtop remote access software from outside the network.

(1) Should I be concerned about this message?

(2) As I mentioned, there are two NICs for internal & external connection. Should I be concerned about security or hacking because the 2nd NIC is exposed to the public internet? If the answer is 'Yes', what should I do for protection? I can install the Malwarebytes products that I use to protect workstation PCs.

Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.5
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.9   192.168.1.3

Ethernet adapter Ethernet 2:
   Connection-specific DNS Suffix  . : wowway.com
   IPv4 Address. . . . . . . . . . . : 65.x.x.x
   Subnet Mask . . . . . . . . . . . : 255.255.252.0
   Default Gateway . . . . . . .…
0
I'm looking for recommendations for a small business firewall to be used with a Verizon Jetpack (Cell service for internet) based on your own experience.
0
Imagine you have two sites connected by an IPSec tunnel. Site A can send traffic from 10.10.10.10 to 192.168.10.10 at site B. Each side is using a Cisco ASA firewall. Now one day you want to add 192.168.10.11 as a destination. If you added that to site B's firewall without also updating site A's firewall with like information - would the tunnel then break? Thank you.

The issue is I have a tunnel I need to change and several companies to communicate with on the far end. It would be ideal if I could update my end of the tunnel and let them update their side when they get to it. But if I recall correctly I think if I add another host to the encryption domain at site B the tunnel will just fail. Any insight?
0
Hello Experts,

I am re-designing an existing network using a new ISP and new hardware. The existing network has approximately 50 remote sites all using different local ISPs connected to each other via IPSec site-to-site VPN tunnels within a hub and spoke topology. Every site terminates to the same vendor's VPN concentrator. Our server infrastructure is cloud based and we authenticate to Active Directory Services in the cloud. As of right now each site or 'spoke' has to go through the 'vendor hub' to access any other site, which tends to slow things down a bit on occasion.

If I utilize a mesh topology, every site would have to host 50 VPN tunnels (I guess 49 to be exact) to connect to all other locations, which means that the firewall, router, or VPN concentrator would have to be large enough to support this - frankly our budget isn't that big. I would like to utilize a FortiGate 60/90 in each location.

I'm considering a hybrid hub and spoke / mesh topology but looking for some ideas as to how to approach this from a topology perspective.
0
Setup:

Comcast > ASA 5505 > Netgear > Workstations/Server

ASA Inside:  192.168.1.1
Netgear WAN IP: 192.168.1.40 (connected to VLAN1)
Netgear LAN IP:  10.1.10.2
Netgear DMZ: 10.1.10.34
Server: 10.1.10.34

Partial ASA config:

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

access-list 101 extended permit udp any any eq isakmp
access-list 101 extended permit udp any any eq 4500
access-list 101 extended permit esp any any
access-list 101 extended permit tcp any any eq ftp
access-list 101 extended permit tcp any any eq 3389
access-list 101 extended permit tcp any any eq www
access-list 101 extended permit tcp any any eq 8001
access-list 101 extended permit tcp any any eq 8080
access-list 101 extended permit tcp any any eq 1050
access-list 101 extended permit tcp any any eq https
access-list 101 extended permit tcp any any eq 8000
access-list 101 extended permit tcp any any eq 8002
access-list 101 extended permit tcp any any eq 8003
access-list 101 extended permit tcp any any eq 1051
access-list 101 extended permit tcp any any eq 444
access-list splittunnel standard permit 10.1.10.0 255.255.255.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.20.1-192.168.20.10
icmp unreachable rate-limit…
0
Hi,

I have two Drayteks. One site has a Vigor 2860 (Site 1 - 192.168.2.0) and the other a Vigor2830 (Site 2 - 192.168.5.0).

I have attempted to create a site-to-site VPN, but cannot get a connection. I have another site (Site 3) which can establish a site-to-site VPN with Site 1.

I have replicated all settings from the successful site-to-site VPN (of course changing the relevant external IP address) but I still cannot get a connection. I have attached a screenshot of both VPN profiles (I have hidden the external IP addresses). Is there anything I am missing?
(Attachments: VPN-Site-1-to-Site-2_.jpg, VPN-Site-2-to-Site-1.jpg)
thanks in advance,
Col
0
Hi

We have to set IPSec for Windows 7 and 10. How can my technicians check if IPSec is working on the client side?

With Wireshark? If yes, please tell me how?

Many thanks in advance.
0
Hi

I have never set IPSec under Windows Server. Is it difficult? Can somebody post me a good step by step tutorial that I can give a junior technician?

Many thanks in advance.
0
Hi Guys,

New here in the forums. I would just like to know if we can do an automatic failover to VPN using a SonicWALL NSA 220 and a TZ 400 when our main leased line goes down. I would also like to know what prerequisites are needed for this.

Thanks
JC
0
SalesForce is upgrading the requirement from SecurityProtocolType.Tls10 to SecurityProtocolType.Tls11 and SecurityProtocolType.Tls12.

What can you tell me about this protocol?

Thanks
0
I'm not a networking expert, it's my least favorite part of IT, so I may well have missed something during setup, but I had thought that in my research I read that IP Security would be transparent to applications. Because of that, I am very confused as to why this error started appearing in Internet Explorer after I rolled out the IPSec policy:

IE Error from IPSec
Clients on the network connect to the webserver that hosts the site without issue. This issue started when the database server picked up the settings and the webserver and DB server started communicating encrypted. Also, TLS 1.0, 1.1, and 1.2 are enabled on all machines in our domain through GPO; SSL 2.0 and 3.0 are disabled in the same policy.

Please let me know if you need more info, but any help that anyone can provide will be greatly appreciated.
0
Our company has a DMVPN between HQ and 8 other remote sites in a mesh topology. Sometimes the tunnels between HQ and the site offices go down.
The HQ hub router works fine all the time, but the problem resides in some spoke routers at some times.
 
Verify:
When I check the spoke router with these commands:
1.  "show crypto isakmp sa" shows "MM_NO_STATE"; this means MM1 and MM2 failure (misconfiguration or UDP 500 connectivity issue)
2.  "show crypto ipsec sa" shows send/receive errors, no encap/decap pkts increment, no encrypt/decrypt pkts increment
 
The spoke routers connect to the ISP through a fiber DSL line, and some connect through a 4G line.
 
Solution we are doing:
We resolve this issue by restarting the spoke Cisco router or the DSL router that connects to the spoke router; then the tunnel comes up and works fine.
 
My question is: why does this happen once or twice a week? Is there any verification or troubleshooting method to find out the main cause of this issue? And what is a UDP 500 connectivity issue and how do I resolve it?
(Hub and spoke configurations are correct)
0
I am trying to set up IPSec/L2TP in Remote and Routing Service in Windows 2008 R2 Server.
As I understand it, I need to do two things with respect to ports:

(1) IPSec requires UDP port 500 and protocols 50 & 51 (IPSec passthrough)
(2) L2TP requires UDP 1701, UDP 500 if using IPSec, UDP 4500 if using NAT-T, and L2TP pass through.

In RRAS, I added UDP ports - 500, 1701, 4500. But I don't know how to add protocols 50 & 51.
Can you help?
0
Hi

We are providing outsourcing for our customers. One of our large government customers needs to encrypt the communications between our DCs, file servers and printers.
After discussing with a third-party network company and my technicians, they say that IPsec is still the best solution and is standard. Is this true? Is there something better than IPsec nowadays?
It could also be a solution from the network side rather than doing this with IPsec on our MS servers.

Info:
Servers are 2012 R2
Clients are Windows 10 and 7

Many thanks in advance.
0
Hello Everyone,

I am working to set up a Raspberry Pi as a VPN through my pfSense router. I have the Pi configured, and I am now having issues getting it to pass through the firewall to a public IP. If that won't work, I'm looking for a username/password-based VPN akin to PPTP to add simplicity for my users (they don't want to use another client like OpenVPN). I'm fairly new to configuring VPNs and I'm looking for a little guidance.
0
Dear all,
I'm trying to configure a Site-to-Site VPN, without success, between an ASA 5510 (static public IP) and an RV215W (connected to a 4G router with a dynamic public IP).
I cannot see the VPN come UP.
If I try to ping from the "ASA network" I see only "IKE initiator unable to find policy". If I try to ping from the RV215W network, I see nothing.
I am sending you the ASA config; big thanks for your help.

ASA Version 7.0(6)
!
interface Ethernet0/1
 nameif Fastweb2
 security-level 0
 ip address 192.168.11.2 255.255.255.0
!
interface Ethernet0/3
 description LAN
 nameif LAN
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
dns domain-lookup Fastweb2
dns name-server 85.18.200.200
dns name-server 89.97.140.140
object-group network VPN_OFFICE
 network-object 192.168.20.0 255.255.255.0
access-list Fastweb_access_out extended permit ip any any
access-list Fastweb_access_out extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip interface LAN interface Fastweb2
access-list LAN_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 1.2.3.4
access-list LAN_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 object-group VPN_OFFICE
access-list Fastweb2_cryptomap_20 extended permit ip 192.168.1.0 255.255.255.0 host 1.2.3.4
access-list Fastweb2_access_in extended permit tcp host 1.2.3.4 192.168.1.0 255.255.255.0 eq lpd
access-list Fastweb2_access_in extended permit tcp host …
0
(Attached screenshots: VPN Error; RRAS Property - General; RRAS Property - Security; RRAS - IPv4; Firewall for RRAS; Firewall - UDP 500 and 4500 added; L2TP VPN in Windows 10)
Hi,
 
I set up RRAS on my Windows 2008 R2 Server and tried to connect to the VPN server using the L2TP/IPSec method, but I get an error. So far this is what I have done on the Windows 2008 R2 Server.
(1) Added RRAS role.
(2) made sure that WAN Miniport (L2TP) is listed in Ports section of RRAS.
(3) Created preshared key
(4) Added port number 500 and 4500 UDP in Advanced Settings in Firewall
(5) Made sure that RRAS check box was checked in Allowed Programs in Firewall.
(6) In my CISCO router, I am forwarding two UDP  ports 500 and 4500 to this computer running Windows 2008 R2.
(7) In my Windows 10 PC, I created an L2TP VPN connection and entered the preshared key.
But when I tried to connect, I get an error.
Can you help?
0
Hi,
 
I need to set up a VPN behind my CISCO 1811 router and would like to use either the Windows Server 2008 or 2012 operating system's Remote and Routing Service.
(1) Which one of these protocols - IKEv2, IPSec, and L2TP - is easiest to set up in Windows Server?
(2) Which version of the OS is better, Windows Server 2008 or 2012?
(3) What port numbers should I forward in my CISCO 1811 router to my Windows Server?

Thanks.
0