Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite that secures Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session. IPsec can protect data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


I created a site-to-site VPN with the ASAs in GNS3 and it looks like the tunnel is working, as I can ping from 10.10.10.100 to 10.10.20.100 and vice versa. But I am trying to understand how it is possible as far as the routing is concerned. sw1 and sw2 have their DG pointed to the ASA (see diagram). But how does the routing work for 10.10.10.100 and 10.10.20.100? I am trying to configure EIGRP to advertise their local subnets 10.10.10.0 and 10.10.20.0 from the ASAs. But it does not seem to work. Also, I cannot ping any other interfaces from 10.10.10.100 or 10.10.20.100. I appreciate any explanation.

0
We have a Cisco ASA 5515 VPN network that has been stable for years.

We have two spoke ASAs at remote offices and remote users using the IPSec VPN Client. There was a big power-down of the network over the holiday and this is the first day back in the office.

All VPN links are dropping after 10 - 30 seconds. Even an SSH link made across the VPN to the firewall ends in "broken pipe."

Our core Internet connection is stable.
0
I am trying to configure an IPsec VPN from home to my workplace computer. My home computer has a public IP and the office computer is located behind NAT.
I use Libreswan on CentOS 7 as the VPN server. I do not want to use another VPN solution, since this is the only VPN solution recommended by Red Hat and I am a perfectionist.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html
"IPsec, implemented by Libreswan, is the only VPN technology recommend for use in Red Hat Enterprise Linux 7. Do not use any other VPN technology without understanding the risks of doing so."

I've found the article on how to configure Libreswan VPN server for remote clients using IKEv2
https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2
But this method uses machine certificates for client authentication.

The question is: are machine certificates as secure as the EAP authentication methods supported by Windows, and therefore should I continue implementing this solution?
0
I need to configure remote VPN access on a Cisco 1841 running IOS version 15. Help me with building the configuration.
0
This setup uses 5 Citrix XenServer hosts, all joined to the XenCenter pool. Among these 5 Xen hosts, 4 are in site A, while the fifth one is located at site B. Site A is connected to site B with a firewall site-to-site IPsec tunnel. Ping tests show a 300 ms echo reply. This setup was done 4 years ago and has been working fine all along.

Recently, I logged into the XenCenter pool and found that the fifth Xen host is in "red". I need to modify a few settings and couldn't access it. Please see the attached jpg file. What went wrong, and what should I do to make it "come alive again"? There are a few VMs hosted there, and the VMs are working fine. Shall I remove this host from the pool (with affecting VMs)?

Thanks in advance.
EE---Xen-Host-unreachable.JPG
0
Last night I was alerted that my Gmail account had been signed into by a device not recognized. When researching further, the IP address mentioned in the alert email was actually my iPhone. However, it was not using the IP address of my router 192.98....; instead it was using a Comcast IP 67.xxx.xxxx

What happened....
0
I have a client who is a small business. They have a new business requirement that is going to result in a new router/device that will support multiple concurrent IPsec tunnels (which we already had) but that will also have support for BGP over IPsec.

Recommendations are much appreciated!
0
I have a Cradlepoint AER 1600 WAN modem and am testing it for remote sites. I am trying to set up a VPN to a SonicWall NSA2400. After following the procedures to configure the VPN, using a simple pre-shared key for the test, the VPN LED on the Cradlepoint is active. There are, however, no active tunnel connections when looking in the NSA or in the logs. I am trying to set this up as a pilot for the possible deployment of multi-site branches. Has anyone deployed in this scenario? I have followed several guides on how to do this but am unable to reach main branch resources from the Cradlepoint.
0
I'm trying to create an IPsec site-to-site tunnel between an ASA 5505 and a pfSense firewall. The tunnel is up; however, I cannot ping through it. Where do I need to start in regards to troubleshooting?
0
I established an IKEv1 VPN tunnel between a Cisco ASA 5506 and a Cisco RV130.
ASA has a public IP 1.1.1.1, RV130 2.2.2.2
ASA network has an internal IP 192.168.12.0/24, the RV130 192.168.13.0/24

The tunnel connects and is stable.
I can ping 192.168.13.1 (the RV130 router) through the tunnel and connect to its web interface (https). And that's it.
I can't access anything past that in the 192.168.13.0 network. Nor can I access anything from the ASA network through the tunnel.

I tried both the VPN wizard through the ASDM and created the tunnel manually, through telnet. Same result. The tunnel is established, traffic does not flow through it.
When using an older ASA5505 instead of the 5506 everything works as it should, so now I'm stumped.

You'll find attached the configs. Please let me know if you spot something that could explain it or how can I troubleshoot this.

Thank you.
RV130.txt
asa5506.txt
0
I have a problem with the stability of a VPN IPSEC connection between two Draytek routers. One of which connects to a Terminal Server (2008 R2) OK and the VPN shows up and has not dropped its connection for over 36 hours.

However, the TS users are locked out during random disconnections (VPN still shows up) thereby causing problems in running a specific application (hitherto without problem). There are no error messages in the Event Log and I am now at a loss as to why the unreported disconnections randomly happen. Tried replacing the TS Ethernet adapter but not sure what to check next – any assistance would be appreciated.
0
Q1:
What are the most secure factors to consider when doing the above?  IPsec with 3Des?

Q2:
Symmetric or Asymmetric?

Q3:
If we're using Telco's VPN via Internet pipes, the VPN (ie encryption) is done at router or firewall level?

Q4:
For ease of porting to another ISP/public IP address, what do we need to do?  Portable NAT?


We used Cisco routers and a Juniper firewall.
0
IPsec tunnel does not come up

Router: HP Comware router

Config remote site :
----------------------------
IKE phase1
  encryption des
  authen MD5
  diffie-hellman group Group2 1024bit
  renegotiate every 480 minutes
  testpassword
IPSEC phase
  encryption des
  authen MD5
  PFS Diffie-Hellman group:         not selected
  renegotiate every 3600 sec
  LAN 172.x.x.0 /24
  WAN 203.x.x.x

Config my side :
-----------------------
acl number 3001
 rule permit ip source 192.168.x.0 0.0.0.255 destination 172.x.x.x 0.0.0.255
 quit
ike local-name vpntun01
ike proposal 1
 encryption-algorithm des-cbc
 authentication-algorithm md5
 dh group2
 sa duration 28800
 quit
ike peer vpntun01
 exchange-mode aggressive
 pre-shared-key simple testpassword
 proposal 1
 local-address 192.168.x.x
 remote-address 172.x.x.x
 quit
ipsec transform-set 1
 transform esp
 esp encryption-algorithm des
 esp authentication-algorithm md5
 quit
ipsec profile vpntun01
 ike-peer vpntun01
 transform-set 1
 sa duration time-based 3600
 quit
interface tunnel 1
 ip address 1.1.1.1 24
 tunnel-protocol ipsec ipv4
 source gigabitethernet 0/1
 destination 203.x.x.x
 ipsec profile vpntun01
 quit
ip route-static 172.x.x.x 255.255.255.0 tunnel 1

Log file :
*Nov 28 20:34:19:477 2016 Router1 IPSEC/7/DBG: IPsec_SA:ipsec acquire sa, use ike peer name: "vpntun01".
*Nov 28 20:34:19:477 2016 Router1 TUNNEL/7/debug:
Tunnel1 can't come up because:
*Nov 28 20:34:19:478 2016 …
0
Hi all, I have a tunnel configured between two sites.

Site A
ADSL internet connection connected to ATM0
Site A has a static ip address block assigned which is used for all inbound connections from the internet
GRE IPSEC tunnel configured to site B
Nat rule for one of the static ip's through to the mail server at site b
Nat rule for one of the static ip's through to the web(outlook OWA) server at site b


Site B
Fibre Internet connected via ethernet wan interface
GRE IPSEC Tunnel Configured to Site A
Mail Server connected on internal vlan interface

The problem is I'm getting a lot of issues with inbound SMTP. The errors reported are "timed out waiting for end of data", which from what I'm finding on the internet is possibly caused by fragmentation.
I also cannot really use the internet on the mail server, as all outbound traffic traverses the tunnel; however inbound web mail works fine, as does all other mobile mail functionality.

I suspect it's got something to do with the MSS or MTU settings; however I'm not sure how to set them correctly. I have played around with the MSS on the tunnel interface and still can't get internet working on the mail server.


The tunnel config is the same at both ends and looks like the following:
interface Tunnel0
 description Kuala Lumpur to Melbourne Link
 ip address 1.1.1.1 255.255.255.0
 ip mtu 1400
 ip virtual-reassembly in
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination x.x.x.x
 tunnel protection ipsec …
0
I have an XTM535 and I tried to set up a mobile IPsec tunnel to replace the no longer supported PPTP tunnel for iOS 10 on my iPad, but even when I see the user connected I cannot reach any machines in the network, and when I go to the WSM there are no packets sent.

My config is
Phase 1: SHA1 and 3DES, key group 2
Phase 2: SHA1 and 3DES without PFS
Capture.PNG
Force all traffic to any-external and 0.0.0.0/0
0
I tried this example in Packet Tracer 7 but it never worked; I hope some experts can point me to where the problem is. Here are my two sites' configurations.

ASA1:

ASA Version 8.4(2)
!
hostname F1
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.252
!
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
access-list LAN_Traffic extended permit tcp 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
!
!
!
!
!
!
class-map inspection-default
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect icmp
  inspect tftp
!
!
telnet timeout 5
ssh timeout 5
!
dhcpd auto_config outside
!
dhcpd enable inside
!
!
!
!
crypto ipsec ikev1 transform-set L2L esp-aes esp-sha-hmac
!
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface inside
crypto ikev1 enable inside
crypto ikev1 policy 1
 encr aes
 authentication pre-share
 group 2
!
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes…
0
I'm trying to connect a site-to-site IPsec VPN between a Cisco ASA5505 and an RV320. The same basic settings are being used on both sides but the tunnel is not connecting. When pressing Connect on the RV320 it fails to connect. Clearly, there are advanced settings that need to be adjusted. Anyone know of a tutorial on connecting these particular units? Any help would be appreciated. Thanks! Settings are:
RV320:
Gateway to Gateway
Interface:WAN1
Keying Mode: IKE with Preshared Key
Enabled: checked

Local Group Setup
Local Security Gateway Type: IP Only
IP Address: Local WAN
Local Security Group Type: Subnet
IP Address: 192.168.1.0
SM: 255.255.255.0

Remote Group Setup
Remote Security Gateway Type: IP Only
IP Address: Remote WAN
Remote Security Group Type: Subnet
IP Address: 192.168.3.0
SM: 255.255.255.0

IPSec Setup
Phase 1 DH Group: Group 1 – 768bit
P1 Enc: DES
P1 Auth: MD5
P1 SA Lifetime: 86400
PFS: checked
P2 DH Group: Group 1
P2 Encr: DES
P2 Auth: MD5
P2 SA Lifetime: 3600

Advanced: the only thing checked is Dead Peer Detection Interval 10 sec

ASA 5505:
Stepped through site-to-site wizard with same settings as above
0
I only have the Default Gateway login (10.0.0.1, I also tried 192.168.100.1 which didn't work) but am unsure if this is the Router Login page or Gateway Login page. Is there a difference?
0
Hi All,

I’m trying to get a Client to Gateway VPN working with L2TP and IPsec. I’m using a Netgear FVS336Gv2 which is connected to a fibre modem. The WAN light is green and I am able to surf the internet with a PC wired directly to the router. I’m sorry, but this is new ground for me and I would appreciate your help on this. I’ve set up the iPad with an L2TP VPN connection, but every time I click connect I get the following log on the router and the iPad doesn’t authenticate correctly. What am I doing wrong, please?

Error Log:

Thu Nov 03 10:50:23 2016 (GMT +0000): [FVS336Gv2] [IKE] ERROR:  Failed to get matching proposal for 85.XXX.XXX.XXX[24639].
Thu Nov 03 10:50:23 2016 (GMT +0000): [FVS336Gv2] [IKE] ERROR:  No suitable proposal found for 85.XXX.XXX.XXX[24639].
Thu Nov 03 10:50:23 2016 (GMT +0000): [FVS336Gv2] [IKE] WARNING:  Rejected phase 1 proposal as Peer's hashtype "MD5" mismatched with Local "SHA".
Thu Nov 03 10:50:23 2016 (GMT +0000): [FVS336Gv2] [IKE] WARNING:  Rejected phase 1 proposal as Peer's authentication method "pre-shared key" mismatched with Local "XAuth psk server".
Thu Nov 03 10:50:23 2016 (GMT +0000): [FVS336Gv2] [IKE] WARNING:  Rejected phase 1 proposal as Peer's encryption type "3DES-CBC" mismatched with Local "AES-CBC".
Thu Nov 03 10:50:23 2016 (GMT +0000): [FVS336Gv2] [IKE] WARNING:  Rejected phase 1 proposal as Peer's authentication method "pre-shared key" mismatched with Local "XAuth psk server".
Thu Nov 03 10:50:23 2016 (GMT +0000): …
0
I have 2 Sophos UTM firewalls between which I need to set up a site-to-site VPN.

In the setup there are 2 options: SSL and IPsec.

What are the benefits of going with SSL vs. IPsec for a site-to-site VPN?
(I am not interested in answers for client to site)

Thank you.
0
Hello Experts,

I'm trying to build a Microsoft Azure site-to-site vpn where the local end device is a Palo Alto Networks firewall.

I have been trying to follow the example shown here ....

https://live.paloaltonetworks.com/t5/Integration-Articles/Configuring-IKEv2-VPN-for-Microsoft-Azure-Environment/ta-p/60340

But I'm not having any luck establishing a connection.

Has anyone successfully established a connection with a Palo Alto firewall?

Kind regards

Carlton
0
I've been installing / configuring L2TP / IPsec on the firewall. I currently have a firewall that doesn't support the configuration, so I am looking to install L2TP on the SBS2008.

Can I use the same cert I'm using for RWW? The remote.domainname.com?

Anyone have installation procedures?
0
I'm running RRAS on two servers inside my network, currently able to offer L2TP (via shared key), SSTP and PPTP connections. All three VPN types are working and accessible (as an aside, I'll be ditching PPTP shortly, owing to its lacking security).

I would like to know if there is an easy way to set up, on the server side (most ideal) or client side, a priority of which connection type to try first when initiating a VPN connection from client to server. I'd like L2TP to be used as a priority, and if it doesn't work for some reason (like protocol 50 being blocked outbound on the remote client side) it switches across to attempting an SSTP connection as a secondary choice.

At present, when left on 'automatic' in the Windows VPN client settings, the client just connects to the PPTP VPN by default (despite having the L2TP shared key in place), utilising the weakest of the VPN technologies we're offering.

Many thanks!
0
I'm trying to track down a hacker that has accessed my network and devices and has been harassing me. But to be honest I have no idea what I'm doing when it comes to reading the logs I've been collecting. On my laptop I've been using Wireshark to track network connections, and various apps to track them on my Android. So my question is, how do I know which IP addresses are supposed to be there and which may be an intruder's?
Also, what piece of info (local/foreign/remote IP, MAC, hostname, DNS) is the one that will provide me with the most information if researched properly? And where is the best place with the tools to research said information?
0
Is anyone a reseller for Cisco? I need to purchase Cisco VPN Anywhere, and Cisco puts me in touch with a reseller that never calls me back. I need these ASAP. I can set up a work request, whichever is best.

Running an SBS2008 server, turned off Routing and Remote Access, configured the SonicWall firewall for L2TP/IPsec; all that's needed now is a VPN client, and I need one that will support L2TP/IPsec for Windows and Mac.
0
