Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

Does anyone by chance have step-by-step install documentation created for a Cisco ASA 5508 for AnyConnect? We had a firewall die and installed this one as new. They were IPsec, now on SSL. We need to deploy AnyConnect to everyone and just need to tweak the document to fit our client's config. Any help would be greatly appreciated. No one can tunnel in without setting this up. This is pretty high priority.
Below is a snippet of "sho crypto session" on a DMVPN router. Although the status of the session is down, I can't get these entries to disappear from the router. I've tried "clear crypto session" and "clear crypto sa peer". Yet these keep showing up like a zombie. What's going on with this?

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: port 500
  IPSEC FLOW: permit ip
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip
        Active SAs: 0, origin: crypto map
I need to create a white paper based on actual usage in the field for monitoring traffic. In particular, monitoring encrypted traffic. Our data center is receiving NetFlow and IPFIX data from a few dozen client enterprises that we are serving. The NetFlow/IPFIX data is being sent to us in real time, but we do not have control over where our clients are sourcing it. It is up to them. In other words, the "tap" they use is most likely outside their firewall, and probably outside their boundary router, but may not always be. So in the case of encrypted traffic, obviously we are not reading their payload, but we need to be able to detect whether specific traffic is encrypted. For both cases, for SSL traffic and for IPsec VPN traffic, we need to identify as much as we can for our clients' sake, without deciphering the payload.

Can you point me to explanations and scenarios (preferably real case scenarios) where this is done, and how the security techs, who are monitoring this in our data center, are handling this? Especially, as is most likely the case, if the data we are receiving is from the encrypted data flow.
I have a question about security when it comes to remote apps like TeamViewer. How secure is TeamViewer? Is the connection encrypted, and how does it compare to if we were to VPN? What's advisable in the area of remoting into work?
I need help to establish a VPN connection from my home Linux box (Debian 10) to the office's SonicWall TZ300 using strongSwan ipsec.
Here are my config files:

/etc/ipsec.conf
conn GroupVPN


# aggressive=yes disabled by default when auth by PSK. It's enabled by setting
# charon.i_dont_care_about_security_and_use_aggressive_mode_psk=yes in strongswan.conf
# see https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Aggressive-Mode
# see https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

#include /var/lib/strongswan/ipsec.conf.inc


/etc/ipsec.secrets

#include /var/lib/strongswan/ipsec.secrets.inc

@GroupVPN @<UniqueFirewallIdentifier> : PSK <SharedSecret>
<MyUserName> : XAUTH "<MyUserPassword>"

# ipsec statusall
Status of IKE charon daemon (weakSwan 5.7.2, Linux 4.19.75+, armv6l):
  uptime: 2 seconds, since Jan 28 19:02:33 2020
  malloc: sbrk 811008, mmap 0, used 468032, free 342976
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap pkcs11 tpm aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
    GroupVPN:  %any...<SW_IPaddress>  IKEv1 Aggressive
    GroupVPN:   local:  [GroupVPN] uses pre-shared key authentication
    GroupVPN:   local:  [GroupVPN] uses XAuth authentication: any with XAuth identity '<MyUserName>'
    GroupVPN:   remote: [<UniqueFirewallIdentifier>] uses pre-shared key authentication
    GroupVPN:   child: === TUNNEL
Security Associations (0 up, 0 connecting):


GroupVPN policy / Advanced VPN / Advanced Settings (screenshot)

From SonicWall log (most recent at the top; screenshot):

I want to create a site-to-site IPsec VPN between 2 FortiGates. 1 FortiGate has the GUI disabled, no CLI.

How can I set psksecret ENC on the FortiGate with no GUI?
In a new environment, one of the projects left behind by a predecessor was to upgrade the encryption on their DMVPN from 3DES to AES 256. That's a good goal to be up to modern standards. But I see a lot of other areas of greater vulnerability. And the update and verification of hundreds of spoke sites will take considerable time. My question: how vulnerable is a 3DES-encrypted DMVPN network?
I am on a new gig where the client has small spoke sites talking to a hub at the data over DMVPN with IPsec encryption. The edge devices at the spoke sites are Cisco ISRs. They complain about the performance of Horizon VDI not infrequently. One thing I was wondering is: what would be the performance knock of their sending their already secure PCoIP traffic over the encrypted DMVPN? It seems they could just send the traffic to the VDI farm without it needing to travel through the tunnel. Might it improve VDI performance from the perspective of the end to have those connections bypass the tunnel and just traverse the Internet without a second encryption operation?
Hi, I wanted to get a Cisco RV340 and use it for VPN for remote clients. I'm trying to find info on it, but it's confusing to me.

So it looks like there is a client called AnyConnect by Cisco that works with the 340, but there is a cost for it, and I have to find a reseller; that seems strange to me. I used the PPTP client on other RVs for years.

I hear the 340 has IPsec for remote clients, but can't verify that.

Question: can I connect a Windows or Mac client using the native IPsec software to an RV340?

Thanks all.
Hi, what is the correct way to tell Vyatta the ports on an IPsec tunnel? We have to connect to a host that listens on two ports. Is it done with a space? Comma separated?

Example below:

tunnel 11 {
    allow-nat-networks disable
    allow-public-networks disable
    esp-group Our-Group-Their-Group-ESP
    local {
        prefix x.x.x.x/32
    }
    remote {
        port 7007,9005 (separate by comma? Space? Dash?)
        prefix x.x.x.x/32
    }
}

Which one is the correct statement when comparing IKEv2 and IKEv1?

a. IKEv2 is more secure by requiring reauthentication for the IKE SA.
b. IKEv2 is more reliable by requiring all messages to be acknowledged.

Any suggestions ?

We are trying to authenticate from a Cisco ASA firewall with our Domain Controller that is hosted in Azure over a site-to-site VPN connection. We have this working fine from the ASA to our on-premises DCs using IPsec VPN.

Azure support have said we should add a rule on the NSG to allow this traffic through (they have tweaked it too), but it does not work. It times out on the firewall console (this is externally managed).

LDAP connection over the site-to-site VPNs to the DC works fine using LDAP.exe, and I can bind to it.

We are having loads of trouble configuring a site-to-site VPN with a pair of WatchGuard T35 firewalls.
Neither is configured, pretty much, outside of the initial setup wizard.
The current site-to-site VPN is stock from the VPN configuration guide from WatchGuard.

We tried a number of different configs, but have currently deleted them to restart fresh.
Also, we are trying to set the connection to initiate from SiteB to SiteA just to limit randomness, but can set bidirectional or SiteA to SiteB as initiator. Doesn't really matter to us.

My theories may be off, so I'll just throw out the logs from each to see what you may think is happening.

Thank you in advance.

Site A
*** WG Diagnostic Report for Gateway "AA-to-TC-Gateway" ***
Created On: Tue Oct 29 09:22:49 2019

	Error Messages for Gateway Endpoint #1 (name "AA-to-TC-Gateway")
		Oct 29 09:22:35 2019 ERROR  0x02030015 Message retry timeout. Check the connection between local and remote gateway endpoints.

[Gateway Summary]
	Gateway "AA-to-TC-Gateway" contains "1" gateway endpoint(s). IKE Version is IKEv1.
	  Gateway Endpoint #1 (name "AA-to-TC-Gateway") Enabled
		Mode: Main
		PFS: Disabled 	AlwaysUp: Disabled
		DPD: Enabled 	Keepalive: Disabled
		Local ID<->Remote ID: {IP_ADDR(A.A.A.A) <-> IP_ADDR(B.B.B.B)}
		Local GW_IP<->Remote GW_IP: {A.A.A.A <-> B.B.B.B}
		Outgoing Interface: eth0 (ifIndex=4)
			linkStatus=0 (0:unknown, 1:down, 2:up)
		Stored user messages:


I have two sites connected by an IPsec VPN. I have conditional forwarders at each site for the other site so I can resolve computer names using the FQDN. I can ping and resolve between the two sites.

At site one, I have about 50 Hyper-V hosts and they all live in Hyper-V manager on my management PC.  These hosts are managing a domain there at site 1.

At site two, I have about 25 hosts and they live in Hyper-V manager on my management PC at site 2.  The hosts in site 2 are not on a domain.  The hosts are standalone.

Thinking myself clever, I decided to add the hosts from site 2 to the site 1 Hyper-V manager. It's not working, even when I try "manage as", so I was wondering if it's even doable... adding workgroup-based servers to a Hyper-V manager that manages hosts on a domain.

I was thinking that they are just Hyper-V hosts and they should add just fine, but I'm not finding that to be the case.

It's not working.

Oh yeah, site 1 hosts are all 2012 R2 and site 2 hosts are all 2016. I'm adding to Windows 10 Enterprise machines. On the MS site, they say that should work.

I am using the WARP app on iPhone. I just got this message; does any expert know what it means? Help please.

WARP message (screenshot)
IP conflict in 2 of 8 security cameras recently added of the OOSSXX type. How to fix? All 8 are remotely viewable, but the 2 conflicting cameras show the images shared and flipping between their two images. Windows 10 Pro PCs and Apple in use. Please advise the easy, best way to resolve the IP conflicts. Thanks tons.
I wanted to test and eventually use our router's (PepLink Balance One) built-in VPN server to access resources on the network for users.
After setting up the VPN server (in the router the feature is called Remote User Access), I chose L2TP with IPsec.
On the client side I used the Windows 10 built-in VPN Connection option, and after a few tweaks I succeeded in connecting to the server from an outside network.
The problem is that I could only connect to one share, using the file server's internal IP address 192.168.0.x. I cannot access (or ping) anything by the NetBIOS name.
As the next step I changed the protocol to PPTP on the server and managed to connect with the client; however, I am still not able to access resources, except by IP address \\<Internal IP address>\Share.
Just as a side note, we don't have a domain, just peer to peer.
We have a site to site VPN tunnel which has been performing well for 4 years.  We are seeing increased traffic this week and are seeing select devices unable to reliably access the tunnel for periods of several minutes to several hours while other devices are able to connect across the tunnel.

The VPN tunnel is used to access a terminal server in a remote site using handheld computers running Windows CE. We typically have 12 devices deployed. Currently we have 18 devices deployed for a 2-week project.

We are seeing that during peak times (more users connected to the RDP server) select devices will be unable to connect. Pings from the affected device will range from 100% loss to 0%. The ping failure rate fluctuates. Users may sometimes connect to the RDP server for a few minutes before being disconnected again.

This problem seems to last between 10 and 120 minutes.

I have taken packet captures at the ASA and see that both ICMP and RDP packets are arriving on the inside interface; the portable computer having the problem is transmitting correctly.

My problem is how do I ensure the ASA is encapsulating these packets and sending them out the outside interface reliably. I have taken packet captures on the outside interface but do not know of a way to match these encapsulated packets up to those originating from the problem computer.

I have reviewed: show crypto ipsec sa

 #pkts encaps: 9228711, #pkts encrypt: 9228711, #pkts digest: 9228711


I've just bought a DrayTek Vigor2620Ln (ADSL/VDSL router/firewall with backup WAN port and 4G LTE modem built in, UK version).

I want to be able to create a site-to-site (or LAN-to-LAN in DrayTek's terminology) VPN via an IPsec tunnel to a Netgear ProSafe firewall I have running at another site. Simultaneously, I want to be able to access an L2TP VPN server running on Windows 2012 RRAS (behind the DrayTek at the primary site), via passthrough, when I'm out and about.

Having created the site-to-site VPN with a few issues along the way, I have got it working. I have also got the L2TP VPN passthrough working so I can connect from my Windows laptop when away from the main network. HOWEVER, it seems impossible to get both working at the same time. For the site-to-site to work, I have to tick 'Enable IPSec VPN Service' under the Remote Access Control settings on the DrayTek. But once I do this, passthrough of the L2TP Windows VPN fails. If I untick it, it is the other way around, with the site-to-site failing and the L2TP passthrough working.

I suspect someone out there will confirm DrayTek routers simply cannot both have a site to site and L2TP passthrough connection connected simultaneously (I momentarily achieved it once, on initial bootup). I appreciate both VPN types use IPSec, however every single Netgear and Linksys router I've owned and used to date has been able to do both simultaneously with zero problems. I'm hopeful I'm missing something, but fear I'm not and the …
Hi, both on the same ASA firewall: a remote access VPN is already in place.

Can I also add a site-to-site VPN? Thanks.
I have 13 IPsec VPNs that are set up and working on a VMware NSX Edge. The remote sites are all Sophos XG Firewalls. They used to connect to a Sophos firewall. In the earlier scenario, there was a VPN-to-VPN rule that joined all the Sophos IPsec connections together in a hub-and-spoke network design. One could see devices between Atlanta and Orlando, for example.

Now I have them all connected successfully to the VMware NSX Edge firewall. I have 2 rules for each location on the NSX. For example, NSX to Atlanta and the reciprocal Atlanta to NSX.

I'd like for traffic to be seen from one location, like Atlanta, through the NSX Edge to Orlando.
On each Sophos connection to the Edge, I've added the remote networks I'd like to add to the Edge connection.
In the previous all-Sophos configuration, at the "hub" Sophos, a rule of VPN to VPN was in place to make this happen.
But I think I'm missing something on the NSX Edge to allow for Atlanta to "see" Orlando.

I have added reciprocal rules of Atlanta to Orlando and vice versa on the NSX, but that is not working.
We have an IPsec VPN between two ASAs. The VPN works fine, but it loses connection a lot of times in a day; the underground network looks fine.

When we check log we find this message:
%ASA-session-7-710006: ESP request discarded from X TO Y
(you can check all the logs in the attached file)

Can you tell me what exactly this message means and how the problem can be fixed?
Hi Expert,

Good day.

I am having an issue exporting the IPsec certificate. I have tried to follow the following steps:

# pk12util -o <certoutputname>.pfx -n <name of certificate to be extracted> -d sql:/etc/ipsec.d
Enter password for PKCS12 file:
Re-enter password:

Question: referring to the above, where can I find "<certoutputname>.pfx" and "<name of certificate to be extracted>"?

Many thanks
In a conversation at a get-together last night, it was stated that if an outside person illegally connects to one's internet cable line (that is, cuts and attaches to the main line that connects to one's home), they will be able to see everything one navigates to. I understand that it doesn't work like that by connecting to one's Wi-Fi, that they can spy on one, etc. But the person said a bunch of tech words, so I wanted to know what EE has to say. Can a person, by connecting to one's cable line, have access to one's web access and see all?

Thank you.
I really dislike the JSON way to handle multiple public IPs on the USG. The EdgeRouter is much friendlier with multiple IPs, but the USG has more security features I'm into for my clients. What is the best way to set up an IPsec site-to-site from outside to reach any of the USG-PRO LAN# spaces when it sits behind another router (ER6P)?

Site1 ---> ER6P (Internet) eth0 --- eth1 ----> USGPRO WAN --- LAN1
Site2 ---> ER6P (Internet) eth0 --- eth1 ----> USGPRO WAN --- LAN1

Currently I'm seeing the USG-PRO WAN ( or when sourcing on either end of the tunnel instead of the real IP from their LAN#. That's not good when needing to restrict IPs with multiple IPsec tunnels.