[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x

Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

Share tech news, updates, or what's on your mind.

Sign up to Post

Internet (ISP) ----> CISCO 891 ----> Ubuntu Server [Another Country/City] (IPSec or smthing) ------]
                                                                                       Internet (ISP) <------ CISCO 891 <---------------------]

Can i configure the my home CISCO router to connect to another VPN Server and give access to my home computers to the internet from this Server?
0
Challenges in Government Cyber Security
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

Hello,
how I can know the imo and botim server block so I can blocked under my firewall ?
thanks.
0
Hi,

I have a problem to establish call session between two sites over gre tunnel ipsec. The tunnel is up but I am Unable to set a call. I think the problem is Nat but I don't know how to fix it.  It's seems like the traffic were blocked in the beginning of the tunnel.

You can see the configuration files in attached.

 

Best Regards,

 

Aristide
0
Dear expert,

I have bought a Samsung smart TV. I am looking for trusted and secure IPTV to install it. And secure IPTV vendor including Bein Sport, OSN, US channels, UK BBC...etc

a friend of mine advice me to install KODI but it is showing on the samsung store.

Thank you in advance.
0
All of a sudden last Friday, users have started having problems accessing some secured (banking, CC processing) sites & I'm not finding any indicators as to why.
I'm running a sonicwall TZ 300 & can't seem to find any info in any log files that would point me in the right direction. when going to certain sites, I just get a waiting for site message on tab & page never loads.
any suggestions?
0
We have 5 site's.  4 are using a Cisco RV320 router and the 5th is using a Secure Computing router.
They each have a hardware VPN Tunnel to Rogers Hosted Servers.  This provides the end user's access to an application on their network that is crucial to running their business.

Rogers is changing the WAN IP.  Therefore, we have to change each site's Router's VPN Remote WAN IP so the VPN continues to function.  
Once the IP's are changed, the VPN comes back up and connection between both end's is established.  However, we can no longer ping behind the LAN on Roger's end over the VPN tunnel therefore can no longer access the required application via the VPN Tunnel.

Roger's believes this is a setup issue on our end, however, nothing has changed except the Remote WAN IP on the VPN Tunnel to their side.  This has also been tested on 4 of the 5 sites.  3 of them Cisco RV320's and 1 Secure Computing Router.  No changes have taken place in the LAN or WAN at these site's either.

The VPN policy being used is as follows:

Key mode:
IKE with Preshared key

Local Group Setup:  
Defines the local site WAN IP and local Subnet

Remote Group Setup:
Defines the remote site WAN IP and the remote LAN Subnet

IPSec Setup:
Phase 1 DH: Group 2 - 1024 bit
PHase 1 Encrypt: 3DES
Phase 1 Auth: SHA1
Phase 1 Lifetime: 86400
Perfect forward secrecy: NA
Phase 2: Encrypt: 3DES
Phase 2: SHA1
Phase 2 Ligrtime: 3600

Additional Settings:
Keep-Alive Enabled
Dead Peer Detection …
0
Hello All,

A little help and advice needed please -

I am setting up a Site-to-Site VPN connection between a Cisco ASA and a TP Link ER6120 (I know don't ask). Any way phase 1 IKE keeps failing when I initiate from the ASA side.

I get MM_Active when responding to the TP Link however when initiating from ASA side it changes to MM_Wait_msg2 and MM_Wait_msg6. I have confirmed multiple times that the timers and PSK are the same both sides and that the encryption matches. Even when MM_Active as responder the IPSEC tunnel does not form.

Running a debug on crypto isakmp on the ASA I get the following -

Removing peer from correlator table failed, no match!
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Session is being torn down. Reason: Lost Service
[IKEv1]: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
[IKEv1]: Group =x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
[IKEv1]: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed

Am I missing something obvious here? Any help would be appreciated?
0
It seems that the documentation about IPsec/IKE setup on an SRX to Azure s2s VPN is conflicting.  There are 3 pain points:

1.  Can IPsec/IKE be used on a policy-based VPN for Azure? It seems that Azure is clear about "no" but the suggested Azure config includes IPsec & IKE config
2.  Which IKE version is best for SRX to Azure - v1 or v2, when using Policy Based or Route-Based VPN? (see attachment)
3.  If a trust sec zone (internal interf.) and an unstrust sec. zone (exter. interf.) already exists, how can I add interfaces that are in one of those zones already to a new "Internal & Internet Zone" for the Azure VPN Tunnel as documentation suggests?  I receive an SRX error about adding interfaces to multiple zones prohibited and if using PB VPN there is no st0.x to that config and/or I don't understand how to utilize or place the traditional interface under the st0.x iface.

SRX ERROR:

commit check
[edit security zones security-zone Internal]
  'interfaces ge-0/0/1.0'
    Interface ge-0/0/1.0 already assigned to another zone
error: configuration check-out failed



I found this on Azure's site - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell

Azure IKE Doc found on Azure Site
Azure States no IPsec for Policy-Based
Azure IKE Doc found on Azure Sitejuniper-no-ikev2.png
0
good morning, i face a big problem with configuration (IP telephone Cisco 7962g) from tow days ago i think my problem in my file .cnf.xml after i register it i can't change phone name and when i change  it  became not register and give me log message can't update local please help me
0
I have a CISCO RV320 and I need to configure an IPSEC client on a MAC. I have tried SHIMO, and the MAC native VPN configuration, however I cant seem to make it connect. I have not been able to find the CISCO EASYVPN software for MAC since CISCO has discontinued the software support. Any thoughts?

Dan
0
Defend Against the Q2 Top Security Threats
Defend Against the Q2 Top Security Threats

Were you aware that overall malware worldwide was down a surprising 42% from Q1'18? Every quarter, the WatchGuard Threat Lab releases an Internet Security Report that analyzes the top threat trends impacting companies worldwide. Learn more by viewing our on-demand webinar today!

I have an ASA 5512 with about a dozen site to site tunnels set up.  Several times a week some of the tunnels will all drop at once.  there doesn't seem to be rhyme or reason to it.  I would expect if it was an ISP issue ALL of the tunnels would drop.  In the logs it will have the reason as "Administrator reset".  I've checked time out values and they all are set to default as far as I can tell.  My Cisco experience is limited but I can provide info as needed.
0
Hi,
Is there any programming examples, showing the way to detect which area it is, per given IP (Worldwide IP)?
0
Experts,
I am having an issue with one user who is unable to browse to a site over VPN. Instead of going to the address specified, it brings up google search list for the address. Without VPN user is able to browse to the site. Any suggestions or ideas?
0
Hello,

We have a cisco 5510 asa.  interfaces outside and outside2 are for wan.  We have a failover setup where if outside goes down outside2 comes up.  We also have site to site vpn setup, and for outside2 interface to  renegotiate with our other site automatically.

The issue we are having is that once or twice a day our main wan (interface outside)  looses site to site vpn with our other office.  Internet stays up but the tunnel breaks.  When we put it on our backup wan (interface outside2) everything runs fine.  

I have to manually disable the interface outside then re enable the interface and then site to site starts to work.  I have already spoken to our isp and they didnt find any issues.  I have also swapped with a space 5510 and still the same issue.  I have attached copy of the configuration.  Please help
ciscoconfiguration.txt
0
So I am trying to get a new VPN solution up and running here, using a Draytek 3900 router.
The clients connect using the built-in VPN client on W10

I would like the set-up to work in such a way that when a user tries to connect to the VPN, our on-prem AD is checked to confirm that the user is a member of the relevant group.
The client should also be set up to receive a DHCP address from the same on-prem domain controller.

So far, I can make the following work:

User account set up on the Draytek, I can get DHCP to work and assign the client laptop an address on the local network correctly.
Trying to use LDAP to query the AD, log files show (I think) that AD is queried and approves the user, but no DHCP address is given.

I cannot see anything wrong with the settings, could really use some assistance from anyone who knows Drayteks better than me or has the same setup and can compare settings!

Thanks in advance for any assistance
0
Cisco RV320 to RV320 Gateway to Gateway

Config is fine tunnel never connect

Site A Log

2018-04-09, 22:15:45      VPN Log      [g2gips0] #1: [Tunnel Established] sent MR3, ISAKMP SA established
2018-04-09, 22:15:45      VPN Log      [g2gips0]: cmd=up-client peer=79.173.X.X peer_client=192.168.2.0/24 peer_client_net=192.168.2.0 peer_client_mask=255.255.255.0
2018-04-09, 22:15:45      VPN Log      ip route add 192.168.2.0/24 via 10.50.253.15 dev ppp1 metric 35
2018-04-09, 22:15:45      VPN Log      iptables -t nat -I vpn -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      iptables -t nat -I vpn -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      iptables -t nat -I vpn_postrouting -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      iptables -t nat -I vpn_postrouting -o eth0 -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      [g2gips0] #2: [Tunnel Established] IPsec SA established {ESP=>0xc9f16ce4 < 0xcb1f6958 AH=>0xc4790703 < 0xc9d7ed2c}
2018-04-09, 22:15:45      VPN Log      [g2gips0]: cmd=down-client peer=79.173.X.X peer_client=192.168.2.0/24 peer_client_net=192.168.2.0 peer_client_mask=255.255.255.0
2018-04-09, 22:15:45      VPN Log      ip route del 192.168.2.0/24 via 10.50.253.15 dev ppp1 metric 35
2018-04-09, 22:15:45      VPN Log      iptables -t nat -D vpn -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      iptables -t nat -D vpn -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      …
0
Hi Guys and Gals,

I have a problem that I am banging my head and can't seem to get work.

I have 2 locations
Location 1
IP 10.10.10.0/24

Location 2
IP 20.20.20.0/24

There is a Site to Site IPSec VPN connection between them with all ports wide open..Location 1 has the active directory domain server for MYDOMAIN.com...I want to add a second server at location 2 as a domain server as well, but I can't get it to find the domain.  The server in location 2 has the AD DNS server in Location 1 as the DNS server and I can ping the domain without problem but when I go to join the domain it camn't find the domain controller it says...all ports are open so I am lost...HELP!!!!
0
Hi All

This is not a question as such im looking for information ideas on how i can pass VLAN's across a ipsec VPN tunnel

Ive got 16 VLANS that is hosted at one site located a few hundred kilometers away from my secondary site and i want to be able to push the vlans from the main site to the secondary site and then be able to distriube those via a switch at the remote site

The sites currently will be connected via either Sonicwalls or WatchGuard UTM Appliances

Any help or suggestions on this would be greatly appreciated
0
I have an IPSec VPN tunnel going between a main office and a home office (Cisco router at the main office end and Draytek at the home office end).  I am wanting the user to be able to log into the Terminal Server down the tunnel from home to the main office.  From her computer I can RDP to any other server but I can't RDP to the Terminal server.  It gets stuck on 'Securing remote Connection' after entering the credentials for up to 2 mins before eventually erroring out with a non-descript general 'Can't connect' error.  We've tried on a different laptop (Win 10 vs Win7, and wired and wireless) and have replaced the home office router with another model Draytek but the issue has remained the same.

After A LOT of googling and a little bit of Wiresharking, and trial and error I think the issue is down to MTU issues but I'm not an expert in this field and I'm trying to learn all I can.

My testing with 'ping -f -l' I've found:
  • Terminal Server at the main office can ping with a limit of 1472 to the router at the main office and out to Google (4.2.2.2)
  • Terminal Server cannot ping the home office router at 1472 - its too big.  I cut it down to 1400 and the first ping timed out and then was too big
  • On the laptop at the home office end I can ping with a limit of 1472 to the home office router, to Google, AND to the router at the main office end.

Another interesting and likely related symptom is…
0
Redefine Your Security with AI & Machine Learning
Redefine Your Security with AI & Machine Learning

The implications of AI and machine learning in cyber security are massive and constantly growing, creating both efficiencies and new challenges across the board. Check out our on-demand webinar to learn more about how AI can help your organization!

I built LAN to LAN vpn between two company , both ASA5510 , but when I finished configuring , I do ' show crypto isakmp sa ' ,
then deploy  'there are no isakmp' ,
when I do ' packet-tracer input inside tcp 10.99.4.12 80 10.120.1.4 80' , the vpn tunnel could up successful , and ‘show crypto isakmp sa ' has some content :
1   IKE Peer: a.a.a.a
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE    

and two company could access each other , but an strange  thing appeared , after 10 minutes , the vpn tunnel was drop  ,  'there are no isakmp' appeared again ,  I could not do packet tracer every 10 minutes , another method ,  I use a server to ping opposite server all the time , the tunnel won't drop .

here is configuration :
asa5510 A:
access-list QM-test extended permit ip 10.99.4.0 255.255.255.0 10.120.1.0 255.255.255.0
access-list acl_nat0 extended permit ip 10.99.4.0 255.255.255.0 10.120.1.0 255.255.255.0
nat (inside) 0 access-list acl_nat0
crypto ipsec transform-set test-QM esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 43200
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address QM-test
crypto map mymap 10 set peer a.a.a.a
crypto map mymap 10 set transform-set test-QM
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash…
0
I have been trying to work with Sonicwall support on this issue and have made no progress.  We have been using the appliance in the past with split tunnel enabled but, due to security requirements, we can no longer allow split tunnel.  If we turn it off,  remote users can access internal resources we have configured, but cannot access anything on the Internet. It seems that we need to create a resource which is "anything" on the Internet but we don't know how to do that. We don't see any kind of wild card options.  We have not given our users access to "Any" resource.  We need to specifically define the resource they have access to.  We need an "Internet" resource and then we can give them access to that.  Is this possible.  Or, is there some other way to approach this?

Sonicwall support had us upgrade the firmware to 11.40-468 with the 708 hotfixes but that did not create an options for resolving this requirement.
0
i have 2 ubuntu servers on in home and one on a remote server and both are running ubuntu server 16.04

i followed this guide to install and configure strongswan https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html

it worked fine on my localserver but not on the remote server even when accessing the my localserver remotely it works just fine

i am stuck .. im not sure what i am doing wrong .. hoping someone on here can help- my host says that my ubuntu install is mostly* stock with little to no mods - though ive noticed some file permissions where changed

https://imlost.me/server.txt https://imlost.me/client.txt
0
Hello, I started to configure a PFSense, version 2.4.1. I want to know if it is possible to configure an IPsec multi-WAN failover

Has anyone had any experience configuring this? I already configured the DUAL WAN Failover on the PFSense

I would like that the VPN tunnel can be able to stay up if the WAN fails over.

Thanks in advance
0
Hi All,

We have two Cisco ASA 5505 Firewalls that are running a site to site VPN, one is in China the other is in the UK. The China ASA is the initiator.

This isn't something I set up it was something that was set up years ago and it has been working perfectly until about 6 weeks ago when one day it just stopped. If I try to ping a host from China to Manchester I can see MM_WAIT_MSG2 on the China ASA and MM_WAIT_MSG3 on the UK side but it never gets any further.

No config was changed it simply stopped working one day. I'm fairly new to Cisco. I could see that the time was out on the China side so I corrected this without success. Below is a snippet from each ASA that I think is relevant to the VPN. Can anyone offer any suggestions?

----- China ------

crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address VPNACL
crypto map VPNMAP 1 set peer 195.x.x.x
crypto map VPNMAP 1 set ikev1 transform-set VPN
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200

------ UK --------

crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address VPNACL
crypto map VPNMAP 1 set peer 202.x.x.x
crypto map VPNMAP 1 set ikev1 transform-set VPN
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 …
0
We have multiple branches and sites that are connected to main Data Centre. As for now the WAN is protected (traffic is encrypted via IPSec). Objective: I want to make sure that all traffic when it leave the host is also encrypted. There should be no gap (un-encrypted data in motion) regardless within the LAN or WAN.
The concerns from the network engineer, is that if we implement Host to Host IPSec, it will be a tunnel within tunnel. It will decrease network performance.
How do we ensure all the traffic are encrypted? Any other available solutions?
0

Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

Top Experts In
Internet Protocol Security
<
Monthly
>