
Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


Inherited a Cisco ASA and I have an IPSec tunnel configured and working great; however, I am trying to figure out which hosts are using this tunnel.

Since the tunnel is encrypted, I cannot seem to capture any packets.

I see the peer IP for the tunnel, and the destination being the outside public IP of the ASA; I need to find the host that is initiating this tunnel.

Appreciate any insights, thanks.
0

Cisco IPSec tunnel: need to find out who is the final destination of a file copy through the tunnel.
Packet capture won't show me the true destination host. I see the peer IP, and the destination is the public IP of the ASA.

Example: a user initiates a copy through the tunnel; I am trying to identify which host is initiating this copy.
0
Looking for a good detailed survey of SDWANs that are available and procedures for how to deploy each.
If I have a worldwide client base and I need my staff to access customers' data centers privately, how do I pick the right SDWAN solution, and how do I migrate to them?
0
We have an IPsec tunnel set up between two locations. One side is Cisco and the other a Fortigate. The ACL is set up to allow all traffic between the two locations. Most traffic does work, but we found we are unable to pass SSH traffic through. We can see the SSH traffic leaving the Fortigate. We have no problem connecting with SSH through the NAT statements on the Cisco, so we know it's the tunnel that is causing this. What am I missing?

crypto map chi-map 10 ipsec-isakmp
 description Tunnel to Chicago office
 set peer 99.99.99.99
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 43200
 set transform-set chi-ipsec
 set pfs group20
 match address 100
 reverse-route
access-list 100 permit ip 192.168.254.0 0.0.0.255 192.168.22.0 0.0.0.255
0
Working to establish IPsec Site-to-Site VPN, the local network is 192.168.0.x behind a Cisco RV130W and far end has a Cisco NSA 2600 and also has a pre-existing VPN with the 192.168.0.x subnet. The tunnel needs to support a single host on each end.

Is it possible to assign a 2nd IP Address to the PC in my network, say 10.10.20.2, and use this for the VPN?
0
Morning, I am trying to set up a Windows 2016 VPN via L2TP but keep getting the below error.
Anyone know what I can do to fix it?

During main mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
Local Network Address:      172.16.0.139
Remote Network Address:      172.16.66.10
Keying Module Name:      IKEv1
0
Internet (ISP) ----> CISCO 891 ----> Ubuntu Server [Another Country/City] (IPSec or smthing) ------]
                                                                                       Internet (ISP) <------ CISCO 891 <---------------------]

Can I configure my home CISCO router to connect to another VPN server and give my home computers access to the internet from this server?
0
It has been almost a year since I switched to Auth0 to manage my customers' access to the dashboard of my application. Nowadays I need to implement access for a RESTful API.

If I follow the instructions to secure the NodeJS app using JWT, it works like a charm. The issue is that I am not entirely sure about the implementation for the end user to get the token needed to access this API.

I thought of creating the tokens on the dashboard, or just using a server-side implementation for the login/authentication. I did the latter before using access to my own database, and it worked amazingly. My issue is that I am not completely sure how to do it for the end user using Auth0.

It would be great if you could guide me on implementing the login/authentication side of the API using Auth0 and NodeJS.
0
Hello,
how can I find out the imo and botim server block so I can block it on my firewall?
Thanks.
0
Hi,

I have a problem establishing a call session between two sites over a GRE over IPsec tunnel. The tunnel is up but I am unable to set up a call. I think the problem is NAT but I don't know how to fix it. It seems like the traffic is blocked at the beginning of the tunnel.

You can see the configuration files in the attachment.

Best Regards,

Aristide
0

Dear expert,

I have bought a Samsung smart TV. I am looking for a trusted and secure IPTV to install on it, and a secure IPTV vendor including Bein Sport, OSN, US channels, UK BBC, etc.

A friend of mine advised me to install KODI but it is showing on the Samsung store.

Thank you in advance.
0
All of a sudden last Friday, users started having problems accessing some secured (banking, CC processing) sites, and I'm not finding any indicators as to why.
I'm running a SonicWall TZ 300 and can't seem to find any info in any log files that would point me in the right direction. When going to certain sites, I just get a "waiting for site" message on the tab and the page never loads.
Any suggestions?
0
We have 5 sites. 4 are using a Cisco RV320 router and the 5th is using a Secure Computing router.
They each have a hardware VPN tunnel to Rogers hosted servers. This provides the end users access to an application on their network that is crucial to running their business.

Rogers is changing the WAN IP. Therefore, we have to change each site's router's VPN remote WAN IP so the VPN continues to function.
Once the IPs are changed, the VPN comes back up and the connection between both ends is established. However, we can no longer ping behind the LAN on Rogers' end over the VPN tunnel, and therefore can no longer access the required application via the VPN tunnel.

Rogers believes this is a setup issue on our end; however, nothing has changed except the remote WAN IP on the VPN tunnel to their side. This has also been tested on 4 of the 5 sites: 3 of them Cisco RV320s and 1 Secure Computing router. No changes have taken place in the LAN or WAN at these sites either.

The VPN policy being used is as follows:

Key mode:
IKE with Preshared key

Local Group Setup:  
Defines the local site WAN IP and local Subnet

Remote Group Setup:
Defines the remote site WAN IP and the remote LAN Subnet

IPSec Setup:
Phase 1 DH: Group 2 - 1024 bit
Phase 1 Encrypt: 3DES
Phase 1 Auth: SHA1
Phase 1 Lifetime: 86400
Perfect forward secrecy: NA
Phase 2: Encrypt: 3DES
Phase 2: SHA1
Phase 2 Lifetime: 3600

Additional Settings:
Keep-Alive Enabled
Dead Peer Detection …
0
Hello All,

A little help and advice needed please -

I am setting up a Site-to-Site VPN connection between a Cisco ASA and a TP-Link ER6120 (I know, don't ask). Anyway, phase 1 IKE keeps failing when I initiate from the ASA side.

I get MM_Active when responding to the TP-Link; however, when initiating from the ASA side it changes to MM_Wait_msg2 and MM_Wait_msg6. I have confirmed multiple times that the timers and PSK are the same on both sides and that the encryption matches. Even when MM_Active as responder, the IPSEC tunnel does not form.

Running a debug on crypto isakmp on the ASA, I get the following:

Removing peer from correlator table failed, no match!
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Session is being torn down. Reason: Lost Service
[IKEv1]: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
[IKEv1]: Group =x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
[IKEv1]: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed

Am I missing something obvious here? Any help would be appreciated.
0
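Both the RV320 policy post and the ASA/TP-Link MM_Wait post come down to checking that the two peers propose the same phase 1 and phase 2 parameters. The following is an added example, not code from any of the posts or from Cisco: it compares two sides' settings, reports mismatches, and flags algorithms a defender would want to retire. The local values are the ones listed in the RV320 post; the remote side is a constructed sample with a deliberately different PFS setting.

```python
# Added example: audit an IKEv1/IPsec site-to-site policy pair for
# mismatches (tunnel will not negotiate) and weak settings (tunnel
# negotiates, but with algorithms that should be retired).

# Parameters that must agree for phase 1 (ISAKMP SA) and phase 2 (IPsec SA).
PHASE1_KEYS = ("dh_group", "encryption", "auth", "lifetime")
PHASE2_KEYS = ("encryption", "auth", "lifetime", "pfs")

# Settings to flag even when both sides agree on them (assumed thresholds).
WEAK = {
    "dh_group": {"Group 1 - 768 bit", "Group 2 - 1024 bit"},
    "encryption": {"DES", "3DES"},
    "auth": {"MD5", "SHA1"},
    "pfs": {"NA"},            # PFS disabled: phase 2 keys derive from phase 1
}

# Local side: values as listed in the RV320 post above.
LOCAL_POLICY = {
    "phase1": {"dh_group": "Group 2 - 1024 bit", "encryption": "3DES",
               "auth": "SHA1", "lifetime": 86400},
    "phase2": {"encryption": "3DES", "auth": "SHA1", "lifetime": 3600,
               "pfs": "NA"},
}

# Remote side: constructed sample, identical except PFS is enabled.
REMOTE_POLICY = {
    "phase1": dict(LOCAL_POLICY["phase1"]),
    "phase2": {**LOCAL_POLICY["phase2"], "pfs": "Group 2 - 1024 bit"},
}


def check_phase(local: dict, remote: dict, keys) -> list:
    """Return findings for one phase: MISMATCH entries block negotiation,
    WEAK entries are advisory. Lifetime differences are reported as WARN
    because IKEv1 peers commonly settle on the shorter value."""
    findings = []
    for key in keys:
        lv, rv = local.get(key), remote.get(key)
        if lv != rv:
            tag = "WARN" if key == "lifetime" else "MISMATCH"
            findings.append(f"{tag} {key}: local={lv!r} remote={rv!r}")
        if lv in WEAK.get(key, set()):
            findings.append(f"WEAK {key}: {lv}")
    return findings


def audit(local: dict, remote: dict) -> dict:
    """Audit both phases; 'negotiable' is False if any MISMATCH was found."""
    p1 = check_phase(local["phase1"], remote["phase1"], PHASE1_KEYS)
    p2 = check_phase(local["phase2"], remote["phase2"], PHASE2_KEYS)
    blocked = any(f.startswith("MISMATCH") for f in p1 + p2)
    return {"phase1": p1, "phase2": p2, "negotiable": not blocked}


if __name__ == "__main__":
    for phase, items in audit(LOCAL_POLICY, REMOTE_POLICY).items():
        print(phase, items)
```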
It seems that the documentation about IPsec/IKE setup on an SRX to Azure S2S VPN is conflicting. There are 3 pain points:

1.  Can IPsec/IKE be used on a policy-based VPN for Azure? It seems that Azure is clear about "no", but the suggested Azure config includes IPsec & IKE config.
2.  Which IKE version is best for SRX to Azure, v1 or v2, when using Policy-Based or Route-Based VPN? (see attachment)
3.  If a trust security zone (internal interface) and an untrust security zone (external interface) already exist, how can I add interfaces that are already in one of those zones to a new "Internal & Internet Zone" for the Azure VPN tunnel, as the documentation suggests? I receive an SRX error that adding interfaces to multiple zones is prohibited, and if using a PB VPN there is no st0.x in that config and/or I don't understand how to utilize or place the traditional interface under the st0.x interface.

SRX ERROR:

commit check
[edit security zones security-zone Internal]
  'interfaces ge-0/0/1.0'
    Interface ge-0/0/1.0 already assigned to another zone
error: configuration check-out failed

I found this on Azure's site - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell

Attached images: Azure IKE doc found on Azure site; Azure states no IPsec for policy-based; juniper-no-ikev2.png
0
Good morning, I face a big problem with configuration (IP telephone Cisco 7962g) from two days ago. I think my problem is in my .cnf.xml file: after I register it I can't change the phone name, and when I change it, it becomes not registered and gives me the log message "can't update local". Please help me.
0
I have a CISCO RV320 and I need to configure an IPSEC client on a Mac. I have tried SHIMO and the Mac native VPN configuration; however, I can't seem to make it connect. I have not been able to find the CISCO EASYVPN software for Mac since CISCO has discontinued the software support. Any thoughts?

Dan
0
I have an ASA 5512 with about a dozen site-to-site tunnels set up. Several times a week some of the tunnels will all drop at once. There doesn't seem to be rhyme or reason to it. I would expect that if it was an ISP issue, ALL of the tunnels would drop. In the logs it will have the reason as "Administrator reset". I've checked timeout values and they are all set to default as far as I can tell. My Cisco experience is limited but I can provide info as needed.
0
Hi,
Are there any programming examples showing how to detect which area a given IP (worldwide IP) belongs to?
0

Experts,
I am having an issue with one user who is unable to browse to a site over VPN. Instead of going to the address specified, it brings up a Google search list for the address. Without VPN the user is able to browse to the site. Any suggestions or ideas?
0
Hello,

We have a Cisco 5510 ASA. Interfaces outside and outside2 are for WAN. We have a failover setup where if outside goes down, outside2 comes up. We also have a site-to-site VPN set up, and the outside2 interface renegotiates with our other site automatically.

The issue we are having is that once or twice a day our main WAN (interface outside) loses the site-to-site VPN with our other office. Internet stays up but the tunnel breaks. When we put it on our backup WAN (interface outside2) everything runs fine.

I have to manually disable the interface outside and then re-enable the interface, and then site-to-site starts to work. I have already spoken to our ISP and they didn't find any issues. I have also swapped with a spare 5510 and still have the same issue. I have attached a copy of the configuration. Please help.
ciscoconfiguration.txt
0
So I am trying to get a new VPN solution up and running here, using a Draytek 3900 router.
The clients connect using the built-in VPN client on W10.

I would like the set-up to work in such a way that when a user tries to connect to the VPN, our on-prem AD is checked to confirm that the user is a member of the relevant group.
The client should also be set up to receive a DHCP address from the same on-prem domain controller.

So far, I can make the following work:

With the user account set up on the Draytek, I can get DHCP to work and assign the client laptop an address on the local network correctly.
Trying to use LDAP to query the AD, log files show (I think) that AD is queried and approves the user, but no DHCP address is given.

I cannot see anything wrong with the settings, could really use some assistance from anyone who knows Drayteks better than me or has the same setup and can compare settings!

Thanks in advance for any assistance
0
Cisco RV320 to RV320 Gateway to Gateway

Config is fine, tunnel never connects.

Site A Log

2018-04-09, 22:15:45      VPN Log      [g2gips0] #1: [Tunnel Established] sent MR3, ISAKMP SA established
2018-04-09, 22:15:45      VPN Log      [g2gips0]: cmd=up-client peer=79.173.X.X peer_client=192.168.2.0/24 peer_client_net=192.168.2.0 peer_client_mask=255.255.255.0
2018-04-09, 22:15:45      VPN Log      ip route add 192.168.2.0/24 via 10.50.253.15 dev ppp1 metric 35
2018-04-09, 22:15:45      VPN Log      iptables -t nat -I vpn -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      iptables -t nat -I vpn -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      iptables -t nat -I vpn_postrouting -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      iptables -t nat -I vpn_postrouting -o eth0 -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      [g2gips0] #2: [Tunnel Established] IPsec SA established {ESP=>0xc9f16ce4 < 0xcb1f6958 AH=>0xc4790703 < 0xc9d7ed2c}
2018-04-09, 22:15:45      VPN Log      [g2gips0]: cmd=down-client peer=79.173.X.X peer_client=192.168.2.0/24 peer_client_net=192.168.2.0 peer_client_mask=255.255.255.0
2018-04-09, 22:15:45      VPN Log      ip route del 192.168.2.0/24 via 10.50.253.15 dev ppp1 metric 35
2018-04-09, 22:15:45      VPN Log      iptables -t nat -D vpn -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      iptables -t nat -D vpn -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      …
0
Hi Guys and Gals,

I have a problem that I am banging my head against and can't seem to get to work.

I have 2 locations
Location 1
IP 10.10.10.0/24

Location 2
IP 20.20.20.0/24

There is a Site-to-Site IPSec VPN connection between them with all ports wide open. Location 1 has the Active Directory domain server for MYDOMAIN.com. I want to add a second server at Location 2 as a domain server as well, but I can't get it to find the domain. The server in Location 2 has the AD DNS server in Location 1 as its DNS server, and I can ping the domain without problem, but when I go to join the domain it says it can't find the domain controller. All ports are open so I am lost. HELP!!!!
0
Hi All

This is not a question as such; I'm looking for information and ideas on how I can pass VLANs across an IPsec VPN tunnel.

I've got 16 VLANs that are hosted at one site located a few hundred kilometers away from my secondary site, and I want to be able to push the VLANs from the main site to the secondary site and then be able to distribute those via a switch at the remote site.

The sites currently will be connected via either Sonicwalls or WatchGuard UTM Appliances

Any help or suggestions on this would be greatly appreciated
0