Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.
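An added illustration of the "authenticating and encrypting each IP packet" point above, written for this page and not taken from any IPsec implementation: every ESP packet starts with an SPI and a sequence number, and the receiver keeps a sliding anti-replay window over those sequence numbers so that a captured packet cannot be injected a second time. The packets processed below are constructed in the block, the SPI and window size are arbitrary, and the ICV verification a real receiver performs before touching the window is left out.

```python
import struct

# ESP starts with a fixed 8-byte header: 32-bit SPI, 32-bit sequence number (RFC 4303).
ESP_HEADER = struct.Struct("!II")


def parse_esp_header(packet: bytes) -> tuple[int, int]:
    """Return (spi, seq) from the front of an ESP packet; reject truncated input."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("ESP packet shorter than the 8-byte SPI/sequence header")
    spi, seq = ESP_HEADER.unpack_from(packet, 0)
    return spi, seq


class AntiReplayWindow:
    """Receiver-side sliding window (RFC 4303 section 3.4.3).

    'top' is the highest sequence number accepted so far; bit i of 'bitmap'
    records whether sequence number (top - i) has already been received.
    Packets above the window advance it, packets inside it are accepted once,
    packets below it are dropped.  A real receiver verifies the ICV before
    updating the window so a forged sequence number cannot poison it.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False  # the first packet on an SA carries sequence number 1
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1  # everything seen before is now below the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False  # older than the window: drop
        if self.bitmap & (1 << offset):
            return False  # already received: replay
        self.bitmap |= 1 << offset
        return True


def filter_packets(packets: list[bytes], window_size: int = 64) -> list[tuple[int, int, bool]]:
    """Run the packets of one SA through a window; return (spi, seq, accepted) per packet."""
    window = AntiReplayWindow(window_size)
    results = []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        results.append((spi, seq, window.check_and_update(seq)))
    return results


# Constructed sample (not a capture): SPI 0x1000 with sequence numbers 1, 2, 3, then a
# replayed 2, a jump to 70 that slides the window, 5 (now below it) and 8 (inside it).
SAMPLE_PACKETS = [ESP_HEADER.pack(0x1000, n) + b"\x00" * 8 for n in (1, 2, 3, 2, 70, 5, 8)]

if __name__ == "__main__":
    for spi, seq, ok in filter_packets(SAMPLE_PACKETS):
        print(f"spi=0x{spi:x} seq={seq:<3} {'accept' if ok else 'drop'}")
```

The window is what makes "each packet is authenticated" useful in practice: without it, an attacker who records traffic can replay valid, correctly authenticated packets at will.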


How to set up an IPsec VPN between Mikrotik and Fortigate routers
0

We have 5 sites. 4 are using a Cisco RV320 router and the 5th is using a Secure Computing router.
They each have a hardware VPN tunnel to Rogers hosted servers. This provides the end users access to an application on their network that is crucial to running their business.

Rogers is changing the WAN IP. Therefore, we have to change each site's router's VPN remote WAN IP so the VPN continues to function.
Once the IPs are changed, the VPN comes back up and the connection between both ends is established. However, we can no longer ping behind the LAN on Rogers' end over the VPN tunnel, and therefore can no longer access the required application via the VPN tunnel.

Rogers believes this is a setup issue on our end; however, nothing has changed except the remote WAN IP on the VPN tunnel to their side. This has also been tested on 4 of the 5 sites: 3 of them Cisco RV320s and 1 Secure Computing router. No changes have taken place in the LAN or WAN at these sites either.

The VPN policy being used is as follows:

Key mode:
IKE with Preshared key

Local Group Setup:  
Defines the local site WAN IP and local Subnet

Remote Group Setup:
Defines the remote site WAN IP and the remote LAN Subnet

IPSec Setup:
Phase 1 DH: Group 2 - 1024 bit
Phase 1 Encrypt: 3DES
Phase 1 Auth: SHA1
Phase 1 Lifetime: 86400
Perfect forward secrecy: NA
Phase 2 Encrypt: 3DES
Phase 2 Auth: SHA1
Phase 2 Lifetime: 3600

Additional Settings:
Keep-Alive Enabled
Dead Peer Detection …
0
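An added example, not from the post above and not Cisco code: the Phase 1/Phase 2 parameters quoted there (DH group 2, 3DES, SHA1, PFS off) are what many older gateways shipped with, and a small linter makes the weaknesses explicit before a tunnel is rebuilt. The first dictionary transcribes the posted policy; the hardened target is an assumption, not something the post states, and both peers have to be changed together because a unilateral change simply breaks the negotiation.

```python
# Minimum acceptable parameters; anything outside these sets is reported.
DEPRECATED_ENCRYPTION = {
    "des": "56-bit key",
    "3des": "64-bit block cipher (Sweet32), deprecated by NIST SP 800-131A",
}
WEAK_INTEGRITY = {
    "md5": "collision-broken hash",
    "sha1": "SHA-1 is deprecated; HMAC-SHA1 is still unbroken but policy should move to SHA-2",
}
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096, 19: 256, 20: 384, 21: 521}
ECP_GROUPS = {19, 20, 21}     # elliptic-curve groups: bit size is the curve size, not MODP size
MIN_MODP_BITS = 2048


def check_dh_group(where: str, group, findings: list[str]) -> None:
    if group is None:
        return
    bits = DH_GROUP_BITS.get(group)
    if bits is None:
        findings.append(f"{where}: unknown DH group {group}")
    elif group not in ECP_GROUPS and bits < MIN_MODP_BITS:
        findings.append(f"{where}: DH group {group} is {bits}-bit MODP, below the {MIN_MODP_BITS}-bit minimum")


def check_algorithms(where: str, phase: dict, findings: list[str]) -> None:
    enc = (phase.get("encryption") or "").lower()
    if enc in DEPRECATED_ENCRYPTION:
        findings.append(f"{where}: encryption {enc} ({DEPRECATED_ENCRYPTION[enc]})")
    integ = (phase.get("integrity") or "").lower()
    if integ in WEAK_INTEGRITY:
        findings.append(f"{where}: integrity {integ} ({WEAK_INTEGRITY[integ]})")


def lint_proposal(proposal: dict) -> list[str]:
    """Return one finding per weak or risky IKE/IPsec parameter; empty list means clean."""
    findings: list[str] = []
    p1, p2 = proposal["phase1"], proposal["phase2"]
    check_dh_group("phase1", p1.get("dh_group"), findings)
    check_algorithms("phase1", p1, findings)
    check_algorithms("phase2", p2, findings)
    if p2.get("pfs_group") is None:
        findings.append("phase2: PFS disabled, so every IPsec SA key derives from the IKE SA secret; "
                        "compromise of that secret exposes all traffic for the IKE SA lifetime")
    else:
        check_dh_group("phase2 (PFS)", p2["pfs_group"], findings)
    if p1.get("lifetime", 0) > 86400:
        findings.append(f"phase1: lifetime {p1['lifetime']}s exceeds one day")
    return findings


# The RV320 policy quoted in the post above, transcribed into a dict.
RV320_POLICY = {
    "phase1": {"dh_group": 2, "encryption": "3des", "integrity": "sha1", "lifetime": 86400},
    "phase2": {"encryption": "3des", "integrity": "sha1", "lifetime": 3600, "pfs_group": None},
}
# Assumed hardened target (not from the post): AES-256, SHA-256, group 14, PFS on.
HARDENED_POLICY = {
    "phase1": {"dh_group": 14, "encryption": "aes256", "integrity": "sha256", "lifetime": 86400},
    "phase2": {"encryption": "aes256", "integrity": "sha256", "lifetime": 3600, "pfs_group": 14},
}

if __name__ == "__main__":
    for name, policy in (("RV320 as posted", RV320_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {len(lint_proposal(policy))} finding(s)")
        for f in lint_proposal(policy):
            print("  -", f)
```

The PFS finding is the one most often overlooked: with PFS off, a single leaked Phase 1 secret (or a weak pre-shared key recovered offline) decrypts every Phase 2 SA negotiated under it, which is why the linter treats it as a finding and not a note.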
Hi Experts,

I am looking for a two-way authentication procedure in an attempt to protect one of our public-facing websites.

I would like to implement some type of two-way authentication to add an additional layer of protection.


I am thinking of the end users getting an email notification or some type of verification method.

Any thoughts or recommendations?

Thank you
0
Hello All,

A little help and advice needed please -

I am setting up a Site-to-Site VPN connection between a Cisco ASA and a TP-Link ER6120 (I know, don't ask). Anyway, phase 1 IKE keeps failing when I initiate from the ASA side.

I get MM_Active when responding to the TP-Link; however, when initiating from the ASA side it changes to MM_Wait_msg2 and MM_Wait_msg6. I have confirmed multiple times that the timers and PSK are the same on both sides and that the encryption matches. Even when MM_Active as responder, the IPsec tunnel does not form.

Running a debug on crypto isakmp on the ASA I get the following -

Removing peer from correlator table failed, no match!
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Session is being torn down. Reason: Lost Service
[IKEv1]: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
[IKEv1]: Group =x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
[IKEv1]: IP = x.x.x.x, Header invalid, missing SA payload! (next payload = 4)
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed
[IKEv1]: Group = x.x.x.x, IP = x.x.x.x, Information Exchange processing failed

Am I missing something obvious here? Any help would be appreciated.
0
It seems that the documentation about IPsec/IKE setup on an SRX to Azure S2S VPN is conflicting. There are 3 pain points:

1. Can IPsec/IKE be used on a policy-based VPN for Azure? It seems that Azure is clear about "no", but the suggested Azure config includes IPsec & IKE config.
2. Which IKE version is best for SRX to Azure, v1 or v2, when using a policy-based or route-based VPN? (see attachment)
3. If a trust security zone (internal interface) and an untrust security zone (external interface) already exist, how can I add interfaces that are already in one of those zones to a new "Internal & Internet Zone" for the Azure VPN tunnel as the documentation suggests? I receive an SRX error that adding interfaces to multiple zones is prohibited, and if using a PB VPN there is no st0.x in that config and/or I don't understand how to utilize or place the traditional interface under the st0.x interface.

SRX ERROR:

commit check
[edit security zones security-zone Internal]
  'interfaces ge-0/0/1.0'
    Interface ge-0/0/1.0 already assigned to another zone
error: configuration check-out failed



I found this on Azure's site - https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell

Attachments: Azure IKE Doc found on Azure Site; Azure States no IPsec for Policy-Based; juniper-no-ikev2.png
0
We are facing a problem exchanging information in the HL7 protocol in a standard listener\receiver environment.
Our application works fine on a plain network but gets some errors over an IPsec VPN tunnel.
I'm not an expert; it seems to be a problem related to packet fragmentation: packets are truncated and cannot be handled.
This does not happen on the same LAN, so we are pointing to the MTU or a security control applied on the VPN.
Can you help me?
Sorry, I'm not providing many details; please ask me for whatever you think is important.
Thanks
M
0
Good morning. I have faced a big problem with configuration (Cisco 7962G IP telephone) for two days now. I think my problem is in my .cnf.xml file: after I register it, I can't change the phone name, and when I change it, it becomes unregistered and gives me the log message "can't update local". Please help me.
0
I have a Cisco RV320 and I need to configure an IPsec client on a Mac. I have tried Shimo and the Mac native VPN configuration; however, I can't seem to make it connect. I have not been able to find the Cisco Easy VPN software for Mac, since Cisco has discontinued support for the software. Any thoughts?

Dan
0
I have an ASA 5512 with about a dozen site-to-site tunnels set up. Several times a week some of the tunnels will all drop at once. There doesn't seem to be rhyme or reason to it. I would expect that if it were an ISP issue, ALL of the tunnels would drop. In the logs it will have the reason as "Administrator reset". I've checked the timeout values and they are all set to default as far as I can tell. My Cisco experience is limited, but I can provide info as needed.
0
Hi,
Are there any programming examples showing the way to detect which area it is, for a given IP (worldwide IP)?
0

Experts,
I am having an issue with one user who is unable to browse to a site over VPN. Instead of going to the address specified, it brings up a Google search results list for the address. Without the VPN, the user is able to browse to the site. Any suggestions or ideas?
0
Hello,

We have a Cisco 5510 ASA. Interfaces outside and outside2 are for WAN. We have a failover setup where if outside goes down, outside2 comes up. We also have a site-to-site VPN set up, and for the outside2 interface to renegotiate with our other site automatically.

The issue we are having is that once or twice a day our main WAN (interface outside) loses the site-to-site VPN with our other office. Internet stays up but the tunnel breaks. When we put it on our backup WAN (interface outside2) everything runs fine.

I have to manually disable the interface outside and then re-enable the interface, and then site-to-site starts to work. I have already spoken to our ISP and they didn't find any issues. I have also swapped with a spare 5510 and still have the same issue. I have attached a copy of the configuration. Please help.
Attachment: ciscoconfiguration.txt
0
So I am trying to get a new VPN solution up and running here, using a Draytek 3900 router.
The clients connect using the built-in VPN client on W10.

I would like the set-up to work in such a way that when a user tries to connect to the VPN, our on-prem AD is checked to confirm that the user is a member of the relevant group.
The client should also be set up to receive a DHCP address from the same on-prem domain controller.

So far, I can make the following work:

With a user account set up on the Draytek, I can get DHCP to work and assign the client laptop an address on the local network correctly.
When trying to use LDAP to query the AD, the log files show (I think) that AD is queried and approves the user, but no DHCP address is given.

I cannot see anything wrong with the settings, could really use some assistance from anyone who knows Drayteks better than me or has the same setup and can compare settings!

Thanks in advance for any assistance
0
Cisco RV320 to RV320 Gateway to Gateway

Config is fine, tunnel never connects.

Site A Log

2018-04-09, 22:15:45      VPN Log      [g2gips0] #1: [Tunnel Established] sent MR3, ISAKMP SA established
2018-04-09, 22:15:45      VPN Log      [g2gips0]: cmd=up-client peer=79.173.X.X peer_client=192.168.2.0/24 peer_client_net=192.168.2.0 peer_client_mask=255.255.255.0
2018-04-09, 22:15:45      VPN Log      ip route add 192.168.2.0/24 via 10.50.253.15 dev ppp1 metric 35
2018-04-09, 22:15:45      VPN Log      iptables -t nat -I vpn -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      iptables -t nat -I vpn -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      iptables -t nat -I vpn_postrouting -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      iptables -t nat -I vpn_postrouting -o eth0 -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      [g2gips0] #2: [Tunnel Established] IPsec SA established {ESP=>0xc9f16ce4 < 0xcb1f6958 AH=>0xc4790703 < 0xc9d7ed2c}
2018-04-09, 22:15:45      VPN Log      [g2gips0]: cmd=down-client peer=79.173.X.X peer_client=192.168.2.0/24 peer_client_net=192.168.2.0 peer_client_mask=255.255.255.0
2018-04-09, 22:15:45      VPN Log      ip route del 192.168.2.0/24 via 10.50.253.15 dev ppp1 metric 35
2018-04-09, 22:15:45      VPN Log      iptables -t nat -D vpn -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      iptables -t nat -D vpn -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
2018-04-09, 22:15:45      VPN Log      …
0
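An editor-added example, not from the post: the log above shows cmd=up-client followed by cmd=down-client on the same connection in the same second, the signature of a tunnel that negotiates successfully and is torn down immediately. The parser below reads that RV320 log layout, flags the up-then-down pattern, and pulls out the negotiated SPIs so the two sides' output can be compared. The log lines it runs on are constructed in the same format with documentation addresses and made-up SPIs; they are not the poster's log.

```python
import re
from datetime import datetime, timedelta

# "2018-04-09, 22:15:45      VPN Log      [g2gips0] #1: ..." -> timestamp and message
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}, \d{2}:\d{2}:\d{2})\s+VPN Log\s+(?P<msg>.*)$")
CONN_RE = re.compile(r"^\[(?P<conn>[^\]]+)\]")
SA_RE = re.compile(r"(ESP|AH)=>0x([0-9a-fA-F]+) < 0x([0-9a-fA-F]+)")


def parse_line(line: str):
    """Return {'ts', 'conn', 'msg'} for a VPN Log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    c = CONN_RE.match(msg)
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d, %H:%M:%S"),
        "conn": c.group("conn") if c else None,   # None for the ip/iptables helper lines
        "msg": msg,
    }


def find_flaps(lines, max_gap: timedelta = timedelta(seconds=5)):
    """Report (conn, up_ts, down_ts) wherever down-client follows up-client within max_gap."""
    last_up = {}
    flaps = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["conn"] is None:
            continue
        if "cmd=up-client" in ev["msg"]:
            last_up[ev["conn"]] = ev["ts"]
        elif "cmd=down-client" in ev["msg"]:
            up = last_up.pop(ev["conn"], None)
            if up is not None and ev["ts"] - up <= max_gap:
                flaps.append((ev["conn"], up, ev["ts"]))
    return flaps


def established_sas(lines):
    """Return (protocol, outbound_spi, inbound_spi) for every 'IPsec SA established' line."""
    found = []
    for line in lines:
        ev = parse_line(line)
        if ev and "IPsec SA established" in ev["msg"]:
            found.extend((proto, int(out, 16), int(inb, 16))
                         for proto, out, inb in SA_RE.findall(ev["msg"]))
    return found


# Constructed log in the RV320 layout (documentation addresses, invented SPIs).
SAMPLE_LOG = """
2018-04-09, 22:15:45      VPN Log      [g2gips0] #1: [Tunnel Established] sent MR3, ISAKMP SA established
2018-04-09, 22:15:45      VPN Log      [g2gips0]: cmd=up-client peer=203.0.113.10 peer_client=192.0.2.0/24 peer_client_net=192.0.2.0 peer_client_mask=255.255.255.0
2018-04-09, 22:15:45      VPN Log      ip route add 192.0.2.0/24 via 10.50.253.15 dev ppp1 metric 35
2018-04-09, 22:15:45      VPN Log      [g2gips0] #2: [Tunnel Established] IPsec SA established {ESP=>0x1a2b3c4d < 0x5e6f7081 AH=>0x0badcafe < 0x0feedbee}
2018-04-09, 22:15:46      VPN Log      [g2gips0]: cmd=down-client peer=203.0.113.10 peer_client=192.0.2.0/24 peer_client_net=192.0.2.0 peer_client_mask=255.255.255.0
2018-04-09, 22:15:46      VPN Log      ip route del 192.0.2.0/24 via 10.50.253.15 dev ppp1 metric 35
2018-04-09, 22:20:01      VPN Log      [g2gips1] #1: [Tunnel Established] sent MR3, ISAKMP SA established
2018-04-09, 22:20:01      VPN Log      [g2gips1]: cmd=up-client peer=198.51.100.7 peer_client=172.16.5.0/24 peer_client_net=172.16.5.0 peer_client_mask=255.255.255.0
""".strip().splitlines()

if __name__ == "__main__":
    for conn, up, down in find_flaps(SAMPLE_LOG):
        print(f"{conn}: up {up:%H:%M:%S}, down {down:%H:%M:%S} ({(down - up).total_seconds():.0f}s later)")
    for proto, out_spi, in_spi in established_sas(SAMPLE_LOG):
        print(f"{proto}: outbound 0x{out_spi:08x} inbound 0x{in_spi:08x}")
```

Run it over the logs from both routers: the outbound SPI on one side should be the inbound SPI on the other, and a flap reported on only one side points at the end that is initiating the teardown.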
Hi Guys and Gals,

I have a problem that I am banging my head against and can't seem to get to work.

I have 2 locations
Location 1
IP 10.10.10.0/24

Location 2
IP 20.20.20.0/24

There is a Site to Site IPsec VPN connection between them with all ports wide open. Location 1 has the Active Directory domain server for MYDOMAIN.com. I want to add a second server at location 2 as a domain server as well, but I can't get it to find the domain. The server in location 2 has the AD DNS server in Location 1 as its DNS server, and I can ping the domain without problem, but when I go to join the domain it says it can't find the domain controller. All ports are open, so I am lost. HELP!!!!
0
Hi All

This is not a question as such; I'm looking for information and ideas on how I can pass VLANs across an IPsec VPN tunnel.

I've got 16 VLANs that are hosted at one site located a few hundred kilometers away from my secondary site, and I want to be able to push the VLANs from the main site to the secondary site and then be able to distribute those via a switch at the remote site.

The sites currently will be connected via either SonicWall or WatchGuard UTM appliances.

Any help or suggestions on this would be greatly appreciated
0
I have an IPsec VPN tunnel going between a main office and a home office (Cisco router at the main office end and Draytek at the home office end). I want the user to be able to log into the Terminal Server down the tunnel from home to the main office. From her computer I can RDP to any other server, but I can't RDP to the Terminal Server. It gets stuck on 'Securing remote connection' after entering the credentials for up to 2 minutes before eventually erroring out with a non-descript general 'Can't connect' error. We've tried on a different laptop (Win 10 vs Win 7, and wired and wireless) and have replaced the home office router with another model of Draytek, but the issue has remained the same.

After A LOT of googling, a little bit of Wiresharking, and trial and error, I think the issue is down to MTU issues, but I'm not an expert in this field and I'm trying to learn all I can.

In my testing with 'ping -f -l' I've found:
  • The Terminal Server at the main office can ping with a limit of 1472 to the router at the main office and out to Google (4.2.2.2)
  • The Terminal Server cannot ping the home office router at 1472 - it's too big. I cut it down to 1400 and the first ping timed out and then it was too big
  • On the laptop at the home office end I can ping with a limit of 1472 to the home office router, to Google, AND to the router at the main office end.

Another interesting and likely related symptom is…
0
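An added example, written for this page and not by either poster, covering the fragmentation symptoms in this post and in the HL7 post above: ESP tunnel mode adds a fixed outer header plus data-dependent padding, so the largest inner packet that crosses a 1500-byte path unfragmented depends on the cipher and integrity algorithm in use. The functions below compute that ceiling and the matching ping -l payload and TCP MSS for a given path MTU. Per-algorithm sizes come from the RFCs named in the comments; which path MTU applies (1500, 1492 for PPPoE, or something smaller in between) is an assumption to be measured, not a given.

```python
# ESP tunnel mode over IPv4 (RFC 4303), with IV and ICV sizes from RFC 2451 (3DES-CBC),
# RFC 3602 (AES-CBC), RFC 4106 (AES-GCM), RFC 2403/2404 (HMAC-MD5-96, HMAC-SHA1-96)
# and RFC 4868 (HMAC-SHA-256-128).
IPV4_HEADER = 20
ESP_HEADER = 8           # SPI + sequence number
ESP_TRAILER = 2          # pad length + next header
NAT_T_UDP = 8            # UDP header when NAT traversal encapsulates ESP in UDP/4500
CIPHERS = {              # name: (IV bytes, alignment the encrypted part is padded to)
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
    "aes-gcm": (8, 4),   # AEAD: no cipher-block padding, only ESP's own 4-byte alignment
}
INTEGRITY = {            # name: ICV bytes
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
    "hmac-sha256-128": 16,
    "aes-gcm": 16,       # the ICV is produced by the AEAD cipher itself
}


def max_inner_packet(path_mtu: int, cipher: str, integrity: str, nat_t: bool = False) -> int:
    """Largest inner IP packet that fits in one ESP tunnel-mode packet of path_mtu bytes."""
    iv_len, align = CIPHERS[cipher]
    fixed = IPV4_HEADER + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv_len + INTEGRITY[integrity]
    encrypted = (path_mtu - fixed) // align * align   # payload + padding + trailer, aligned
    return encrypted - ESP_TRAILER


def max_ping_payload(path_mtu: int, cipher: str, integrity: str, nat_t: bool = False) -> int:
    """Largest 'ping -f -l <n>' payload that crosses the tunnel unfragmented (IPv4 + ICMP = 28)."""
    return max_inner_packet(path_mtu, cipher, integrity, nat_t) - 28


def tcp_mss_clamp(path_mtu: int, cipher: str, integrity: str, nat_t: bool = False) -> int:
    """MSS to clamp on the gateways so TCP segments never need fragmenting (IPv4 + TCP = 40)."""
    return max_inner_packet(path_mtu, cipher, integrity, nat_t) - 40


if __name__ == "__main__":
    # 1500 is plain Ethernet; 1492 assumes a PPPoE link somewhere on the path.
    for mtu in (1500, 1492):
        for cipher, integrity in (("3des-cbc", "hmac-sha1-96"), ("aes-cbc", "hmac-sha1-96"),
                                  ("aes-gcm", "aes-gcm")):
            for nat_t in (False, True):
                print(f"mtu={mtu} {cipher}/{integrity} nat-t={nat_t!s:5} "
                      f"inner<={max_inner_packet(mtu, cipher, integrity, nat_t)} "
                      f"ping -l<={max_ping_payload(mtu, cipher, integrity, nat_t)} "
                      f"mss={tcp_mss_clamp(mtu, cipher, integrity, nat_t)}")
```

Practical use: clamp the MSS on both gateways (ip tcp adjust-mss on IOS) to the value reported for the weakest link on the path, and confirm that ICMP Fragmentation Needed is not filtered anywhere between the endpoints, because path MTU discovery fails silently otherwise and large TCP segments simply disappear, which is exactly what an RDP or HL7 session stalling after the handshake looks like.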
I built a LAN-to-LAN VPN between two companies, both ASA5510, but when I finished configuring, I ran 'show crypto isakmp sa',
and it displayed 'there are no isakmp'.
When I ran 'packet-tracer input inside tcp 10.99.4.12 80 10.120.1.4 80', the VPN tunnel came up successfully, and 'show crypto isakmp sa' showed some content:
1   IKE Peer: a.a.a.a
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE    

The two companies could access each other, but a strange thing appeared: after 10 minutes, the VPN tunnel dropped and 'there are no isakmp' appeared again. I could not run packet-tracer every 10 minutes. With another method, using a server to ping the opposite server all the time, the tunnel won't drop.

Here is the configuration:
asa5510 A:
access-list QM-test extended permit ip 10.99.4.0 255.255.255.0 10.120.1.0 255.255.255.0
access-list acl_nat0 extended permit ip 10.99.4.0 255.255.255.0 10.120.1.0 255.255.255.0
nat (inside) 0 access-list acl_nat0
crypto ipsec transform-set test-QM esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 43200
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address QM-test
crypto map mymap 10 set peer a.a.a.a
crypto map mymap 10 set transform-set test-QM
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash…
0
I have been trying to work with SonicWall support on this issue and have made no progress. We have been using the appliance in the past with split tunnel enabled but, due to security requirements, we can no longer allow split tunnel. If we turn it off, remote users can access the internal resources we have configured, but cannot access anything on the Internet. It seems that we need to create a resource which is "anything" on the Internet, but we don't know how to do that. We don't see any kind of wildcard options. We have not given our users access to the "Any" resource. We need to specifically define the resources they have access to. We need an "Internet" resource, and then we can give them access to that. Is this possible? Or is there some other way to approach this?

SonicWall support had us upgrade the firmware to 11.40-468 with the 708 hotfixes, but that did not create an option for resolving this requirement.
0

I have 2 Ubuntu servers, one at home and one on a remote server, and both are running Ubuntu Server 16.04.

I followed this guide to install and configure strongSwan: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html

It worked fine on my local server but not on the remote server; even when accessing my local server remotely it works just fine.

I am stuck. I'm not sure what I am doing wrong, hoping someone on here can help. My host says that my Ubuntu install is mostly* stock with little to no mods, though I've noticed some file permissions were changed.

https://imlost.me/server.txt https://imlost.me/client.txt
0
Hello, I started to configure a pfSense, version 2.4.1. I want to know if it is possible to configure IPsec multi-WAN failover.

Has anyone had any experience configuring this? I already configured the dual WAN failover on the pfSense.

I would like the VPN tunnel to be able to stay up if the WAN fails over.

Thanks in advance
0
Hi All,

We have two Cisco ASA 5505 Firewalls that are running a site to site VPN, one is in China the other is in the UK. The China ASA is the initiator.

This isn't something I set up; it was something that was set up years ago and it has been working perfectly until about 6 weeks ago, when one day it just stopped. If I try to ping a host from China to Manchester, I can see MM_WAIT_MSG2 on the China ASA and MM_WAIT_MSG3 on the UK side, but it never gets any further.

No config was changed; it simply stopped working one day. I'm fairly new to Cisco. I could see that the time was out on the China side, so I corrected this without success. Below is a snippet from each ASA that I think is relevant to the VPN. Can anyone offer any suggestions?

----- China ------

crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address VPNACL
crypto map VPNMAP 1 set peer 195.x.x.x
crypto map VPNMAP 1 set ikev1 transform-set VPN
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200

------ UK --------

crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address VPNACL
crypto map VPNMAP 1 set peer 202.x.x.x
crypto map VPNMAP 1 set ikev1 transform-set VPN
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 …
0
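An added example, not from the post and not Cisco code: the comparison the poster did by eye (transform set, Phase 1 parameters, timers on both sides) can be done mechanically against two config excerpts. The parser below reads the transform-set, crypto map and IKEv1 policy lines of an ASA excerpt and reports anything that would stop Phase 1 or Phase 2 from agreeing. The excerpts it runs on are constructed in the same shape as the two snippets above, with documentation addresses and a fully specified policy on both sides; the mismatched variant is invented to show a failing case. One caveat the script cannot cover: MM_WAIT_MSG2 on the initiator together with MM_WAIT_MSG3 on the responder typically means the responder's reply is not reaching the initiator, which is a reachability or filtering question that no configuration comparison answers.

```python
import re

TS_RE = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (\S+)$")
POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")
POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_asa_crypto(text: str) -> dict:
    """Pull transform sets, crypto map entries and IKEv1 policies out of an ASA config excerpt."""
    cfg = {"transform_sets": {}, "crypto_maps": {}, "ikev1_policies": {}}
    policy = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            policy = cfg["ikev1_policies"].setdefault(int(m.group(1)), {})
            continue
        if line.startswith("crypto"):
            policy = None                     # any other top-level crypto line ends the policy block
            m = TS_RE.match(line)
            if m:
                cfg["transform_sets"][m.group(1)] = frozenset(m.group(2).split())
            m = MAP_RE.match(line)
            if m:
                entry = cfg["crypto_maps"].setdefault((m.group(1), int(m.group(2))), {})
                entry[m.group(3)] = m.group(4)
            continue
        if policy is not None:                # indented attribute inside a policy block
            parts = line.split()
            if len(parts) == 2 and parts[0] in POLICY_ATTRS:
                policy[parts[0]] = parts[1]
    return cfg


def _phase1_key(p: dict) -> tuple:
    return tuple(p.get(k) for k in ("authentication", "encryption", "hash", "group"))


def _used_transforms(cfg: dict) -> set:
    return {cfg["transform_sets"][e["set ikev1 transform-set"]]
            for e in cfg["crypto_maps"].values()
            if e.get("set ikev1 transform-set") in cfg["transform_sets"]}


def compare_peers(local: dict, remote: dict) -> list[str]:
    """Findings that would stop Phase 1 or Phase 2 from agreeing between two ASA excerpts."""
    findings = []
    if not _used_transforms(local) & _used_transforms(remote):
        findings.append("phase 2: no IPsec transform set in common between the peers")
    local_p1 = {_phase1_key(p): p for p in local["ikev1_policies"].values()}
    remote_p1 = {_phase1_key(p): p for p in remote["ikev1_policies"].values()}
    common = set(local_p1) & set(remote_p1)
    if not common:
        findings.append("phase 1: no IKEv1 policy with matching authentication/encryption/hash/group")
    for key in common:
        lt_l, lt_r = local_p1[key].get("lifetime"), remote_p1[key].get("lifetime")
        if lt_l != lt_r:   # ASA tolerates this and uses the shorter value; reported as a warning
            findings.append(f"phase 1 (warning): lifetime differs ({lt_l} vs {lt_r}); shorter one is used")
    return findings


# Constructed excerpts in the shape of the two posted snippets (documentation addresses).
SIDE_A = """
crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address VPNACL
crypto map VPNMAP 1 set peer 198.51.100.1
crypto map VPNMAP 1 set ikev1 transform-set VPN
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200
"""
SIDE_B = SIDE_A.replace("198.51.100.1", "203.0.113.1")
# Invented failing case: far end rebuilt with a different transform set and Phase 1 hash.
SIDE_B_MISMATCH = (SIDE_B.replace("esp-3des esp-md5-hmac", "esp-aes-256 esp-sha-hmac")
                         .replace(" hash sha", " hash md5"))

if __name__ == "__main__":
    a = parse_asa_crypto(SIDE_A)
    for label, other in (("matching peer", SIDE_B), ("mismatched peer", SIDE_B_MISMATCH)):
        findings = compare_peers(a, parse_asa_crypto(other))
        print(f"{label}: {findings or 'no findings'}")
```

Feed each side's output of show running-config crypto to the parser instead of the constructed strings; the script only compares what both excerpts contain, so a policy that exists on one side but was cut from the paste will show up as a Phase 1 mismatch.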
We have multiple branches and sites that are connected to the main Data Centre. As of now the WAN is protected (traffic is encrypted via IPsec). Objective: I want to make sure that all traffic, when it leaves the host, is also encrypted. There should be no gap (unencrypted data in motion), regardless of whether within the LAN or WAN.
The concern from the network engineer is that if we implement host-to-host IPsec, it will be a tunnel within a tunnel. It will decrease network performance.
How do we ensure all the traffic is encrypted? Are there any other available solutions?
0
I have a main office running OpenVPN on Untangle v9.4 (I know, but they don't want to spend the money to upgrade and reconnect all of the offices). The remote offices are all on different subnets, and I have no problem reaching the main office by IP address or hostname from the remote office computers. From the main office, I am unable to ping or communicate with any of the remote offices. There are no issues with the main office connecting to the internet, but I am unable to communicate with the connected networks. The OpenVPN connectivity at each office is using a Ubiquiti EdgeRouter-X with the config file imported, and I use my laptop to support the various offices via a software client OpenVPN connection. When I connect to the OpenVPN server at the main office using my laptop, I am able to ping, use RDP, whatever; I can even use NSLOOKUP from the DC in the main office as the server and get the IP addresses for the systems in the remote offices. Trying to run a tracert from the CLI on the DC server in the main office gives me a first hop that is the LAN address of the Untangle box, but times out on every other hop. This looks like a route issue to me, but I haven't been able to add a static route in any form that allows me to communicate with the remote networks. Help!
0
Hello,

Our messaging system shows a few unusual user logins from Lkorodu, Lagos in Nigeria.

Is there any good website, or is it possible, to list networks being used by Lkorodu, Lagos instead of the entire Nigeria?

Please advise.
0
