
Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


I need to look at a website. It is not a pentest itself. Just a vulnerability scan. What tools could I use to generate a complete report?
I also need to generate a less technical report.


I am facing an issue where my Cisco ASR 1002-X keeps rebooting itself at random times. When I run show version, I can see the reason for reload is: critical process fault, fman_fp_image, fp_0_0, rc=139

On my syslog server, I keep getting this error: %IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:171 TS:00000041045846946120 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error,

I don't know if that could be the reason for my router reload or if it's an IOS bug; I am running asr1002x-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin.

Your help will be highly appreciated.
Good morning everyone. Let me describe my environment: I have DirectAccess set up on Server 2016, running on 2 servers and load balanced on a Kemp. NLS servers are on dedicated, clustered servers as well. DirectAccess seems to be running OK, but every day I get a random user calling with the same issue as the others.

Scenario: Users are outside the network connected through DA. Their DA connection will drop and I will get these errors in the event log of the DA server they are connected to (events attached): "An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted." and "An IPsec main mode negotiation failed." Then DirectAccess will be stuck in the connecting status. The user then simply shuts down and calls it a night. When they come into the office the next morning, they log into the network, but their computer's network domain is on public or private and not on ourdomain.local. The only way to fix it is to pull out the DA registry keys and reboot, although this is not a good or safe solution. I have verified the NLS servers are up and accessible. And again, it doesn't happen to everyone, only about 1 out of every 5 users.

What would make the local computers come up on the public or private network right at bootup?

Any help would be GREATLY appreciated!
I am troubleshooting a connection issue for two sites connected over ipsec l2l tunnel. It's occasional. TCP traffic conversation ages out. Is there a way to see when the tunnel went down or up in the previous 24 hours?
I am creating a site-to-site IPsec VPN tunnel with a Cisco ASA 5506x and a 5555. Now, the 5506x firewall I am keeping in the DMZ. Can I keep the outside int and inside int IP of the 5506x in the same subnet?
We currently use OpenVPN, as well as L2TP over IPsec VPN, on our Linux servers (CentOS 6.x mostly). Both VPN servers are running properly. However, while each of the physical servers has several IPs assigned to it, the VPN is always able to run on one IP address only.

What we need:

When a user connects to our server (either via OpenVPN or via L2TP over IPsec VPN), the server picks a random server IP address instead of just one for all users.

Basically, what we need is a server side IP address rotation for the VPN.
There is an IPsec tunnel from an SRX240H2 to a Sophos UTM 9.

The tunnel is up most of the time but occasionally goes down. And I wonder if the following could be related to the problem.

When the Sophos appliance sends this (from capture on the SRX):

Frame 10273: 310 bytes on wire (2480 bits), 310 bytes captured (2480 bits)
Juniper Ethernet
Ethernet II, Src: Cisco_xx.xx.xx (30:e4:db:xx.xx.xx), Dst: Netscreen_xx.xx.xx (00:10:db:xx.xx.xx)
Internet Protocol Version 4, Src:, Dst:
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 284
    Identification: 0xffe2 (65506)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 57
    Protocol: UDP (17)
    Header checksum: 0x15b1 [validation disabled]
    [Header checksum status: Unverified]
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 500, Dst Port: 500
Internet Security Association and Key Management Protocol
    Initiator SPI: 91ee52a313c081d6
    Responder SPI: 0000000000000000
    Next payload:…
We have issues while setting up client VPN on TP-LINK TL-ER6120 and TL-ER6020 routers. Even when it is connected, we are unable to ping the inside hosts.
So I've been tasked with creating an IPSec VPN using a Cisco RV325. I've followed through several guides to get this setup and as it currently stands, I've managed to create the tunnel, connect and authenticate to the VPN successfully using the Shrewsoft VPN Client. However, once connected with either the IPSec VPN or the EasyVPN, I am able to ping the internal address of the router, but unable to ping any other device on the remote LAN. I've made sure firewalls are turned off for testing purposes just to ensure the packets aren't being blocked. I've also tried RDP connections to devices with no joy.

Interestingly, when I tried using the PPTP VPN through the RV325 (using Windows 'connect to a network'), I'm able to ping everything and remote access servers etc.

I've noticed that the RV325 will give you a virtual IP address range (which the VPN client is picking up) although it seems like there's no kind of address translation or routing to the subnet I need to get to. My remote LAN uses 172.16.8.x/24, the virtual addresses use 172.16.9.x/24.

Please let me know if any log files, config files or screenshots of anything would be of any troubleshooting help and I'll get them posted. Any ideas welcome!

Many thanks in advance,
Hey guys,

I'm troubleshooting a very interesting issue... we have a branch connected over IPsec (set up on Mikrotik)... everything works pretty much fine except network drives... when users want to open them it takes a very long time, approx 5 mins... if they connect over VPN everything is fine. Any ideas? We use 3DES encryption for IPsec.

Thank you very much!!


Hi All,
We have a DrayTek 2960 set up with a teleworker dial-in connection using L2TP over IPsec, and it works perfectly for all users apart from those using HP EliteBooks! The connection always fails with an Error 809, even though we can connect with the same details using another laptop from the same remote office.
We've even installed the DrayTek VPN client, but that fails with an unknown error. I have switched off the antivirus and the firewall and this doesn't help.
Has anyone got any ideas?
I have a laptop that can connect to wireless and wired networks (detected) but has no internet (unidentified).

When setting a static address on the network, it detects the network name but has no internet.

Cannot manually start the service.

Also cannot navigate to or localhost - access denied.

I have scanned for malware, checked that everything is set to DHCP, re-installed NIC driver, reset using netsh int ip reset, netsh int tcp reset, netsh winsock reset.

Minitoolbox showed an error saying an attempt was made to access a socket in a way forbidden by its access permissions.

Any help would be greatly appreciated
I have a Windows 2016 Hyper-V server box that came with two network cards. The first NIC is connected to the internal LAN (192.168.1.x) and the 2nd NIC is connected directly to the ISP Internet modem (therefore, it receives a dynamic public IP address given by the ISP DHCP server). On the 2nd NIC, I intend to create a virtual machine ("TESTVM") where I'd like to try to open some suspicious email attachments or click on website links (to find out whether they are malicious). I have installed Malwarebytes Anti-Exploit/Anti-Malware/Ransomware on this VM and it sends me email alerts whenever it detects "suspicious" activity.
I plan on connecting to this VM thru remote desktop connection program (port# 3389, 3390 .. etc) using Dynamic DNS.
Having said that, I know a lot of experts would go against the idea of exposing the server to public internet.

I know that I could put another router (192.168.2.x) between the 2nd NIC and the ISP internet modem to enhance security, but what I'd like to know is how vulnerable am I as it is?
How could hackers penetrate to this server when the only account is "administrator" with secure password?

Thank you for your insight.
Hi. So this used to work, so I am baffled at the moment. Let's say the networks are as below: 2 Cisco ASAs, a 5501 on one side, a 5510 on the other.

VLAN location 1: X.X.20.0 /24
VLAN location 2: X.X.30.0 /24

I see on both ASDMs the ICMP packets being transmitted; "built" never says fail, but it does not ping on local clients.
If I do a traceroute from the 5505, it at least goes out a few hops.
But if I go to the 5510, I get zero hops, as if it's not leaving the ASA at all.

I see network objects defined for both, I have static routes defined for both

Anything I am missing? Without me pasting my config, I mean, just anything very obvious? TY all
Need help configuring an IPsec site-to-site VPN tunnel between two sites. But the requirement is that I have to NAT all my local subnet (e.g. to a single IP (e.g. and send it through the tunnel for remote traffic (e.g. Please see the attached diagram for details.

I am OK setting up an IPsec site-to-site tunnel using the wizard between the local network to the remote network  But this specific remote site requires we NAT all our local network to a single private IP and send it over the tunnel... as they will only accept traffic from this NATed single private IP ( only.

Cisco ASA 8.x

I'm French, so my English isn't perfect...

I have a client with this network:
- 10 remote sites with Cisco ASA 5505s connected to a Cisco ASA 5520 (in the main agency).

Example :
A is connected to B (IPSec Tunnel)
B is connected to C (IPSec Tunnel)

I would like site A to be able to get to site C through site B without creating a new VPN tunnel...

I don't know how I can do that...
Hi Experts,

On our public-facing OWA server on IIS 7, we turned on IP Address and Domain Restrictions. If from the log we detect any IP trying to brute force a login to our Web Outlook interface, we put the IP into a "Deny Restriction Rule" in the hope that the IP will be 'blocked', meaning not even able to get the login screen. Actually it seems to be wishful thinking, since we noticed that one of the IPs we already added to the 'Deny' list still keeps showing up in the log, and we can see it got the login form and was then denied with sc-status 401-1.

My question is: it seems this feature does NOT "block" the IP from getting the login form, but instead simply "denies" their login request. Is that correct?
Hello Expert,

I have an issue with an IPsec configuration on an ASR 1001-X. I use a crypto map based implementation, but it's not working. I made a capture on the device facing the ASR and I have no ESP packets coming out of the ASR. I can ping the remote IPsec peer but nothing else.

Below is the configuration; do you see something missing?

ip vrf Ivrf
 description Clear side VRF
ip vrf Fvrf
 description Cypher side VRF (front door vrf)
crypto keyring Key_test vrf Fvrf
  pre-shared-key address key toto123
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile ISAK_TEST
   vrf Ivrf
   keyring Key_test
   self-identity address
   match identity address Fvrf
   initiate mode aggressive
   local-address Loopback2
crypto ipsec transform-set ESP-NULL esp-null esp-sha-hmac
 mode tunnel
crypto map CRYPTO_TEST 1 ipsec-isakmp
 description TEST
 set peer
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 28800
 set security-association idle-time 28800
 set transform-set ESP-NULL
 set isakmp-profile ISAK_TEST
 match address CRYPTOACL_TEST
 reverse-route remote-peer static
interface Port-channel1.419
 description cypher side interface
 encapsulation dot1Q 419
 ip vrf forwarding Fvrf
 ip address
 standby version 2
 standby 419 ip
 standby 419 …
We have several small networks connected to our corporate office over IPsec tunnels. At our office, we have a Windows 2008 R2 server running NPS performing RADIUS authentication with WAPs. Up until now, everything has been running fine. But we connected a new office and we can't get any of our clients working on the WAP at the remote office. We can see the RADIUS authentication request come from the WAP across the VPN and hit the server, the server responds back to the WAP, but then nothing happens on the requesting client. All other traffic over the VPN comes across without issue.

The difference at this new network is that we're trying a Netgate PFsense firewall instead of our normal SonicWall. The only thing I can come up with is the Pfsense firewall is interfering with the WAP in some form, but so far I haven't found anything that would prevent that.

The WAPs being used (at both old and new locations) are Open-Mesh MR1750v2.
I need to migrate a VPN tunnel with 70 lines of crypto map. The PAN GUI appears to permit my only adding a single line at one time. I see that I can add security rules via CLI. Perhaps there is something similar for adding an IPsec tunnel and its Proxy IDs? Any other thoughts appreciated.

set rulebase security rules Inbound-SSH from corpfw2-untrust
set rulebase security rules Inbound-SSH to corp-vpn
set rulebase security rules Inbound-SSH source RFC-1918
set rulebase security rules Inbound-SSH destination any
set rulebase security rules Inbound-SSH source-user any
set rulebase security rules Inbound-SSH category any
set rulebase security rules Inbound-SSH application [ ssh ssh-tunnel]
set rulebase security rules Inbound-SSH service application-default
set rulebase security rules Inbound-SSH hip-profiles any
set rulebase security rules Inbound-SSH action allow
set rulebase security rules Inbound-SSH profile-setting group Corp-Default-SecPro1
set rulebase security rules Inbound-SSH log-start yes
set rulebase security rules Inbound-SSH log-setting logmaster1
set rulebase security rules Inbound-SSH disabled yes
Is there any way to monitor the email clients' IP addresses on Exchange 2016? Especially on smart phones.
Hello Master.
I have a FortiGate 60D and a Cyberoam, and I have configured an IPsec VPN between them.
The VPN is connected, but I can't access the computers (RDP, ping, web, HTTPS) on the other side.
I tried to allow the connection in the filter rules on both sides, but I still can't access them.
I tried step by step in this link, and still can't access them.
Any suggestions for my case? Some tutorial link or something I must do.

Thanks Very Much

This year I have a project to set up Cisco PfR technology to optimize the company's network. The company has 6 offices (A to F) all over the world which connect to each other by IPsec over GRE tunnels over the internet.

Unlike some traditional PfR scenarios, we don't have a hub-and-spoke deployment. Instead, the 6 offices are fully meshed with each other. Each office has 1-2 VPN routers and each VPN router is linked with two different ISPs. Any two offices are connected over encrypted point-to-point GRE tunnels.

My question is: am I able to configure PfRv3 based on this point-to-point GRE tunnel deployment rather than changing the whole infrastructure to DMVPN/multipoint GRE tunnels? Is it supported by some Cisco user guide?

What we want to achieve is to always use the GRE tunnel with the lowest latency/packet loss as the active network connection between the two offices/countries. The current network topology is too complicated, so we want to minimize the changes. Configuration samples of one office are as below:

[ Cisco ISR4431 ]

interface Tunnel22
 ip address
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel protection ipsec profile corporate-ipsec
interface Tunnel23
 ip address
 ip tcp adjust-mss 1300
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel protection ipsec profile corporate-ipsec
interface GigabitEthernet0/0/0
 ip address x.x.x.x
I am having issues with 4 sites. Each has 4 IPsec VPN tunnels in between for cross connection and application access.

But only one application is giving me an issue. The server is on site (A) and site (B), but soon to be (A) only. Two other sites, (C) and (D), are VPNing in to site (A) to access the server.

When you minimize the application (which is working through an RDP connection) and work on something else, once you get back to the application there is a reconnecting issue. It takes about 2-3 mins to get the application working again.

I've been having some issues with the VPN and I am not a pro with VPN logs. Can anyone help me?

2017-02-01, 08:12:08      VPN Log      [g2gips0] #8461: [Tunnel Established] IPsec SA established {ESP=>0xc7488fd9 < 0xcd1b9f35}
2017-02-01, 08:12:08      VPN Log      [g2gips0] #8454: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xcee3770f) not found (maybe expired)
2017-02-01, 08:15:15      VPN Log      [g2gips0] #8462: [Tunnel Established] sent MR3, ISAKMP SA established
2017-02-01, 08:19:30      VPN Log      [g2gips3] #8463: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xc8dcbf5b < 0xcc9dcbd1 AH=>0xca3fff03 < 0xc2c1a9a1}
2017-02-01, 08:19:30      VPN Log      [g2gips3] #8456: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xcf402c1f) not found (maybe expired)
2017-02-01, 08:19:30      VPN Log      [g2gips3] #8456: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_AH SA(0xc8a48df1) not found (maybe expired)
2017-02-01, …
Current config: ASA-5505, vASA 8.2 (5). Serves our 1-15 host network, and has a site-to-site IPsec VPN to a client configured (establishes automatically). Of course, all non-local or internet traffic is sent to the VPN. Been working great for over a year, no hiccups.
Eth0 is the "outside" interface (security level 0), Eth1-7 are the "inside" interfaces, security level 100. All IPv4, no IPv6.

I'm adding a remote office, and I want the remote office to effectively act as part of the original local office. It will have its own 5505 device, and static IP address(es) from our ISP. I plan to use a 2nd site-to-site VPN to connect. The particulars are where I'm lost a bit; Cisco firewall configuration is not my forte. How I envision the remote office to behave is that hosts there will obtain their IP address via the local 5505. The VPN there needs to act pretty much as a NAT bridge. The remote office will still need the same access to our site-to-site client, and also appear as hosts "of" our original local network. They would have their own IPv4 subnet. The default gateway would be the inside IP address of the local 5505.
So it seems easy on the new office side, I think.

Now the current local office:
Here are my guesses so far: I have multiple public IPs to use, so set another "unused" current 5505 Ethernet physical port as one of our other public IPs? It appears this is set as a different VLAN? (Eth0 is currently VLAN2, Eth1-7 is VLAN1.) Then, create a …
