Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


We have a site to site VPN tunnel which has been performing well for 4 years.  We are seeing increased traffic this week and are seeing select devices unable to reliably access the tunnel for periods of several minutes to several hours while other devices are able to connect across the tunnel.

The VPN tunnel is used to access a terminal server in a remote site using handheld computers running Windows CE.  We typically have 12 devices deployed.  Currently we have 18 devices deployed for a 2 week project.

We are seeing that during peak times (more users connected to the RDP server) select devices will be unable to connect.  Pings from the affected device will range from 100% loss to 0%.  The ping failure rate fluctuates.  Users may sometimes connect to the RDP server for a few minutes before being disconnected again.

This problem seems to last between 10 - 120 minutes.

I have taken packet captures at the ASA and see that both ICMP and RDP packets are arriving on the inside interface - the portable computer having the problem is transmitting correctly.

My problem is how do I ensure the ASA is encapsulating these packets and sending them out the Outside interface reliably.  I have taken packet captures on the outside interface but do not know of a way to match these encapsulated packets up to those originating from the problem computer.

I have reviewed: Show crypto ipsec sa

 #pkts encaps: 9228711, #pkts encrypt: 9228711, #pkts digest: 9228711

We have deployed SQL Always On, which consists of two MS-SQL 2017 servers. When we try to connect through the Always On listener IP, the connection takes time.

However, it's connecting fine using the listener DNS name.

I am trying to establish a site-to-site VPN tunnel between an ASA 5505 and a Fortigate 300D but the tunnel does not come up.
I have attached the config of the ASA.

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.251
!
interface GigabitEthernet0/2
 nameif E1(outside)
 security-level 0
 ip address 192.168.1.2

access-list ooredoo-Tunnel extended permit ip host aspen1 10.71.100.0 255.255.255.0
access-list ooredoo-Tunnel extended permit ip 10.71.100.0 255.255.255.0 host aspen1

access-list E1_access_in extended permit icmp 10.71.100.0 255.255.255.0 host 192.168.0.205 echo-reply
access-list E1_access_in extended permit icmp 10.71.100.0 255.255.255.0 host 192.168.0.205 echo
access-list E1_access_in extended permit icmp any host 10.150.1.4 echo
access-list E1_access_in extended permit icmp any host 10.150.1.4 echo-reply
access-list E1_access_in extended permit icmp host 10.150.1.4 any echo
access-list E1_access_in extended permit icmp host 10.150.1.4 any echo-reply
access-list E1_access_in extended permit ip any any log
access-list E1_access_in extended permit ip any host 192.168.0.205
access-list E1_access_in extended permit tcp any host 192.168.0.205 eq www
access-list E1_access_in extended permit ip host 192.168.2.100 any
access-list E1_access_in extended permit ip any host 192.168.2.100
access-list E1_access_in extended permit tcp host 192.168.2.100 any eq https

Hi Guys,

My first post on Experts Exchange! I have a little question, and it's gonna be silly.

A customer of ours wants to have SSH access to a Linux server of our shared customer. I've already set up the IP object in our Draytek router.
This is the public IP address they gave me when I asked them about it. Address type is single. The next thing I did was go to the filter setup in the firewall. I've added the source IP object into the passed group. My problem now is, they don't have a fixed IP address. So I guess I have to set it to dynamic. I know this isn't good because of the attacks we could get, but they gave me permission.

What is the best method to do this?

Thanks in advance

Kind regards,

Kevin

portableapps.com

Good morning, I wanted to find out whether portableapps can be somewhat secured so that if someone finds a USB key that has portableapps installed, they cannot access the data except for the authorized user?

I know the encryption/decryption mechanism for typical HTTPS-based communications.

However, I failed to understand how the chemistry between the two blocks below works:
{private & public key} vs. {SSL certificate}

Please advise

Hi,

Hope somebody could help us with this issue..

We recently purchased a 5506-X firewall to add to our existing network. We work in a shared office environment and the IT department provided us with a Static IP for (outside) configuration of the firewall. In order to have access to the internet in our network environment we must authorize devices by MAC address. I have tested the outside IP on my laptop and was able to connect to the internet from the uplink provided to me.

We have followed all the steps necessary to set up the 5506-X firewall but cannot seem to get internet access. Also, we have allowed the MAC address of each interface on the 5506-X to have access to the network.

Maybe we missed something and someone could help guide us in the right direction. We followed the instructions here but still no luck.

Below is the show configuration log...

 Saved

:
: Serial Number: JAD22310EK4
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 18:30:29.659 UTC Tue Jun 11 2019
!
ASA Version 9.8(2)
!
hostname AI-Firewall
enable password $sha512$5000$oN0ERX19wEcf1sA20aNprA==$h4DD3XDf1aAxawHyqyjPYQ== pbkdf2
names
ip local pool AI-Pool 10.222.222.100-10.222.222.120 mask 255.255.255.0

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 67.71.213.166 255.255.255.252
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!

Hi

I have a TP-Link ML-MR6400 4G router and I want to create a VPN connection with my AWS VM. The scenario is that I have a sales demo unit that the sales guy takes on the road. Rather than require him to configure a local server for each demo, I want to have the complicated server on the AWS VM and he just plugs in his local device and 4G router and the device and VM can connect.

Local Device <> 4G Router <> Cellular Network <> AWS VM

I am using SoftEther on the AWS VM.
I have configured an IPSec tunnel between the local 4G router and the AWS VM.
I have been able to get the 4G router to show in its GUI that the VPN tunnel is up, but I can't get the devices to talk to each other.

Can anyone help me please? There is no configurable OS on the local device. It is a black box. All that I can do is connect it to the 4G router and it will be given a local IP address.

The TP-Link 4G router has the possibility to make itself the VPN server (using OpenVPN), but for various reasons I can't make the 4G router the VPN server. I need it to be the client and for the AWS VM to be the VPN server.

I probably need to give you more information, but I'm not sure where to start. Thanks for your help!

How do I set up a VPN connection between a TP-Link TL-MR6400 4G router using IPsec VPN and a Windows Server 2012 R2 machine?

Both devices have public IP addresses.  

I cannot work out what I need to install/configure on the Windows Server to allow the router to connect to it.

Hi, I'm trying to set up a VPN connection from a Mac to a TP-Link TL-ER620 using NCP Secure Point software.  I had previously flawlessly used PPTP, but the Mac has decided to stop allowing that.

I get a little stuck with the IPsec terms between the two; can someone help me out with a walkthrough on the client/server side of the setup?

Thanks all.

Hello everyone,


I have a Cisco ASA 5516 with two inside interfaces. One is for the customer LAN and another is for a few branch offices connected via a router that is connected to the 2nd inside interface (all those offices are in the same building, connected by a FO backbone). The customer is going to replace an old ASA 5510 where almost the same config already works.

LAN network is 192.168.0.0/24 connected to 1/3 on ASA

Branch Offices are connected to 192.168.2.0/24 connected to 1/4 on ASA
 
I want to be able to ping and have unrestricted traffic between them.

Currently I have a laptop connected to int 1/3 and another one connected to Int 1/4 but no ping.

Someone please help!

Here's the configuration

ASA Version 9.8(2)17
!
hostname ASAFCHFW
domain-name mydomain.com
enable password $sha512$5000$pt2nRGQbSXA8K3vdow+Ztg==$kGNfDJREqQCQ+jO7m0bxmQ== pbkdf2
names
no mac-address auto

!
interface GigabitEthernet1/1
nameif Outside
security-level 0
ip address x.x.x.131 255.255.255.240
!
interface GigabitEthernet1/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.240
!
interface GigabitEthernet1/3
nameif Inside
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface GigabitEthernet1/4
nameif Branch_Office
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no …

Using pfSense at our main site and at a remote site. They both work on phase 1 and phase 2 over IPsec. I added a second IPsec phase 1 and phase 2 connection between a second remote site and only the phase 1 tunnel connects; I cannot access any IPs on the main site from my new remote site.

Is there an issue with trying to have two remote sites using the same remote IP subnet at the main site?
Main_Site_01_IPsec_Tunnels.png
Main_Site_01_IPsec_Status.png
Working_Remote_Site_01_IPsec_Tunnel.png
Working_Remote_Site_01_IPsec_Status.png
Failing_Remote_Site_02_IPsec_Tunnel.png
Failing_Remote_Site_02_IPsec_Status.png

I had this question after viewing Server Essentials 2016 L2TP VPN.

I can connect to Windows Server 2016 Essentials via PPTP after running the Anywhere Access wizard mentioned; however, I cannot connect via L2TP.  I checked my Watchguard M400 firewall policy and the ports for L2TP and IPSec are allowing traffic through to the Windows 2016 Server Essentials.  Are there other steps that need to be taken to enable L2TP VPN?  Some users are trying to connect via iPhone tethering or Mac OS and the VPN connection is failing.

Hi,
I have a big problem with Cisco VoIP configuration. I have two CME routers connected by an IPsec over GRE tunnel VPN. The flow between router Irak and router CI is correct but we cannot make any calls; we hear a busy tone. However, the calls between Router CI and Router Irak work well.
I don't know how to fix this issue. I need your help please.

Best Regards,
puttyrouterci.log
puttyirak.log

Inherited a Cisco ASA and I have an IPsec tunnel configured and working great; however, I am trying to figure out which hosts are using this tunnel.

Since the tunnel is encrypted, I cannot seem to capture any packets.

I see the peer IP for the tunnel, and the destination being the outside public IP of the ASA; I need to know the host that is initiating this tunnel.

Appreciate any insights, thanks

Cisco IPsec tunnel: need to find out who is the final destination of a file copy through the tunnel.
Packet capture won't show me the true destination host. I see the peer IP and the destination is the public IP of the ASA.

Example: a user initiates a copy through the tunnel; I am trying to identify which host is initiating this copy.

Looking for a good detailed survey of SD-WANs that are available and procedures for how to deploy each.
If I have a worldwide client base and I need my staff to access customers' data centers privately, how do I pick the right SD-WAN solution, and how do I migrate to them?

We have an IPsec tunnel set up between two locations. One side is Cisco and the other a Fortigate. The ACL is set up to allow all traffic between the two locations. Most traffic does work but we found we are unable to pass SSH traffic through. We can see the SSH traffic leaving the Fortigate.  We have no problem connecting with SSH through the NAT statements on the Cisco, so we know it's the tunnel that is causing this. What am I missing?

crypto map chi-map 10 ipsec-isakmp
 description Tunnel to Chicago office
 set peer 99.99.99.99
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 43200
 set transform-set chi-ipsec
 set pfs group20
 match address 100
 reverse-route

access-list 100 permit ip 192.168.254.0 0.0.0.255 192.168.22.0 0.0.0.255

Working to establish an IPsec site-to-site VPN; the local network is 192.168.0.x behind a Cisco RV130W and the far end has a Cisco NSA 2600 and also has a pre-existing VPN with the 192.168.0.x subnet. The tunnel needs to support a single host on each end.

Is it possible to assign a 2nd IP Address to the PC in my network, say 10.10.20.2, and use this for the VPN?

Morning, I am trying to set up a Windows 2016 VPN via L2TP but keep getting the below error.
Anyone know what I can do to fix it?

During main mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
Local Network Address:      172.16.0.139
Remote Network Address:      172.16.66.10
Keying Module Name:      IKEv1

Internet (ISP) ----> CISCO 891 ----> Ubuntu Server [Another Country/City] (IPsec or something) ------]
                                                                                       Internet (ISP) <------ CISCO 891 <---------------------]

Can I configure my home CISCO router to connect to another VPN server and give my home computers access to the internet from this server?

It has been almost a year since I switched to Auth0 in order to manage my customers' access to the dashboard of my application. Nowadays I need to implement access for a RESTful API.

If I follow the instructions in order to secure the NodeJS app using JWT it works like a charm. The issue is that I am not properly sure on the implementation for the end user in order to get the token needed to access this API.

I thought of creating the tokens on the dashboard or just using a server-side implementation for the login/authentication. I did the latter using access to my own database before and it worked amazingly. My issue is that I am not completely sure on how to do it for the end user using Auth0.

It would be great if you can guide me in order to implement the login/authentication side of the API using Auth0 and NodeJS.

Hi,

I have a problem establishing a call session between two sites over a GRE-over-IPsec tunnel. The tunnel is up but I am unable to set up a call. I think the problem is NAT but I don't know how to fix it.  It seems like the traffic is blocked at the beginning of the tunnel.

You can see the configuration files attached.

Best Regards,

Aristide

Dear expert,

I have bought a Samsung smart TV. I am looking for a trusted and secure IPTV to install on it, and a secure IPTV vendor including Bein Sport, OSN, US channels, UK BBC, etc.

A friend of mine advised me to install KODI but it is showing on the Samsung store.

Thank you in advance.

All of a sudden last Friday, users have started having problems accessing some secured (banking, CC processing) sites & I'm not finding any indicators as to why.
I'm running a SonicWall TZ 300 & can't seem to find any info in any log files that would point me in the right direction. When going to certain sites, I just get a "waiting for site" message on the tab & the page never loads.
Any suggestions?