Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


Can I edit an IKEv2 policy by adding encryption standards without breaking the current IPsec VPN that uses those policies?

I'd like to try adding SHA256 to encryption and to the PRF and integrity hashes. I can't seem to get the Azure IPsec VPN working with a VTI route-based ASA 9.9(2).
Capture.JPG
0

Any suggestions? I just added a site-to-site IPsec tunnel from a Cisco ASA (running ASDM) to a SonicWALL. I successfully got the tunnel live. However, I cannot reach anything in the Cisco network from the SonicWALL. There was also an existing Cisco AnyConnect SSL-VPN that was working and still connects; however, that VPN can also no longer access anything in the network. So it seems like a NAT issue, or maybe an issue with the ACL? Strange that all the VPNs connect but can't get to anything in the inside network. See the running-config below.


ASA Version 8.6(1)
!
hostname xxxxxx-ASA
domain-name xxxxxxx.local
enable password xxxxxx
passwd xxxxxx
names
!
interface GigabitEthernet0/0
 description To Switch 1
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 description To Switch 2
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description LAN Failover Interface
!
interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 description To TWC
 nameif Outside
 security-level 0
 ip address 47.23.x.x 255.255.255.248 standby 47.23.x.x
!
interface GigabitEthernet0/5
 description To VZW
 nameif Backup
 security-level 0
 ip address 10.1.1.2 255.255.255.248 standby 10.1.1.3
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
 management-only
!
interface Port-channel1
 …
0
Hi

We have been given Cisco Firepower 1010 firewall to use at a site and we need help with configuring site to site VPN.

Here is the current status

1. We don't have what's called the FMC; we only use FDM, which is the built-in management web interface for the device. I know there is a command line also available via terminal, but I have no clue how to use it. I am more of a GUI person.
2. I have managed to configure the basic settings so I can get on the Internet from behind the firewall.
3. I have also configured site-to-site VPN with the remote site. The remote site is using a Draytek router, and the Draytek side is showing that the VPN has been established. On the Firepower side, I can't see the status in the GUI, but the command line (show crypto isakmp sa) is showing the VPN to be up. I googled that command; I don't know CLI commands for Cisco.
4. So the VPN is up but can't route traffic between the two sites either way.

I am aware that in Cisco firewalls, just doing the VPN isn't enough; you have to do firewall rules or policies etc. I don't know where to do it from the GUI, and I have a feeling it might not even be possible via the GUI on this device. That's fine as long as someone can help me create those rules and policies using the command line.

Need to go live next week so any urgent help will be greatly appreciated.
0
Hello Folks
We are a healthcare organisation with multiple, geographically distributed branches; hence we are looking at an offsite DR.

What is the best offsite disaster recovery solution?
- Colocation
- Private Cloud.

In both above cases, what connectivity is best ?
- IPSec VPN
- MPLS
- SD-WAN
0
We have one forest, one domain at a single location. Cisco ASA 5550 with one WAN, one LAN and one VoIP interface. The main site is at 10.0.0.0/24 under AD, VoIP is at 10.0.10.0/24, and the firewall handles DHCP.

Need to add a colocation with no more than 10 hosts. The new location is connected to the existing site over a metro Ethernet line (50MB); no IPs were given, so I am assuming we can assign whatever at each end to make it work.
Also, I have one WAN connection at the new site.

I have two SG350XG-2F10 12-Port 10G Stackable Managed Switches and one Fortigate 100E firewall.

I would like to keep it one LAN, single site, as I don't expect more sites or more hosts in the near future.

What is the best way to accomplish this ?

Connect Fortigate to ASA over metroe line or use Switches or ?

Do we need to create tunnel and encrypt ?

Thanks
0
I need to rekey a tunnel - I've tried clear ipsec sa peer IP but no luck.  Anything else?
0
Hi Experts, I would like to get some help with troubleshooting site-to-site VPN connectivity between two ASAs. I need to NAT the internal subnet on both sites to a public IP address in order to avoid overlapping subnets. I can establish a VPN tunnel as long as I ping the NAT address (the tunnel does not come up if I ping any host on the internal subnet). The issue I am having is that I am not able to ping any hosts on the subnet from either end after the tunnel is established.


Site A outside IP is 50.50.50.2 (Internet G0/0 is 50.50.50.1)

Site B outside IP is 60.60.60.2 (Internet G0/1 is 60.60.60.1)

Site A and Site B can ping each other outside IP.

Site A inside subnet is 10.16.0.0/24 and is NAT to 50.50.50.3

Site B inside subnet is 10.10.0.0/24 and is NAT to 60.60.60.3

Simple network diagram
vpn-pat-overlapping-subnets.jpeg.jpg

 

ASA Site A:

ASA Version 9.7(1)4
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 50.50.50.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.16.0.1 255.255.0.0
!
object network obj-siteA-real
subnet 10.16.0.0 255.255.0.0
object network obj-siteA-map
host 50.50.50.3
object network obj-siteB-real
subnet 10.10.0.0 255.255.0.0
object network obj-siteB-map
host 60.60.60.3
object-group service ogs-srv-icmp
service-object icmp echo
service-object icmp echo-reply
service-object icmp traceroute

access-list acl-outside-in …
0
I have a WatchGuard M370 Firebox with L2TP and IPsec. My users log in to the Firebox and then to a terminal server, or in some cases their desktops. It's basically a 2-factor system: they log in to the Firebox and then to the server. I want to keep that. I have a bunch of users who take home laptops and work at home, and I'm wondering if there's a way to have my Group Policy enforced while they are on VPN. My VPN is a DMZ, so it's not actually part of the network; however, if you type an IP address, chances are you'll get where you need to go. So, for example, my home users connect to a terminal server in the DMZ. They are using laptops we created here, but if they are not acknowledged on the domain after 60 days, I'm having to put them back on the domain because the trust relationship fails. I want to try to avoid this. Is there a way to do it?
0
IP conflict in 2 of 8 recently added security cameras of the OOSSXX type. How to fix? All 8 are remotely viewable, but the 2 conflicting cameras show the images shared and flipping between their two images. Windows 10 Pro PCs and Apple in use. Please advise the easiest, best way to resolve the IP conflicts. Thanks tons
‘:o)
Asta
0
We have deployed SQL Always On, which consists of two MS SQL 2017 servers. When we try to connect through the Always On listener IP, the connection takes time.

However, it's connecting fine using the listener DNS name.
0

I am trying to establish a site-to-site VPN tunnel between an ASA 5505 and a Fortigate 300D, but the tunnel does not come up.
I have attached the config of the ASA.

interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.0.251
!
interface GigabitEthernet0/2
nameif E1(outside)
security-level 0
ip address 192.168.1.2

access-list ooredoo-Tunnel extended permit ip host aspen1 10.71.100.0 255.255.255.0
access-list ooredoo-Tunnel extended permit ip 10.71.100.0 255.255.255.0 host aspen1

access-list E1_access_in extended permit icmp 10.71.100.0 255.255.255.0 host 192.168.0.205 echo-reply
access-list E1_access_in extended permit icmp 10.71.100.0 255.255.255.0 host 192.168.0.205 echo
access-list E1_access_in extended permit icmp any host 10.150.1.4 echo
access-list E1_access_in extended permit icmp any host 10.150.1.4 echo-reply
access-list E1_access_in extended permit icmp host 10.150.1.4 any echo
access-list E1_access_in extended permit icmp host 10.150.1.4 any echo-reply
access-list E1_access_in extended permit ip any any log
access-list E1_access_in extended permit ip any host 192.168.0.205
access-list E1_access_in extended permit tcp any host 192.168.0.205 eq www
access-list E1_access_in extended permit ip host 192.168.2.100 any
access-list E1_access_in extended permit ip any host 192.168.2.100
access-list E1_access_in extended permit tcp host 192.168.2.100 any eq https

0
Hi Guys,

My first post on Experts Exchange! I'm having a little question, and it's gonna be silly.

A customer of ours wants to have SSH access to a Linux server of our shared customer. I've already set up the IP object in our Draytek router.
This is the public IP address they gave me when I asked them about it. Address type is single. The next thing I did was go to the filter setup in the firewall. I've added the source IP object into the passed group. My problem now is, they don't have a fixed IP address. So I guess I have to set it to dynamic. I know this isn't good because of the attacks we could get, but they gave me permission.

What is the best method to do this?

Thanks in advance

Kind regards,

Kevin
0
portableapps.com

Good morning, I wanted to find out if PortableApps can be somewhat secured so that if someone finds a USB key that has PortableApps installed, they cannot access the data except for the authorized user?
0
I know the encryption/decryption mechanism for typical HTTPS-based communications.

However, I fail to understand how the chemistry between the 2 blocks below works:
{private & public key} vs. {SSL certificate}

Please advise.
0
Hi,

Hope somebody could help us with this issue..

We recently purchased a 5506-X firewall to add to our existing network. We work in a shared office environment and the IT department provided us with a Static IP for (outside) configuration of the firewall. In order to have access to the internet in our network environment we must authorize devices by MAC address. I have tested the outside IP on my laptop and was able to connect to the internet from the uplink provided to me.

We have followed all the steps necessary to set up the 5506-X firewall but cannot seem to get internet access. Also, we have allowed the MAC address of each interface on the 5506-X to have access to the network.

Maybe we missed something and someone could help guide us in the right direction. We followed the instructions here but still no luck.

Below is the show configuration log...

 Saved

:
: Serial Number: JAD22310EK4
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by enable_15 at 18:30:29.659 UTC Tue Jun 11 2019
!
ASA Version 9.8(2)
!
hostname AI-Firewall
enable password $sha512$5000$oN0ERX19wEcf1sA20aNprA==$h4DD3XDf1aAxawHyqyjPYQ== pbkdf2
names
ip local pool AI-Pool 10.222.222.100-10.222.222.120 mask 255.255.255.0

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 67.71.213.166 255.255.255.252
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
0
Hi

I have a TP-Link ML-MR6400 4G router and I want to create a VPN connection with my AWS VM. The scenario is that I have a sales demo unit that the sales guy takes on the road. Rather than require him to configure a local server for each demo, I want to have the complicated server on the AWS VM and he just plugs in his local device and 4G router and the device and VM can connect.

Local Device <> 4G Router <> Cellular Network <> AWS VM

I am using SoftEther on the AWS VM.
I have configured an IPSec tunnel between the local 4G router and the AWS VM.
I have been able to get the 4G router to show in its GUI that the VPN tunnel is up, but I can't get the devices to talk to each other.

Can anyone help me please? There is no configurable OS on the local device. It is a black box. All that I can do is connect it to the 4G router, and it will be given a local IP address.

The TP-Link 4G router has the possibility to make itself the VPN server (using OpenVPN), but for various reasons I can't make the 4G router the VPN server. I need it to be the client and the AWS VM to be the VPN server.

I probably need to give you more information, but I'm not sure where to start. Thanks for your help!
0
How do I set up a VPN connection from a TP-Link TL-MR6400 4G router using IPsec VPN to a Windows Server 2012 R2 machine?

Both devices have public IP addresses.

I cannot work out what I need to install/configure on the Windows Server to allow the router to connect to it.
0
Hi, I'm trying to set up a VPN connection from a Mac to a TP-Link TL-ER620 using NCP Secure Entry Point software. I had previously flawlessly used PPTP, but the Macs decided to stop allowing that.

I get a little stuck with the IPsec terms between the two. Can someone help me out with a walkthrough of the client and server sides of the setup?

Thanks all.
0
Hello everyone,


I have a Cisco ASA 5516 with two inside interfaces. One is for the customer LAN and another is for a few branch offices connected via a router that is connected to the 2nd inside interface (all those offices are in the same building, connected by a fiber-optic backbone). The customer is going to replace an old ASA 5510 where almost the same config already works.

LAN network is 192.168.0.0/24 connected to 1/3 on ASA

Branch Offices are connected to 192.168.2.0/24 connected to 1/4 on ASA
 
I want to be able to ping and have unrestricted traffic between them.

Currently I have a laptop connected to int 1/3 and another one connected to Int 1/4 but no ping.

Someone please help!

Here's the configuration

ASA Version 9.8(2)17
!
hostname ASAFCHFW
domain-name mydomain.com
enable password $sha512$5000$pt2nRGQbSXA8K3vdow+Ztg==$kGNfDJREqQCQ+jO7m0bxmQ== pbkdf2
names
no mac-address auto

!
interface GigabitEthernet1/1
nameif Outside
security-level 0
ip address x.x.x.131 255.255.255.240
!
interface GigabitEthernet1/2
nameif DMZ
security-level 10
ip address 172.16.31.1 255.255.255.240
!
interface GigabitEthernet1/3
nameif Inside
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface GigabitEthernet1/4
nameif Branch_Office
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no …
0

Using pfSense at our main site and at a remote site. They both work on phase 1 and phase 2 over IPsec. I added a second IPsec phase 1 and phase 2 connection between a second remote site and the main site, but only the phase 1 tunnel connects; I cannot access any IPs on the main site from my new remote site.

Is there an issue with trying to have two remote sites using the same remote IP subnet at the main site?
Main_Site_01_IPsec_Tunnels.png
Main_Site_01_IPsec_Status.png
Working_Remote_Site_01_IPsec_Tunnel.png
Working_Remote_Site_01_IPsec_Status.png
Failing_Remote_Site_02_IPsec_Tunnel.png
Failing_Remote_Site_02_IPsec_Status.png
0
I had this question after viewing Server Essentials 2016 L2TP VPN.

I can connect to Windows Server 2016 Essentials via PPTP after running the Anywhere Access wizard mentioned; however, I cannot connect via L2TP.  I checked my Watchguard M400 firewall policy and the ports for L2TP and IPSec are allowing traffic through to the Windows 2016 Server Essentials.  Are there other steps that need to be taken to enable L2TP VPN?  Some users are trying to connect via iPhone tethering or Mac OS and the VPN connection is failing.
0
Hi,
I have a big problem with a Cisco VoIP configuration. I have two CME routers which are connected by IPsec over a GRE tunnel VPN. The flow between router Irak and router CI is correct, but we cannot make any calls; we hear a busy tone. However, the calls between router CI and router Irak work well.
I don't know how to fix this issue. I need your help please.

Best Regards,
puttyrouterci.log
puttyirak.log
0
I inherited a Cisco ASA and have an IPsec tunnel configured and working great; however, I am trying to figure out which hosts are using this tunnel.

Since the tunnel is encrypted, I cannot seem to capture any packets.

I see the peer IP for the tunnel, and the destination being the outside public IP of the ASA. I need to find the host that is initiating this tunnel.

Appreciate any insights, thanks
0
Cisco IPsec tunnel: I need to find out who is the final destination of a file copy through the tunnel.
A packet capture won't show me the true destination host. I see the peer IP, and the destination is the public IP of the ASA.

Example: a user initiates a copy through the tunnel. I am trying to identify which host is initiating this copy.
0
Looking for a good, detailed survey of the SD-WANs that are available and procedures for how to deploy each.
If I have a worldwide client base and I need my staff to access customers' data centers privately, how do I pick the right SD-WAN solution, and how do I migrate to it?
0
