Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


I have a domain that is spread out over 15-plus offices scattered around the globe. All the offices have IPsec connectivity back into Corporate. Each of the satellite offices has a domain controller onsite. My problem is this. When I do an nslookup from our corporate site to domain.com, or attempt to ping or resolve domain.com from corporate, I am getting routed to any of the other domain controllers and not specifically to the ones located on my site. This is also happening on my other sites. For example, in Australia, where I have a DC and DNS server, I get resolution to other offices when referencing the domain. What I want is, when I am in an office, for the system to resolve the domain to the local servers first and only pass to another location should the local devices be unavailable. We have set this up in Sites and Services and thought we had it, but DNS just isn't cooperating.
0

I built a LAN-to-LAN VPN between two companies, both ASA5510. When I finished configuring, I did 'show crypto isakmp sa',
and it displayed 'there are no isakmp'.
When I do 'packet-tracer input inside tcp 10.99.4.12 80 10.120.1.4 80', the VPN tunnel comes up successfully, and 'show crypto isakmp sa' has some content:
1   IKE Peer: a.a.a.a
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE    

and the two companies could access each other, but a strange thing appeared: after 10 minutes, the VPN tunnel dropped and 'there are no isakmp' appeared again. I could not do packet-tracer every 10 minutes. With another method, using a server to ping the opposite server all the time, the tunnel won't drop.

Here is the configuration:
asa5510 A:
access-list QM-test extended permit ip 10.99.4.0 255.255.255.0 10.120.1.0 255.255.255.0
access-list acl_nat0 extended permit ip 10.99.4.0 255.255.255.0 10.120.1.0 255.255.255.0
nat (inside) 0 access-list acl_nat0
crypto ipsec transform-set test-QM esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 43200
crypto ipsec security-association lifetime kilobytes 4608000
crypto map mymap 10 match address QM-test
crypto map mymap 10 set peer a.a.a.a
crypto map mymap 10 set transform-set test-QM
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash…
0
I have been trying to work with SonicWall support on this issue and have made no progress. We have been using the appliance in the past with split tunnel enabled but, due to security requirements, we can no longer allow split tunnel. If we turn it off, remote users can access the internal resources we have configured, but cannot access anything on the Internet. It seems that we need to create a resource which is "anything" on the Internet, but we don't know how to do that. We don't see any kind of wildcard option. We have not given our users access to "Any" resource. We need to specifically define the resources they have access to. We need an "Internet" resource and then we can give them access to that. Is this possible? Or is there some other way to approach this?

SonicWall support had us upgrade the firmware to 11.40-468 with the 708 hotfixes, but that did not create an option for resolving this requirement.
0
We're using a Cisco RV320 at one of our locations.
It's primarily used for two hardware VPNs using IPsec. Tunnel 1 goes to our hosted server (which has no issues) and Tunnel 2 goes to a Rogers-hosted server.

Recently, the Rogers-hosted server location changed their WAN IP. Therefore, I rebuilt Tunnel 2 to point to the new WAN IP and was able to establish the connection, and the tunnel went UP. All remote LAN IPs and IPsec protocols remained the same; the only change was the WAN IP.

Since this change, accessing remote server resources on Tunnel 2 is intermittent, i.e. in the morning it will be inaccessible, but for a few hours in the afternoon it will be accessible. During this whole time, VPN Tunnel 2 remains UP and doesn't go down; we just cannot communicate with the remote LAN IP.

I asked the Rogers tech to change back to the old remote WAN IP for testing. As soon as we changed back to the old remote WAN IP, all resources became available again. We then changed back to the new remote WAN IP and server resources once again became unavailable. During these VPN changes, I've made sure to reboot our Cisco RV320 numerous times as well as rebuild this tunnel.

In addition to this, we have 4 other locations with the same Cisco RV320 on the same firmware connecting to the old remote WAN IP of the Rogers-hosted server. We briefly tested the remote WAN IP change on another router's Tunnel 2, and the same issue occurred as it did on the other one.

My …
0
I got a /23 public subnet from my provider with their gateway within that subnet, x.x.91.1/23. I configured my FW with an IP address from that subnet, x.x.90.1, and ping is allowed on the FW outside interface. I am trying to set up an IPsec VPN from this site back to the HQ. From HQ and from my PC at home, I can ping their gateway x.x.91.1 but cannot ping x.x.90.1. I checked in a looking-glass BGP table and that subnet is routable on the Internet.
They said that everything is configured correctly on their end and the issue is on my end. I am not sure I agree with them, but I am not sure how to validate my argument. Thanks
0
I have 2 Ubuntu servers, one at home and one on a remote server, and both are running Ubuntu Server 16.04.

I followed this guide to install and configure strongSwan: https://raymii.org/s/tutorials/IPSEC_vpn_with_Ubuntu_16.04.html

It worked fine on my local server but not on the remote server; even when accessing my local server remotely it works just fine.

I am stuck. I'm not sure what I am doing wrong. Hoping someone on here can help. My host says that my Ubuntu install is mostly* stock with little to no mods, though I've noticed some file permissions were changed.

https://imlost.me/server.txt https://imlost.me/client.txt
0
Hi Guys

I need to find a way to allow the 10.0.0.0/24 network to be reached from the 10.10.1.0/24 – 10.10.3.0/24 networks. Given little documentation, I need help to allow communication between the networks, trying to achieve the below (sorry, I know it is sketchy):
 
10.10.1.0/24 >>> PING >>>> 10.0.0.0/24
10.10.3.0/24 >>> PING >>>> 10.0.0.0/24
 
10.0.0.0/24 >>> PING >>>> 10.10.1.0/24
10.0.0.0/24 >>> PING >>>> 10.10.3.0/24

Below is the .conf file I pulled from our OpenSwan 2.2.6; this .conf file is for our 10.10.1.10/24 network (the 10.10.3.0/24 network is similar):
 
conn ifly-pen
        auto=start
        type=tunnel
        left=%defaultroute
        leftsubnets={172.17.0.0/16 10.0.0.0/24}
        leftid=54.153.249.30
        right=115.70.193.138
        rightid=115.70.193.138
        rightsubnets={10.10.1.0/24}
        authby=secret
        ike=aes128-sha1;modp1024
        esp=aes128-sha1
        pfs=no
        forceencaps=yes
        force_keepalive=yes
        keep_alive=10
        ikelifetime=8h
        keylife=8h
 
You can see the leftsubnets allows for communication to the 10.0.0.0/24 network from the 10.10.1.0/24 network. However, in the 10.10.1.0/24 network, when I ping the 10.0.0.1 IP address I get no response; see Ping.png and Tracert.png.
 
Our OpenSwan IP is 172.17.0.6 and it is a VM in AWS. You can see the above is routing through 10.10.1.1 (the router on the 10.10.1.0 network), through to 172.17.0.6, but then goes …
0
Hello, I started to configure a pfSense, version 2.4.1. I want to know if it is possible to configure IPsec multi-WAN failover.

Has anyone had any experience configuring this? I already configured the dual-WAN failover on the pfSense.

I would like the VPN tunnel to be able to stay up if the WAN fails over.

Thanks in advance
0
Hi All,

We have two Cisco ASA 5505 Firewalls that are running a site to site VPN, one is in China the other is in the UK. The China ASA is the initiator.

This isn't something I set up; it was set up years ago and it had been working perfectly until about 6 weeks ago, when one day it just stopped. If I try to ping a host from China to Manchester I can see MM_WAIT_MSG2 on the China ASA and MM_WAIT_MSG3 on the UK side, but it never gets any further.

No config was changed; it simply stopped working one day. I'm fairly new to Cisco. I could see that the time was out on the China side, so I corrected this, without success. Below is a snippet from each ASA that I think is relevant to the VPN. Can anyone offer any suggestions?

----- China ------

crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address VPNACL
crypto map VPNMAP 1 set peer 195.x.x.x
crypto map VPNMAP 1 set ikev1 transform-set VPN
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 43200

------ UK --------

crypto ipsec ikev1 transform-set VPN esp-3des esp-md5-hmac
crypto map VPNMAP 1 match address VPNACL
crypto map VPNMAP 1 set peer 202.x.x.x
crypto map VPNMAP 1 set ikev1 transform-set VPN
crypto map VPNMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 …
0
We have multiple branches and sites that are connected to the main data centre. As of now the WAN is protected (traffic is encrypted via IPsec). Objective: I want to make sure that all traffic is also encrypted when it leaves the host. There should be no gap (unencrypted data in motion), regardless of whether it is within the LAN or the WAN.
The concern from the network engineer is that if we implement host-to-host IPsec, it will be a tunnel within a tunnel. It will decrease network performance.
How do we ensure all the traffic is encrypted? Are there any other available solutions?
0

I have a main office running OpenVPN on Untangle v9.4 (I know, but they don't want to spend the money to upgrade and reconnect all of the offices). The remote offices are all on different subnets, and I have no problem reaching the main office by IP address or hostname from the remote office computers. From the main office, I am unable to ping or communicate with any of the remote offices. There are no issues with the main office connecting to the internet, but I am unable to communicate with the connected networks. The OpenVPN connectivity at each office is using a Ubiquiti EdgeRouter X with the config file imported, and I use my laptop to support the various offices via a software-client OpenVPN connection. When I connect to the OpenVPN server at the main office using my laptop, I am able to ping, use RDP, whatever; I can even use NSLOOKUP from the DC in the main office as the server and get the IP addresses for the systems in the remote offices. Trying to run a tracert from the CLI on the DC server in the main office gives me a first hop that is the LAN address of the Untangle box, but it times out on every other hop. This looks like a route issue to me, but I haven't been able to add a static route in any form that allows me to communicate with the remote networks. Help!
0
Hello,

Our messaging system shows a few unusual user logins from Lkorodu, Lagos in Nigeria.

Is there any good website, or is it possible, to list networks being used by Lkorodu, Lagos instead of the entire Nigeria?

Please advise.
0
Hi, I connected two ASA5505s with a crossover cable to learn site-to-site VPN. I have these configurations for both, but it's just not working; there is no activity on the outside interfaces. I have tested each ASA5505 connected to my home LAN with internet access to make sure the interfaces are working. Thanks!


ASA Version 8.2(5)
!
hostname asa-a
domain-name asa-a.domain
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.1.1.1 255.255.255.0
!
ftp mode passive
dns server-group DefaultDNS
 domain-name asa-a.domain
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.2.2.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn …
0
Hi all,

I need assistance in deploying some config changes on an IKEv2 site-to-site IPsec VPN on a Cisco router. The VPN is currently set up with IPv4 addresses, i.e. the peer IP and identity addresses are IPv4. I have been requested to change the remote IPv4 peer IP for an FQDN, i.e. ipsec.abc.com. Should I just change the remote IP for the FQDN wherever it pops up? Or are there any other changes that need to be made in order to support this change? On my side we will continue to use an IPv4 address.
If you have a template I can follow, that would be awesome.
Thanks and kind regards.
0
Hi

I'm trying to establish an IPsec VPN from my firewall to another vendor at a remote site.

The tunnel is not getting UP. The remote vendor says they allowed UDP ports 500 and 4500.

But I suspect there is some issue at their end with opening the ports above.

1. How do I confirm the UDP ports 500 and 4500 are open? I tried using PortQry and it seems not accurate.
It says the port is open for any port I scan. How do I verify whether port 500 or 4500 is open or closed at their end?

2. Another thing: when the VPN is not getting UP, I want to run some debug on the Cisco ASA.
Last time, when I set up an IPsec tunnel to a FortiGate firewall, based on the debug I could see where it was failing, Phase 1 or Phase 2.
On the Cisco ASA, which debug commands will tell me where it is failing, and how do I see whether traffic is coming in from the remote end or not?

Thanks
0
Hi

Where can I get the IPsec information? Is it in the router or the firewall?
0
Good day guys ,
I have two FortiGates, one in the HQ and the other one in the branch.
In the first stage I have WAN 1 and WAN 2 on both sides (a specified link and ADSL for internet).
After that I made WAN 3 (ADSL also) on the FortiGate of the HQ and I made an IPsec VPN between the two sides.
The problem is that ADSL 1 on WAN 1 and ADSL 2 on WAN 3 on the FortiGate of the HQ don't work when the gateway IP is different, knowing that the two ADSL addresses are in the same range from my ISP.
If the two addresses have the same gateway IP address, it works very well.
Really, I found that peculiar.
FortiGate 60E
Version 5.6.2
0
I have an ASA5510 and I have the management port configured with 192.168.2.1/24. I configured my computer to 192.168.2.6/24 with default gateway 192.168.2.1, and I cannot get into the ASA.


ciscoasa# sh run
: Saved
:
ASA Version 9.1(1)
!
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging console critical
logging monitor critical
logging asdm informational
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-716.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout …
0
I'm having difficulties with setting up a new site-to-site VPN to two other sites. I currently have a site-to-site VPN working from the 128.0 to the 2.0 networks. I have a new site which I'm trying to configure a site-to-site VPN to the other two sites through the VPN wizard, and they aren't connecting. I went through the ASDM site-to-site VPN wizard and it worked for the first one, but it doesn't for the new site to the others. I have included the configs below.

192.168.1.0 NETWORK
:
ASA Version 9.1(6)
!
hostname ciscoasa
enable password OlOxQ1nyrZ49h6MK encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 104.201.x.x 255.255.255.252
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network EMAIL
 host 192.168.1.253
 description Woodchuck
object network Webserver
 host 192.168.1.254
 description ETIMAIN
object network cl
 subnet 192.168.2.0 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
 subnet 192.168.1.0 255.255.255.0
object network SC
 subnet 172.172.128.0 255.255.255.0
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list…
0

Hello;

I am facing an issue where my Cisco ASR 1002-X keeps rebooting itself at random times. When I run show version, I can see the reason for reload is: critical process fault, fman_fp_image, fp_0_0, rc=139

On my syslog server, I keep getting this error: %IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:171 TS:00000041045846946120 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error,

I don't know if that could be the reason for my router reload or if it's an IOS bug; I am running asr1002x-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin.

 
Your help will be highly appreciated.
0
Good morning everyone. Let me describe my environment: I have DA set up on Server 2016, running on 2 servers and load-balanced on a Kemp. NLS servers are on dedicated, clustered servers as well. DirectAccess seems to be running OK, but every day I get a random user calling with the same issue as the others.

Scenario: Users are outside the network connected through DA. Their DA connection will drop and I will get these errors in the event log of the DA server they are connected to (events attached): "An IPsec extended mode negotiation failed. The corresponding main mode security association has been deleted." and "An IPsec main mode negotiation failed." Then DirectAccess will be stuck in the connecting status. The user then simply shuts down and calls it a night. When they come into the office the next morning, they log into the network but their computer's network profile is Public or Private and not ourdomain.local. The only way to fix it is to pull out the DA registry keys and reboot, although this is not a good or safe solution. I have verified the NLS servers are up and accessible. And again, it doesn't happen to everyone, only about 1 out of every 5 users.

What would make the local computers come up on the Public or Private network right at boot-up?

Any help would be GREATLY appreciated!
1.txt
2.txt
0
I am creating a site-to-site IPsec VPN tunnel with a Cisco ASA 5506-X and a 5555. Now, I am keeping the 5506-X firewall in the DMZ. Can I keep the outside interface and inside interface IPs of the 5506-X in the same subnet?
0
We currently use OpenVPN, as well as L2TP over IPsec VPN, on our Linux servers (CentOS 6.x mostly). Both VPN servers are running properly. However, while each of the physical servers has several IPs assigned to it, the VPN is always able to run on one IP address only.

What we need:

A user connects to our server (either via OpenVPN or via L2TP over IPsec VPN), the server picks a random server IP address instead of just one for all users.

Basically, what we need is a server side IP address rotation for the VPN.
0
There is an IPsec tunnel from an SRX240H2 to a Sophos UTM 9.

The tunnel is up most of the time but occasionally goes down. And I wonder if the following could be related to the problem.

When the Sophos appliance sends this (from capture on the SRX):

Frame 10273: 310 bytes on wire (2480 bits), 310 bytes captured (2480 bits)
Juniper Ethernet
Ethernet II, Src: Cisco_xx.xx.xx (30:e4:db:xx.xx.xx), Dst: Netscreen_xx.xx.xx (00:10:db:xx.xx.xx)
Internet Protocol Version 4, Src: 2.2.2.2, Dst: 1.1.1.1
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 284
    Identification: 0xffe2 (65506)
    Flags: 0x02 (Don't Fragment)
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 57
    Protocol: UDP (17)
    Header checksum: 0x15b1 [validation disabled]
    [Header checksum status: Unverified]
    Source: 2.2.2.2
    Destination: 1.1.1.1
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 500, Dst Port: 500
Internet Security Association and Key Management Protocol
    Initiator SPI: 91ee52a313c081d6
    Responder SPI: 0000000000000000
    Next payload:…
0
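Three of the posts above come down to one question: is the IKE peer on UDP 500/4500 actually reachable and answering? The "how do I confirm UDP ports 500 and 4500 are open" post, the ASA pair stuck at MM_WAIT_MSG2 (China, initiator) and MM_WAIT_MSG3 (UK, responder), and the ISAKMP header in the SRX capture all concern the same exchange. A TCP-style port scanner cannot answer it, because UDP has no handshake; PortQry reporting every port as open is exactly that limitation. The only positive proof is an IKE reply. The following is an added example, not code from any of the posts or from any vendor: it builds a minimal IKEv1 main-mode message 1 (one SA proposal, 3DES/SHA1/PSK/group 2, matching the `crypto ikev1 policy` lines posted above), sends it to the peer, and decodes the 28-byte ISAKMP header of whatever comes back. Header and payload layouts follow RFC 2408/2409 and, for port 4500, the four-byte non-ESP marker of RFC 3947. The peer address, the random initiator SPI and the sample bytes in the `__main__` block are assumptions constructed for illustration.

```python
"""Added example (not from any post on this page): probe an IKE peer on UDP 500/4500
and decode the ISAKMP header of the reply.  Layouts follow RFC 2408/2409; the
non-ESP marker on port 4500 follows RFC 3947.  Peer addresses and sample bytes
below are constructed for illustration."""
import os
import socket
import struct

# 28-byte fixed header: iSPI, rSPI, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_SA = 1
EXCH_MAIN_MODE = 2  # "Identity Protection" exchange
EXCH_NAMES = {2: "main mode", 4: "aggressive mode", 5: "informational", 34: "IKEv2 IKE_SA_INIT"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixed to IKE on UDP 4500 so it can share the port with ESP


def _attr(attr_type: int, value: int) -> bytes:
    """Basic (TV) transform attribute: type with the high bit set, then a 16-bit value."""
    return struct.pack("!HH", 0x8000 | attr_type, value)


def build_ikev1_sa_proposal(init_spi: bytes) -> bytes:
    """Main-mode message 1: header + one SA payload holding one proposal with one transform.
    The transform mirrors the ASA 'crypto ikev1 policy' posted above (3DES, SHA1, PSK, group 2)."""
    if len(init_spi) != 8:
        raise ValueError("initiator SPI must be 8 bytes")
    attrs = b"".join([
        _attr(1, 5),       # encryption algorithm: 3DES-CBC
        _attr(2, 2),       # hash algorithm: SHA1
        _attr(3, 1),       # authentication method: pre-shared key
        _attr(4, 2),       # Diffie-Hellman group 2 (modp1024)
        _attr(11, 1),      # life type: seconds
        _attr(12, 28800),  # life duration (small enough for a 16-bit TV attribute)
    ])
    # Transform payload: next(0) reserved length transform#(1) transform-id(1=KEY_IKE) reserved2
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal payload: next(0) reserved length proposal#(1) protocol(1=ISAKMP) spi-size(0) #transforms(1)
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA payload: next(0) reserved length DOI(1=IPsec) situation(1=SIT_IDENTITY_ONLY)
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    hdr = ISAKMP_HDR.pack(init_spi, bytes(8), PAYLOAD_SA, 0x10, EXCH_MAIN_MODE, 0, 0,
                          ISAKMP_HDR.size + len(sa))
    return hdr + sa


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the fixed ISAKMP header (the fields Wireshark lists under
    'Internet Security Association and Key Management Protocol')."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    ispi, rspi, nxt, ver, exch, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    return {
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),      # all zeros until the responder answers message 1
        "next_payload": nxt,
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange": EXCH_NAMES.get(exch, f"type {exch}"),
        "flags": flags,
        "message_id": msgid,
        "length": length,
        "truncated": length > len(data),  # length field claims more than was captured
    }


def probe_ike(peer: str, port: int = 500, timeout: float = 3.0):
    """Send one proposal and return the decoded reply header, or None on silence.
    Any reply carrying our initiator SPI (an SA response, or an informational
    NO-PROPOSAL-CHOSEN) proves the port is open and an IKE daemon is listening;
    silence means filtered, no daemon, or a peer that ignores unknown initiators."""
    init_spi = os.urandom(8)
    pkt = build_ikev1_sa_proposal(init_spi)
    if port == 4500:
        pkt = NON_ESP_MARKER + pkt
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (peer, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if port == 4500 and data.startswith(NON_ESP_MARKER):
        data = data[len(NON_ESP_MARKER):]
    reply = parse_isakmp_header(data)
    return reply if reply["initiator_spi"] == init_spi.hex() else None


if __name__ == "__main__":
    # Constructed sample using the header values from the SRX capture above:
    # initiator SPI 91ee52a313c081d6, responder SPI still zero (message 1 of main mode).
    sample = build_ikev1_sa_proposal(bytes.fromhex("91ee52a313c081d6"))
    print(parse_isakmp_header(sample))
    # Live probe against an assumed peer address; uncomment on a real network.
    # print(probe_ike("203.0.113.10") or "no IKE reply on UDP/500")
```

Run the probe from the initiator's side, against the peer's public address. For the MM_WAIT_MSG2/MM_WAIT_MSG3 symptom above, message 1 evidently reached the responder (it moved to MSG3) but message 2 never arrived back, so a silent probe points at the return path on UDP 500 rather than at the policy itself; a reply with an exchange type of "informational" usually carries a NO-PROPOSAL-CHOSEN notification, which still proves the port is open. The probe is deliberately a single unauthenticated datagram: it reveals nothing about the pre-shared key and never completes a negotiation.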
So I've been tasked with creating an IPsec VPN using a Cisco RV325. I've followed several guides to get this set up and, as it currently stands, I've managed to create the tunnel and connect and authenticate to the VPN successfully using the Shrew Soft VPN Client. However, once connected with either the IPsec VPN or the EasyVPN, I am able to ping the internal address of the router, but unable to ping any other device on the remote LAN. I've made sure firewalls are turned off for testing purposes just to ensure the packets aren't being blocked. I've also tried RDP connections to devices with no joy.

Interestingly, when I tried using the PPTP VPN through the RV325 (using Windows 'connect to a network') I'm able to ping everything and remotely access servers etc.

I've noticed that the RV325 will give you a virtual IP address range (which the VPN client is picking up), although it seems like there's no kind of address translation or routing to the subnet I need to get to. My remote LAN uses 172.16.8.x/24; the virtual addresses use 172.16.9.x/24.

Please let me know if any log files, config files or screenshots of anything would be of any troubleshooting help and I'll get them posted. Any ideas welcome!

Many thanks in advance,
Luke
0
