Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


Hello Expert,

I have an issue with an IPsec configuration on an ASR 1001-X. I use a crypto-map-based implementation, but it's not working. I took a capture on the device facing the ASR and I see no ESP packets coming out of the ASR. I can ping the remote IPsec peer, but nothing else.

Below is the configuration. Do you see anything missing?

ip vrf Ivrf
 description Clear side VRF
!
ip vrf Fvrf
 description Cypher side VRF (front door vrf)
 
crypto keyring Key_test vrf Fvrf
  pre-shared-key address 4.4.4.1 key toto123
 
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 
 
crypto isakmp profile ISAK_TEST
   vrf Ivrf
   keyring Key_test
   self-identity address
   match identity address 4.4.4.1 255.255.255.255 Fvrf
   initiate mode aggressive
   local-address Loopback2
   
crypto ipsec transform-set ESP-NULL esp-null esp-sha-hmac
 mode tunnel
 
crypto map CRYPTO_TEST 1 ipsec-isakmp
 description TEST
 set peer 4.4.4.1
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 28800
 set security-association idle-time 28800
 set transform-set ESP-NULL
 set isakmp-profile ISAK_TEST
 match address CRYPTOACL_TEST
 reverse-route remote-peer 4.4.4.1 static
 
interface Port-channel1.419
 description cypher side interface
 encapsulation dot1Q 419
 ip vrf forwarding Fvrf
 ip address 10.58.10.26 255.255.255.248
 standby version 2
 standby 419 ip 10.58.10.25
 standby 419 …

We have several small networks connected to our corporate office over IPsec tunnels. At our office, we have a Windows 2008 R2 server running NPS, performing RADIUS authentication with the WAPs. Up until now, everything has been running fine. But we connected a new office and we can't get any of our clients working on the WAP at the remote office. We can see the RADIUS authentication request come from the WAP across the VPN and hit the server, and the server responds back to the WAP, but then nothing happens on the requesting client. All other traffic over the VPN comes across without issue.

The difference at this new network is that we're trying a Netgate pfSense firewall instead of our normal SonicWall. The only thing I can come up with is that the pfSense firewall is interfering with the WAP in some form, but so far I haven't found anything that would prevent that.

The WAPs being used (at both old and new locations) are Open-Mesh MR1750v2.

Hello Master.

I have a FortiGate 60D and a Cyberoam, and I have configured an IPsec VPN between them.
The VPN is connected, but I can't access the computers (RDP, ping, web, HTTPS) on the other side.
I tried allowing the connection in the filter rules on both sides, but I still can't access them.
I followed the steps in this link, and still can't access them:

https://kb.cyberoam.com/default.asp?id=1945
 
Any suggestions for my case? A tutorial link, or something I must do?

Thanks very much.

Pros,

This year I have a project to set up Cisco PfR technology to optimize the company's network. The company has 6 offices (A to F) all over the world, which connect to each other by IPSec over GRE tunnels over the internet.

Unlike some traditional PfR scenarios, we don't have a hub-and-spoke deployment. Instead, the 6 offices are fully meshed with each other. Each office has 1-2 VPN routers, and each VPN router is linked to two different ISPs. Any two offices are connected over encrypted point-to-point GRE tunnels.

My question is: am I able to configure PfRv3 based on this point-to-point GRE tunnel deployment, rather than changing the whole infrastructure to DMVPN/multipoint GRE tunnels? Is it supported by some Cisco user guide?

What we want to achieve is to always use the low-latency/low-packet-loss GRE tunnel as the active network connection between two offices/countries. The current network topology is too complicated, so we want to minimize the changes. Configuration samples for one office are as below:

[ Cisco ISR4431 ]

interface Tunnel22
 ip address 192.168.240.77 255.255.255.252
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel protection ipsec profile corporate-ipsec
!
interface Tunnel23
 ip address 192.168.240.101 255.255.255.252
 ip tcp adjust-mss 1300
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
 tunnel protection ipsec profile corporate-ipsec
!
interface GigabitEthernet0/0/0
 ip address x.x.x.x 255.255.255.240
!

I am having issues with 4 sites. Each has 4 IPsec VPN tunnels in between for cross-connection and application access.

But only one application is giving me an issue. The server is on site (A) and site (B), but soon to be (A) only. Two other sites, (C) and (D), are VPNing in to site (A) to access the server.

When you minimize the application (which is working through an RDP connection) and work on something else, once you get back to the application there is a reconnecting issue. It takes about 2-3 minutes to get the application working again.

I've been having some issues with the VPN and I am not a pro with VPN logs. Can anyone help me?

2017-02-01, 08:12:08      VPN Log      [g2gips0] #8461: [Tunnel Established] IPsec SA established {ESP=>0xc7488fd9 < 0xcd1b9f35}
2017-02-01, 08:12:08      VPN Log      [g2gips0] #8454: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xcee3770f) not found (maybe expired)
2017-02-01, 08:15:15      VPN Log      [g2gips0] #8462: [Tunnel Established] sent MR3, ISAKMP SA established
2017-02-01, 08:19:30      VPN Log      [g2gips3] #8463: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0xc8dcbf5b < 0xcc9dcbd1 AH=>0xca3fff03 < 0xc2c1a9a1}
2017-02-01, 08:19:30      VPN Log      [g2gips3] #8456: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xcf402c1f) not found (maybe expired)
2017-02-01, 08:19:30      VPN Log      [g2gips3] #8456: [Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_AH SA(0xc8a48df1) not found (maybe expired)
2017-02-01, …

Current config: ASA-5505, vASA 8.2(5). Serves our 1-15 host network, and has a site-to-site IPsec VPN to a client configured (establishes automatically). Of course, all non-local or internet traffic is sent to the VPN. It has been working great for over a year with no hiccups.
Eth0 is the "outside" interface (security level 0), Eth1-7 are the "inside" interfaces, security level 100. All IPv4, no IPv6.

I'm adding a remote office, and I want the remote office to effectively act as part of the original local office. It will have its own 5505 device and static IP address(es) from our ISP. I plan to use a second site-to-site VPN to connect. The particulars are where I'm a bit lost; Cisco firewall configuration is not my forte. How I envision the remote office behaving is that hosts there will obtain their IP address via the local 5505. The VPN there needs to act pretty much as a NAT bridge. The remote office will still need the same access to our site-to-site client, and also appear as hosts "of" our original local network. They would have their own IPv4 subnet. The default gateway would be the inside IP address of the local 5505.
So it seems easy on the side of the new office, I think.

Now the current local office:
Here are my guesses so far: I have multiple public IPs to use, so set another "unused" current 5505 Ethernet physical port as one of our other public IPs? It appears this is set as a different VLAN? (Eth0 is currently VLAN2, Eth1-7 is VLAN1). Then, create a …

I would like to configure the Hong Kong site's H3C MSR 810 with an IPsec site-to-site VPN to the Singapore pfSense firewall. Please provide the CLI commands (Comware 7) to configure this on the MSR810. The Singapore site has configured their firewall as in the attached configuration HQSG-pfSense.txt, and the Hong Kong configuration file is the attachment H3CMSR810.txt.

pfSense FW
-----------------
HQSG(WAN):321.321.321.321/28
Local LAN:192.168.100.0/24
H3CMSR810.txt
HQSG-pfSense.txt

Dear All,

I need help with the following:

I have three sites, A (core is a Cisco 3560-X), B (core is a Cisco 3560-X) and C... Site C is from an external entity that's connected to site B's 2921 router and only accepts connections, from our side, from a /24 network they gave us…

Sites A and B are connected using two Cisco 2921 routers (each connected directly to the Cisco 3560-X) that use an IPsec tunnel to encapsulate the communication between the internal networks...


Basically I want to reach site C from site A, but I need to NAT A's internal network to the one that C accepts... This network is also declared on site B's 3560-X.

How can I achieve this?

Some more information:

Site A internal network: 192.168.1.0/24
Site C network that they accept: 10.10.10.1/24

I know that this may seem very little information, but please ask and I’ll reply.

Hello,

I have been trying to install Openswan on Ubuntu, but I keep getting the following error:

029 "L2TP-PSK-noNAT": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)

This is my ipsec.conf file

----------------------------------------------------------------------------------------------------
config setup
    dumpdir=/var/run/pluto/
    #in what directory should things started by setup (notably the Pluto daemon) be allowed to dump core?

    nat_traversal=yes
    #whether to accept/offer to support NAT (NAPT, also known as "IP Masquerade") workaround for IPsec

    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    #contains the networks that are allowed as subnet= for the remote client. In other words, the address ranges that may live behind a NAT router through which a client connects.

    protostack=netkey
    #decide which protocol stack is going to be used.

    force_keepalive=yes
    keep_alive=60
    # Send a keep-alive packet every 60 seconds.

conn L2TP-PSK-noNAT
    authby=secret
    #shared secret. Use rsasig for certificates.

    pfs=no
    #Disable pfs

    auto=add
    #the ipsec tunnel should be started and routes created when the ipsec daemon itself starts.

    keyingtries=3
    #Only negotiate a conn. 3 times.

    ikelifetime=8h
    keylife=1h

    ike=aes256-sha1,aes128-sha1,3des-sha1
    …

I had this question after viewing Site-to-Site VPN OpenSWAN in AWS VPC to a Sonicwall.

I now have 7 tunnels from strongSwan set up and connected to my different SonicWall locations. When a tunnel first comes up, traffic passes back and forth as expected. If I come back and check the status of the tunnel several hours later, I find that I can no longer ping or make connections across the tunnel. If I issue an ipsec restart, the traffic immediately begins to come through.

ipsec statusall shows all of the tunnels as ESTABLISHED.

      AWS2SONCIWALL[178]: ESTABLISHED 48 minutes ago, 10.0.40.88[SITE_AWS_PUBLIC]... SITE_SONCIWALL_PUBLIC][SITE_SONICWALL_PUBLIC]]
      AWS2SONCIWALL{564}:  INSTALLED, TUNNEL, reqid 89, ESP in UDP SPIs: ce0c3d37_i 8997eece_o
      AWS2SONCIWALL{564}:   10.0.40.0/24 === 192.168.15.0/24

Hi,

I am having trouble configuring the following IPsec tunnel on a Cisco 857W. This is almost certainly due to my lack of familiarity with the Cisco CLI more than anything else; although I have a good understanding of networking concepts, my familiarity is with other devices.

Although I have managed to get all of these requirements, except the IPsec tunnel, to work on my own (Google :)), I would appreciate a full list of commands to configure from start to finish so I can verify my methods and learn some more.

I am unfortunately not able to provide the current running config, so I am hoping that someone can provide me with a series of commands to configure the following from a factory-reset state. IPs/users/passwords are placeholders.

Please feel free to add any other settings you would advise or feel I have missed, along with a reason!

IPs/users/passwords are dummy placeholders.
General Settings
  • Set admin passwords to password1
  • Set internal LAN address to 192.160.1.0/24
  • Set No DHCP service on LAN
  • Set ADSL interface to DHCP with user name of username@domain.com and password of password1
  • Set ADSL to always stay connected
  • Set DNS to respond on LAN and forward request to ISP DNS servers on 8.8.8.8 and 8.8.4.4 (placeholder ip addresses)
  • Route all internet out from LAN via ADSL service
  • Allow remote access to manage the Cisco from the ADSL service (yes, I understand the risks; it will be disabled in the end)
  • Allow IPSEC tunnel to connect with the following settings:

Replacing a very old Cisco router at my main office with a SonicWall TZ300. We have a VPN between the main office and the remote office. At the remote office we have a Cisco box. When I set up the new SonicWall I have internet access, and I set up the VPN. The VPN comes up, but I am unable to ping or see anything from either end except the internal IP addresses of the SonicWall and the Cisco. I can see both routers from both locations, but I am unable to see anything beyond the routers, either by IP address or name. When the VPN comes up it shows local IP 192.168.1.1 - 192.168.1.254 and remote IP 192.168.3.1 - 192.168.3.254 and the gateway as the WAN IP. These are correct. Recommendations please?

Which firewall device can you guys recommend for effective IDS, gateway, VPN (IPsec, SSL) and IPS? I was told about Cyberoam and ASA. I need objective advice please. Not minding cash really.

Our network has two ISP providers: the first handles MPLS and the second is a site-to-site VPN tunnel (backup). The default gateway of our network is a Layer 3 Cisco SG300 switch. We have routing tables pointing to the MPLS for traffic out/in and it works great. The default route, or "route of last resort" (0.0.0.0/0), is the site-to-site VPN tunnel. This does not work if the MPLS goes down.

Is there another protocol I should be using? We want the failover to be automatic.

I am trying to configure QoS for a site-to-site VPN. I want to dedicate 50% of the bandwidth on the physical interface to VPN traffic, and the remaining bandwidth to internet traffic. The connection to the intranet server is very slow, and the internet link is 10 Mbps.

I have tried a couple of things myself, but it didn't work; perhaps you can just check my configuration and make a few suggestions.

access-list 112 permit ip any 192.168.0.0 0.0.0.255

class-map match-all test-qos
 match access-group 112
policy-map qos-pmap
 class test-qos
  bandwidth percent 50
 class class-default
  shape average 5000000

interface Tunnel0
 ip address 172.16.60.1 255.255.255.252
 qos pre-classify

interface GigabitEthernet0/0
 bandwidth 15000
 service-policy output qos-pmap

I have been trying to connect to our local network through a Firebox firewall for about three days now and cannot get a successful connection. I've tried as many combinations of settings as possible, but I've only gotten this far:

Shrew Soft logs:
config loaded for site 'Traveling (15).vpn'
attached to key daemon ...
peer configured
iskamp proposal configured
esp proposal configured
client configured
local id configured
remote id configured
pre-shared key configured
bringing up tunnel ...
network device configured
tunnel enabled
session terminated by gateway
tunnel disabled
detached from key daemon


The tunnel is enabled for about 3-5 seconds before it is terminated.

Here are the IKE logs from Shrew Soft's debugging service:
16/07/22 14:21:51 ## : IKE Daemon, ver 2.2.2
16/07/22 14:21:51 ## : Copyright 2013 Shrew Soft Inc.
16/07/22 14:21:51 ## : This product linked OpenSSL 1.0.1c 10 May 2012
16/07/22 14:21:51 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
16/07/22 14:21:51 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
16/07/22 14:21:51 ii : rebuilding vnet device list ...
16/07/22 14:21:51 ii : device ROOT\VNET\0000 disabled
16/07/22 14:21:51 ii : network process thread begin ...
16/07/22 14:21:51 ii : ipc server process thread begin ...
16/07/22 14:21:51 ii : pfkey process thread begin ...
16/07/22 14:21:59 ii : ipc client process thread begin ...
16/07/22 14:21:59 <A : peer config add 

We need to construct a GRE VPN tunnel, but our firewall doesn't support the protocol, so we have a Cisco 1900 we've put in place to accomplish this. The customer, however, wishes for the traffic to still traverse the firewall. Effectively we have: Internet <--> (pu.bl.ic.IP):firewall:(pr.iv.at.e.IP) <--> LAN <--> (pr.iv.at.e.IP):router. We've created a 1-to-1 NAT (and firewall rules for IPsec, GRE, UDP 4500, UDP 500) on the firewall to NAT traffic for the router's single interface on the private LAN to a public IP that we'd use as our peer for the VPN tunnel. The concern here is that the router doesn't know anything about the public IP we've reserved for it (at least not at the moment), so when requests to build the tunnel are sent to it and end up at the private (NAT'd) interface of the router, the tunnel still wouldn't build. Just looking for some suggestions... thanks in advance.

I have an ASA 9.6 with 3 L2L VPNs configured. I also have the remote client configured on the firewall. The tunnels seem to be up, and I can see sessions created for the L2L VPNs. The problem is that after connecting and running continuous pings, the packets register drops (request timed out). This has resulted in some servers being inaccessible, as the connection times out when connecting. See the screen captures for the pings.
Capture-ping.PNG

Hi All,

I have a Juniper hub-and-spoke setup for VPNs. I have one VPN in particular that works half the time. Sometimes the IPsec tunnel comes up, but other times you have to tinker with it to get it to work.

The hub is an SRX650 and the spoke is an SRX220. Below you will see the SRX220 shows IPsec Phase 1 up but not Phase 2.

root@detroitXMT% cli
root@detroitXMT> show security ike sa
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
6732129 UP     99c4a7376e8e340d  679777e45739ae5f  Main           63.158.0.122  

{primary:node0}
root@FW01> show security ike sa | match 173.167
2125123 DOWN   ffedd9cadb36c2f1  0000000000000000  Main           173.167.8.241


Attached is the configuration for the VPN on the spoke:
security {
    ike {
        gateway connect-to-Bedford {
            ike-policy daystar-p1-policy;
            address 63.158.0.122;
            local-identity inet 173.167.8.241;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        inactive: traceoptions {
            flag all;
        }
        policy daystar-p2-policy {
            proposal-set standard;
        }
        vpn VPN-to-Bedford {
            bind-interface st0.0;
            ike {
                gateway connect-to-Bedford;
                ipsec-policy daystar-p2-policy;
            }
            establish-tunnels immediately;
        }
    }
}

VPN config for the hub:

{primary:node0}[edit security ike gateway connect-to-detroitXMT]
root@FW01# show
ike-policy daystar-p1-policy;

This past Friday I entered a new work environment where on-site and remote network support had vacated suddenly, leaving a void and many question marks in their place. I'm new to the world of Cisco double NAT, having been hardware-constrained to an old version of ASA at my previous employer; I'm hopefully getting up to speed now. Friday I was asked to look at a long-standing issue with their main financial server not being able to establish external communications with the vendor's remote support software. I quickly saw the cause of the traffic disruption, one of the VPNs recently configured on the device, but I didn't want to make any big changes until I had a better understanding of exactly what was being done with the config.

Here are the good bits...

object network FIN_INTERNAL
 host 10.9.1.15
 description FIN_INTERNAL

access-list OUTSIDE_cryptomap_7 extended permit ip host 10.5.1.225 host 192.50.235.55

object network FIN_INTERNAL
 nat (INSIDE,OUTSIDE) static 10.5.1.225

crypto map OUTSIDE_map 8 match address OUTSIDE_cryptomap_7
crypto map OUTSIDE_map 8 set peer 192.150.110.12

Why would this be the setup of a VPN on a server that has external traffic requirements to multiple non-VPN remote sites?

What is the benefit of this setup? Is there a workaround to keep the VPN setup as-is but restore regular HTTP/HTTPS traffic to the server?
   
-rockfly