[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x

Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

Share tech news, updates, or what's on your mind.

Sign up to Post

Hello EE,

Our VPN firewall prevents ipV6 (blocks) so our Visual Studio debugger is failing to connect.
I wonder if anyone knows of a way in Visual Studio to turn off ipV6 and only use IPv4.
0
Concerto Cloud for Software Providers & ISVs
LVL 5
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Does anyone know why the IPSec tunnel would show one way encapsulation? This is typically a routing issue but I checked the routing table and the remote network is there and it is send to the tunnel interface.

I am attaching the screenshot.

TIA,
LN
0
Hi friends,

I'm getting very worried because a few days ago I've been posting the same doubt and editing the text to make it clearer, but I have no response from the Experts Exchange or any other Expert (there's a lot of good ones here)... I've been a Experts Exchange subscriber for over 5 years now... and never before have I been without the help of the experts ... I do not understand why it was left in oblivion.

Well... lets get to the point...

Please, I need to connect a strongswan VPN (my side) with another VPN software (other side) but the admin from "the other side doesn't provides enough info... so I'm trying to figure out and troubleshoot this with trial and error... already for many days and a lot of migraines...

They (the other side) provide me a PSK (OK)... already configured in ipsec.secrets and they also gave me the following instructions:  

1st Phase (IKE V2)                                          
DH 2 = 1024 bits                                           
SHA-256                                          
AES-256                                          
Lifetime = 1440m                                           
                                          
2nd Phase (ESP)                                          
PFS - DH 2 - 1024 bits                                          
SHA-256                                          
AES-256                                          
Lifetime = 3600s

My question is (please): how do I configure this specific connection? especially the parameters ike and esp; anything else is needed in the configuration example below?

conn myside-otherside
      keyingtries=%forever
        keyexchange=ikev2
        compress=no
        authby=secret
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        ike=???
        …
0
I have several colleagues complaining that when they are on VPN - when they download something - the download stop in around 75mb.  It then gives a network error.  Users can resume the download - but again causing issues.

Is there a setting in Dell Sonicwall restricting this?

Pretty sure there is no GPO setup
0
I recently upgraded from a 5505 to a 5508 and due to the new IOS, part of my configuration no longer works. We deal with a 3rd party vendor that requires VPN traffic to come from a specific subnet. So I setup a policy NAT to mask our private IP. Here are both configurations. I am certain I missed something. Thoughts?

ASA Version 8.2(1)

access-list inside_nat2_outbound extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list inside_nat2_outbound extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.57.1.0 255.255.255.0 x.x.x.x 255.255.252.0
access-list outside_7_cryptomap extended permit ip 10.224.166.112 255.255.255.240 x.x.x.x 255.255.252.0
access-list inside_nat10_outbound extended permit ip any any

global (outside) 2 10.224.166.112
global (outside) 10 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 2 access-list inside_nat2_outbound
nat (inside) 10 access-list inside_nat10_outbound

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 7 match address outside_7_cryptomap
crypto map outside_map 7 set peer X.X.X.X
crypto map outside_map 7 set transform-set ESP-AES-128-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group …
0
This applies to TLS as well ass IPSec.

The purpose of the Diffie Hellman key exchange is to agree on a shared secret without sending it on the wire. I have always believed that every DH-session is unique with random large primes. Is DH using the same numbers every time when conneting to the same peer/device/server?

The reason for my question is that I read that PFS (Perfect Forward Secrecy) is being used on top of DH to make sure that the key is unique for every session.

Why PFS when we have DH? Does not compute. :)
0
If I configure sonic wall tz300 to get WAN ip from Comcast GW DHCP, will I still be able to configure the VPN for remote access?   I am mulling several different topologies, and if this could work this seems like the easiest way.
0
I have a load balancer with a public VIP. The partner can only get the site if they ignore that they perceive the site as unsafe.
I’m fairly the certain my very is valid because other VIPs use it. What are some reasons a client might not trust the cert? Brain storming question.
0
My issue is we set some cookies, using JS, with a 1 year expiration and that particular cookie didn't have the secure flag set. We now want to update the cookies to have the secure flag set. The code that creates the cookies now has the "secure" attribute and all new cookies have the "secure" flag. The issue is how do I update existing cookies? I'm assuming I have to destroy the cookie and then recreate it with the secure flag set? I don't know if there is any other way to do this? Also is there a way using JavaScript to detect if the cookie does have the flag set before deleting it?

Thanks!
0
We have ten gigabit interfaces. How much tunneled traffic would the device be able to push?
0
[Webinar] Cloud and Mobile-First Strategy
LVL 11
[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Visited a client site and ran various ‘my ip address’ site to determine what is the External IP address the provider assigned.  Noticed that each device resulted a different value.  For example their phone and their tablet gave different values where that last segment changed (xxx.xxx.xxx.19 and xxx.xxx.xxx.20), yet when we ran myipaddress in our device gave a whole different value in all segments.

We understand that the internet provider assign the cable modem or location a single dynamic external ip.  The location router managed a total different internal ip sequence values and assigns it to each device connecting to the wifi or router within the location.  Thus the cable modem has 1 IP address and the devices within the location has different ip address.

Why would the “my IP address” website display different IP address in all devices connected to the same wifi?
0
My son's computer keeps having internet connection issues.

-Is playing on a minecract server / minecraft client

Sometimes these apps are also open
-Twitch
-Discord

He is playing on a minecraft server.  and begins to experience lag more and more frequently before the crash.
Is there any way to track down the culprit?  We could assume that it is not enough RAM and go buy more RAM and the problem happens again and we are no better off.

I am looking for a way to gather information that can help tells us what thing( s ) is causing the problem(  s  )

sys info 2systxt.txt
0
hi everyone,

I have facing problems to configuration my domain. users internet permission I have used hosts files but not enough for me what is suitable thing for configuration of URLs

what about firewalls what is the best firewall for filtering the URLs ...


looking forward for reply urgent..


thanks
Asad
IT student
0
Hello
We have an IPSec VPN solution for a small number of sites.  Our users remote into two of the sites via IPSec VPN too.
We are going to move supplier and looking at moving from IPSec to MPLS.  We will look to migrate to AWS and/or move CRM out to other providers.  We also will moving from our on prem phone system to a cloud solution.
Has anyone got any recomendation around security, perfornance, limitation etc of each?
Thanks
0
Is there a way to find out who owns a domain even if they have domain Privacy added to their site?
0
VPN literally just stopped working for all of our users. No changes that I am aware of. Simple MS VPN connection to a VPN server.

Server side error:
 VPN2-112: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.
PC/Workstation off Network connection error:
Error 619: A connection to the remote computer could not be established, so the port for this connection was closed.

Server-side:
Windows firewall and anything that could be blocking is off. I see the users hit the network via Firepower but then the "Error 619".
If I truly need to provide them with a workstation cert, how do I go about doing this and efficiently for several people.

TIA
0
Hi All,

Im running an ASR 1000 with version XE 3.13.01.S (15.4(3)S1). Does it support SHA256 and AES256 for ikev1? I know it does for ikev2 but I am not sure about ikev1 both phase 1 and phase 2.
Here is what I found on a cisco website: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html

"Support for the NGE control plane (ECDH and ECDSA) has been introduced with Version XE3.7 (15.2(4)S). Initial control plane SHA-2 support was for IKEv2 only, with IKEv1 support added in Version XE3.10 (15.3(3)S). AES-GCM-128 and AES-GCM-256 encryption algorithms have been supported for IKEv2 control plane protection since Version XE3.12 (15.4(2)S) and 15.4(2)T. NGE dataplane support was added in Version XE3.8 (15.3(1)S) for Octeon based platforms only (ASR1001-X, ASR1002-X, ESP-100, and ESP-200); dataplane support is not available for other ASR platforms."

Whats the difference between data plane support vs control plane support?

Thanks and kind regards.
0
Very strange, this morning when I turned on the computer I got a message that Malwarebytes (I have Pro version) has been turned off. When I turned it on, the option "Protection against malicious code" was switched off, and I can not switch it on! All other options are selectable and can be switched on, but not this option.

Last time I was in Manila I had similar problems with strange things happening. Then when I left the problems disappeared. And most often here in Manila I get warnings when connecting to the hotel wifi about insecure network or dangerous connection.

All kinds of small problems since 2 days when suddenly I got this problem with the message "Waiting for proxy tunnel" in Google Chrome and "TLS handshake" in Mozilla Firefox:

https://www.experts-exchange.com/questions/29058931/How-should-I-get-rid-of-the-message-Waiting-for-Proxy-Tunnel-in-Google-Chrome.html

Other problems: Can not use Google API any longer for connection to Google Translate API for my CAT tool. Can not switch input language any longer. Can not run Windows Update any longer:

https://www.experts-exchange.com/questions/29058918/Why-do-I-get-Windows-could-not-search-for-new-updates-in-my-Windows-7-Home-when-checking-for-updates.html

Other problems (continued):

Takes ages to save a text document or other document ("Not responding").
"Google has authentication problems" when logged in to Gmail.

Etc. etc. (new issues coming up all the time).
0
After I've configured the device I can't get out to internet via any of the pcs.  I can access the 5505 from and outside computer and can configure it via the ASDM so I'm not sure what the problem is.  Can someone verify my config below?

ASA Version 8.3(1)
!
hostname ciscoasa
enable password OlOxQ1nyrZ49h6MK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object network SCETI
 subnet 172.172.128.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object SCETI
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host 192.168.2.100 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source …
0
Free Tool: ZipGrep
LVL 11
Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

I need to look at a website. It is not a pentest itself. Just a vulnerability scan. What tools could I use to generate a complete report?
I also need to generate a less technical report.
0
I need a web service to remain secret and would use CloudFare or a similar technology to prevent DDoS attacks. Aside from DDoS, what other types of attacks are possible?

I assume my web service domain would be totally hidden, but need to be sure there is no other known threat to it.

Thanks
0
What options are there to protect a web service from a DOS attack?

IF the web service were accessed only by my Objective-C iPhone application, and nowhere else, is this web service protected by the "security through obscurity" model? Or, can hackers crack open the source code of the iPhone app, like Apple can?

What about if I put the URL to the web service into the SQLite database and encrypted the Path?

So, when my app needs to request information from the web service, it does a DB lookup in the SQLite database for the path to the web service. When it gets it, it decrypts it. Then, using a variable (in memory) only, it makes the web service call.

Does this protect from a DOS attack to that web service call?

Are there easier ways?

Will this work on Java for the Android?

What about on my website?

Thanks.
0
It seems Sky have changed their email servers to Yahoo and with it, changed the security settings. Until the other day all was working OK but then email stopped arriving. Sky deny all knowledge but from a conversation I had with their support team about another client I've been working with, and research I've done on the Internet it seems that the Sky incoming email servers have changed.
For IMAP it was imap.tools.sky.com and is now imap.mail.yahoo.com
For POP it was pop.tools.sky.com and is now pop.mail.yahoo.com

My client is using POP mail with Outlook 2010 so I have changed the server to pop.mail.yahoo.com and set port 995 and SSL=Yes but it still won't connect. Outgoing email is OK using the same username and password as incoming so that verifies the credentials. (I can also login to sky.com using the credentials).

Is there something I've missed?
0
Can loved one's or family members see my credit report if I put a security freeze on it?
0
Hi Sir,

Would like to ask for your help about the problem listed below,

[Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xccb797a8) not found (maybe expired)

Hoping that you can help me resolve this matter.


Thank you in advance.
0

Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.

Top Experts In
Internet Protocol Security
<
Monthly
>