Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


Hi, what is the correct way to tell Vyatta the ports on an IPsec tunnel? We have to connect to a host that listens on two ports; is it done with a space? Comma separated?

Example below:

tunnel 11 {
    allow-nat-networks disable
    allow-public-networks disable
    esp-group Our-Group-Their-Group-ESP
    local {
        prefix x.x.x.x/32
    }
    remote {
        port 7007,9005 (separate by comma? Space? Dash?)
        prefix x.x.x.x/32
    }
}


Which one is the correct statement when comparing IKEv2 and IKEv1?

a. IKEv2 is more secure by requiring reauthentication for the IKE SA.
b. IKEv2 is more reliable by requiring all messages to be acknowledged.

Any suggestions?

We are trying to authenticate from a Cisco ASA firewall with our Domain Controller that is hosted in Azure over a site-to-site VPN connection. We have this working fine from the ASA to our on-premises DCs using IPsec VPN.

Azure support have said we should add a rule on the NSG to allow this traffic through (they have tweaked it too) but it does not work. It times out on the firewall console (this is externally managed).

LDAP connection over the site-to-site VPNs to the DC works fine using LDAP.exe and I can bind to it.

We are having loads of trouble configuring a site-to-site VPN with a pair of WatchGuard T35 firewalls.
Neither is configured much outside of the initial setup wizard.
The current site-to-site VPN is stock from the VPN configuration guide from WatchGuard.

We tried a number of different configs, but have currently deleted them to restart fresh.
Also, we are trying to set the connection to initiate from SiteB to SiteA just to limit randomness, but can set bidirectional or SiteA to SiteB as initiator. Doesn't really matter to us.

My theories may be off, so I'll just throw out the logs from each to see what you may think is happening.

Thank you in advance.

Site A
*** WG Diagnostic Report for Gateway "AA-to-TC-Gateway" ***
Created On: Tue Oct 29 09:22:49 2019

	Error Messages for Gateway Endpoint #1(name "AA-to-TC-Gateway")
		        Oct 29 09:22:35 2019 ERROR  0x02030015 Message retry timeout. Check the connection between local and remote gateway endpoints.

[Gateway Summary]
	Gateway "AA-to-TC-Gateway" contains "1" gateway endpoint(s). IKE Version is IKEv1.
	  Gateway Endpoint #1 (name "AA-to-TC-Gateway") Enabled
		Mode: Main
		PFS: Disabled 	AlwaysUp: Disabled
		DPD: Enabled 	Keepalive: Disabled
		Local ID<->Remote ID: {IP_ADDR(A.A.A.A) <-> IP_ADDR(B.B.B.B)}
		Local GW_IP<->Remote GW_IP: {A.A.A.A <-> B.B.B.B}
		Outgoing Interface: eth0 (ifIndex=4)
			linkStatus=0 (0:unknown, 1:down, 2:up)
		Stored user messages:


I have two sites connected by an IPsec VPN. I have conditional forwarders at each site for the other site so I can resolve computer names using the FQDN. I can ping and resolve between the two sites.

At site one, I have about 50 Hyper-V hosts and they all live in Hyper-V Manager on my management PC. These hosts are managing a domain there at site 1.

At site two, I have about 25 hosts and they live in Hyper-V Manager on my management PC at site 2. The hosts in site 2 are not on a domain. The hosts are standalone.

Thinking myself clever, I decided to add the hosts from site 2 to the site 1 Hyper-V Manager. It's not working, even when I try "manage as", so I was wondering if it's even doable... adding workgroup-based servers to a Hyper-V Manager that manages hosts on a domain.

I was thinking that they are just Hyper-V hosts and they should add just fine, but I'm not finding that to be the case.

It's not working.

Oh yeah, site 1 hosts are all 2012 R2 and site 2 hosts are all 2016. I'm adding to Windows 10 Enterprise machines. On the MS site, they say that should work.

I am using the WARP app on iPhone. I just got this message; does any expert know what it means? Help please.

Warp message
I wanted to test and eventually use our router's (PepLink Balance One) built-in VPN server to access resources on the network for users.
After setting up the VPN server (in the router the feature is called Remote User Access) I chose L2TP with IPsec.
On the client side I used the Windows 10 built-in VPN Connection option and after a few tweaks I succeeded in connecting to the server from an outside network.
The problem is that I could only connect to one share, using the file server's internal IP address 192.168.0.x. I cannot access (or ping) anything by the NetBIOS name.
Next step, I changed the protocol to PPTP on the server and managed to connect with the client; however, I am still not able to access resources, except by IP address \\<Internal IP address>\Share.
Just as a side note, we don't have a domain, just peer to peer.

We have a site to site VPN tunnel which has been performing well for 4 years.  We are seeing increased traffic this week and are seeing select devices unable to reliably access the tunnel for periods of several minutes to several hours while other devices are able to connect across the tunnel.

The VPN tunnel is used to access a terminal server in a remote site using handheld computers running Windows CE. We typically have 12 devices deployed. Currently we have 18 devices deployed for a 2-week project.

We are seeing that during peak times (more users connected to the RDP server) select devices will be unable to connect. Pings from the affected device will range from 100% loss to 0%. The ping failure rate fluctuates. Users may sometimes connect to the RDP server for a few minutes before being disconnected again.

This problem seems to last between 10 and 120 minutes.

I have taken packet captures at the ASA and see that both ICMP and RDP packets are arriving on the inside interface; the portable computer having the problem is transmitting correctly.

My problem is how do I ensure the ASA is encapsulating these packets and sending them out the Outside interface reliably. I have taken packet captures on the outside interface but do not know of a way to match these encapsulated packets up to those originating from the problem computer.

I have reviewed: show crypto ipsec sa

 #pkts encaps: 9228711, #pkts encrypt: 9228711, #pkts digest: 9228711


I've just bought a DrayTek Vigor2620Ln (ADSL/VDSL router/firewall with backup WAN port and 4G LTE modem built in, UK version).

I want to be able to create a site-to-site (or LAN-to-LAN in DrayTek's terminology) VPN via an IPsec tunnel to a Netgear ProSafe firewall I have running at another site. Simultaneously I want to be able to access an L2TP VPN server running on Windows 2012 RRAS (behind the DrayTek at the primary site), via passthrough when I'm out and about.

Having created the site-to-site VPN with a few issues along the way, I have got it working. I have also got the L2TP VPN passthrough working so I can connect from my Windows laptop when away from the main network. HOWEVER, it seems impossible to get both working at the same time. For the site-to-site to work, I have to tick 'Enable IPSec VPN Service' under the Remote Access Control settings on the DrayTek. But once I do this, passthrough of the L2TP Windows VPN fails. If I untick it, it is the other way around, with the site-to-site failing and the L2TP passthrough working.

I suspect someone out there will confirm DrayTek routers simply cannot both have a site to site and L2TP passthrough connection connected simultaneously (I momentarily achieved it once, on initial bootup). I appreciate both VPN types use IPSec, however every single Netgear and Linksys router I've owned and used to date has been able to do both simultaneously with zero problems. I'm hopeful I'm missing something, but fear I'm not and the …
Hi, both on the same ASA firewall - remote access VPN already in place.

Can I also add a site-to-site VPN? Thanks

I have 13 IPsec VPNs that are set up and working on a VMware NSX Edge. The remote sites are all Sophos XG Firewalls. They used to connect to a Sophos firewall. In the earlier scenario, there was a VPN-to-VPN rule that joined all the Sophos IPsec connections together in a hub-and-spoke network design. One could see devices between Atlanta and Orlando, for example.

Now I have them all connected successfully to the VMware NSX Edge firewall. I have 2 rules for each location on the NSX. For example, NSX to Atlanta and the reciprocal Atlanta to NSX.

I'd like for traffic to be seen from one location, like Atlanta, through the NSX Edge to Orlando.
On each Sophos connection to the Edge, I've added the remote networks I'd like to add to the Edge connection.
In the previous all-Sophos configuration, at the "hub" Sophos, a rule of VPN to VPN was in place to make this happen.
But I think I'm missing something on the NSX Edge to allow Atlanta to "see" Orlando.

I have added reciprocal rules of Atlanta to Orlando and vice versa on the NSX but that is not working.

We have an IPsec VPN between two ASAs. The VPN works fine, but it loses connection many times a day; the underlying network looks fine.

When we check the log we find this message:
%ASA-session-7-710006: ESP request discarded from X TO Y
(you can check all the logs in the attached file)

Can you tell me what exactly this message means and how the problem can be fixed?

Hi Expert,

Good day.

I am having an issue exporting the IPsec certificate; I have tried to follow the following steps:

# pk12util -o <certoutputname>.pfx -n <name of certificate to be extracted> -d sql:/etc/ipsec.d
Enter password for PKCS12 file:
Re-enter password:

Question referring to the above: where can I find "<certoutputname>.pfx" and "<name of certificate to be extracted>"?

Many thanks

In a conversation at a get-together last night, it was stated that if an outside person illegally connects to one's internet cable line (that is, cuts and attaches to the main line that connects to one's home), they will be able to see everything one navigates to. I understand that it doesn't work like that; by connecting to one's Wi-Fi they can spy on one, etc. But the person said a bunch of tech words so I wanted to know what EE has to say. Can a person, by connecting to one's cable line, have access to one's web access and see all?

Thank you.

I really dislike the JSON way to handle multiple public IPs on the USG. The EdgeRouter is much friendlier to use with multiple IPs, but the USG has more security features I'm into for my clients. What is the best way to set up an IPsec site-to-site from outside to reach any of the USGPRO LAN# spaces when it sits behind another router (ER6P)?

Site1 ---> ER6P (Internet) eth0 --- eth1 ----> USGPRO WAN --- LAN1
Site2 ---> ER6P (Internet) eth0 --- eth1 ----> USGPRO WAN --- LAN1

Currently I'm seeing the USGPRO WAN ( or when sourcing on either end of the tunnel instead of the real IP from their LAN#. That's not good when needing to restrict IPs with multiple IPsec tunnels.

Dear Wizards, we are testing the VPN connection (L2TP/IPsec) from a client Win10 PC to a VPN server (Synology). These are the settings:

We tried to connect but could not; can you help?

Hi, I am seeking help with connecting to an IPsec VPN.
My VPN was working until I upgraded my MacBook to High Sierra 10.13.14.
Now when I try to VPN I get this error: "An unexpected error occurred. Try reconnecting; if the problem continues, verify the settings and contact your administrator."
I checked the ppp.log and the last date was May 8th with an error: IPSec connection failed <IKE Error 65535 (0xFFFF) Unknown error>

Nothing really is showing up in system.log when I try to connect to the VPN.

I have other MacBooks in my environment and they can connect via VPN; I reset the PRAM and tried testing in verbose mode but still the same result.

Any help would be greatly appreciated.

I have a FortiGate 80D firewall with FortiOS version 6.2.0, lately upgraded. The user remote access was configured using IPsec VPN and handled by FortiClient. In previous versions, it was working without any problem. But now, users can connect but can no longer access network resources.
The only thing that was performed was enabling IPv4 Split Tunnel.
I wonder what I can do to re-establish a correct connection using FortiClient.
Thanks for help.

I have a simple setup... I have enabled the DrayTek L2TP with IPsec VPN, which works fine.

I have a server on site which I access using \\IP-MAINSERVER.
The issue is that when I am off site and I VPN in, I can't access the server using \\IP-MAINSERVER; I have to use the IP address.

Why is this?


I would like to know your opinion on the following questions:
1) What are the cons of the CVSS scoring system compared to many other systems?
2) Where did you hit limits while working with the CVSS scoring system?
3) What must be considered in which scenarios?

Thanks a lot for your feedback.

Hi guys,

We have recently set up a 3-way VPN: one HQ and 2 branches. 2 sites are configured with NBN and Fibre 400. One site is with ADSL2+. The IPsec VPN between the NBN site and the Fibre 400 site is working fine. But the ADSL2+ site is showing that the VPN is configured and online but is not able to ping any IP either way. Any idea why?

In an ISR at a client, they have a Cisco ISR with a VPN tunnel to a business partner. What I'm wondering is why they might have two peers in sequence number 10 and one peer (which also appears in sequence 10) in the second sequence number. The original setter-upper is long gone. Is SEQ 10 saying try to connect to but if you can't, connect to If that's the case, why would there be a need for a SEQ 20 which then again references Any thoughts on what the original intent was are appreciated. I would think you'd just want one peer in sequence 10 and then one peer in sequence 20?

crypto map ACMEDYNO 10 ipsec-isakmp
 set peer
 set peer
 set transform-set ACMEDYNO
 set pfs group2
 match address CRYPTO-ACMEDYNO-LA
crypto map ACMEDYNO 20 ipsec-isakmp
 set peer
 set transform-set ACMEDYNO
 set pfs group2
 match address CRYPTO-ACMEDYNO-DL


I have 2 Cisco routers which I am having problems VPNing between.

RV340W, firmware
IPSec Profiles
keying mode auto
IKE version 1

Phase 1
DH Group 2 - 1024 bit
Encryption 3DES
Auth SHA1
SA lifetime 28800

Phase 2
Protocol Selection ESP
Encryption 3DES
Auth SHA1
SA Lifetime 28800
PFS enabled
DH Group 2 - 1024 bit

Site to Site
IPSec Profile - points to above settings
int WAN1
Remote endpoint Static IP
remote IP entered

Remote IKE Auth Method
Pre-shared key, complexity disabled, 14-digit key entered

Local Group Setup
Local Identifier type - Local WAN IP
Local ID - Local IP Address
Local IP Type - Subnet
IP address - *.*.*.0 (local subnet)
Subnet mask -

Remote Group Setup
Remote ID Type - Remote WAN IP
Remote ID - remote IP address
Remote IP Type - subnet
IP Address - *.*.*.0 (remote subnet IP)
subnet mask

2nd router

Cisco RV180W

IKE Policy
Direction/type - both
exchange mode - main

ID Type - Local WAN IP

ID Type - Remote WAN IP

IKE SA Parameters
Encryption algorithm 3DES
Auth Algorithm SHA1
Auth method Pre-Shared Key
Pre-shared key entered
DH Group 2 1024 bit
SA Lifetime 28800
Dead Peer Detection enabled
detection period 10
reconnect after 3

Extended auth

VPN Policy

Policy type - auto
remote endpoint - IP address
remote IP entered
NetBIOS enabled

Local Traffic selection
local IP subnet
start address - …

In an environment in which two Smoothwalls are deployed, they are connected through an IPsec tunnel and all ports are open. One separate Windows domain is deployed behind each Smoothwall, for a total of 2 domains. A domain trust has been established between the two domains and they say they are functioning fine, but users can't log into their AD accounts if they are behind the Smoothwall of the second domain. Functional level is Windows Server 2003, it says, and these are Windows Server 2008 R2 domain controllers. Does this trust need to be re-established and the functional level raised?

Relationship between OWIN and OATH?

How do they relate?
