Questions tagged [ipsec]
IPsec (Internet Protocol Security) is a protocol for securing IP communications by authenticating and encrypting each IP packet of a communication session.
1,037 questions
Built-in IKEv2 and PSK on Windows Server
0 votes · 0 answers · 7 views
I tried to use the built-in VPN type IKEv2 + PSK on Windows Server 2019.
So:
Fill in the PSK in "Allow custom IPsec policy for L2TP/IKEv2 connection" (rrasmgmt.msc)
Firewall ports are opened ...
How do I apply src-nat to the traffic coming from IPsec?
0 votes · 0 answers · 49 views
I am using a strongSwan to MikroTik IKEv2 tunnel. I wonder if it is possible to source-NAT what is coming from the IPsec tunnel on MikroTik's side?
The problem is that I have a host in my local network ...
Can I set up IPsec tunnels between three branches?
0 votes · 0 answers · 21 views
I want to set up IPsec tunnels to connect three branches. In total, there should be three connections:
HQ-BR
BR-DC
DC-HQ
I wanted to do this on the Linux operating system using strongSwan tools, but ...
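As an added example (not part of the question above), this is what one gateway of such a three-site full mesh looks like in strongSwan's ipsec.conf: every gateway carries two conn sections, one per peer, and the three files are mirror images of each other. All addresses, subnets and identities below are assumed placeholders; the proposals are left at strongSwan's defaults.

```conf
# ipsec.conf on the HQ gateway (added example, not from the question).
# BR and DC get the same file with left/right swapped; each site has two conns.
config setup
    uniqueids=yes

conn %default
    keyexchange=ikev2
    authby=secret              # PSK per peer pair; prefer certificates beyond a lab
    ikelifetime=24h
    lifetime=8h
    dpdaction=restart          # dead peer detection so a dropped link re-establishes
    dpddelay=30s
    auto=start
    left=203.0.113.1           # HQ public IP (assumed, TEST-NET-3)
    leftid=@hq.example.com     # "@" means a plain FQDN identity, never resolved via DNS
    leftsubnet=10.1.0.0/24     # HQ LAN (assumed)

conn hq-to-br
    right=198.51.100.2         # BR public IP (assumed)
    rightid=@br.example.com
    rightsubnet=10.2.0.0/24    # BR LAN (assumed)

conn hq-to-dc
    right=192.0.2.3            # DC public IP (assumed)
    rightid=@dc.example.com
    rightsubnet=10.3.0.0/24    # DC LAN (assumed)
```

ipsec.secrets on each gateway carries one line per peer pair, for example `@hq.example.com @br.example.com : PSK "..."`, with a different secret for each of the three links. Each gateway also needs IP forwarding enabled (`net.ipv4.ip_forward=1`) and non-overlapping LAN subnets; because all three links exist, no site ever has to transit traffic for another, which is the point of the mesh over a hub-and-spoke layout.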
Strongswan ipsec w/o LAN interface: tunnel up, but no routing
0 votes · 1 answer · 51 views
I need some help in setting up an IPsec site-to-site VPN with strongSwan.
The other side insists on a site-to-site VPN, but on my side I have only a KVM-hosted server with a public internet IP interface, so ...
IPsec not started on pinging another host
0 votes · 0 answers · 32 views
I have configured IPsec on my Linux client using strongSwan; for both remote_addrs and local_addrs I have used %any.
When I start the charon-systemd daemon and then use swanctl --load-all, the out ...
IPsec configuration and usage on networks with overlapping network addresses
0 votes · 0 answers · 39 views
I use a different SSL VPN client to connect to remote customers. I would prefer to connect directly to the remote devices via SSH and/or monitor the same ones via SNMP.
The problem is that although each ...
Site-to-site IPsec between strongSwan and Zyxel USG100
1 vote · 0 answers · 19 views
We bought a USG Flex 100 for our office and added it to Nebula.
Now we need to set up a site-to-site tunnel to our datacenter. On the Nebula site we have network 10.5.1.0/24 and in the datacenter we ...
Firewall inbound rules for UDP 500 under Windows Server
0 votes · 1 answer · 73 views
With the Windows Server firewall, I cannot find the inbound rule to open/block UDP port 500 (I want to handle IKEv2).
I can get the rules for SSTP, L2TP, PPTP, but not for IPsec!?
Thanks
Resolve failing for %any in strongSwan IPsec
0 votes · 1 answer · 312 views
I was configuring IPsec between 2 Linux boxes.
Since the IP of our product can be different when connected to different spaces, I used %any for right.
Since then, I am not able to bring up my IPsec transport ...
How can I set separate phase 1 and phase 2 IPs using the AWS managed IPsec offering?
0 votes · 0 answers · 41 views
I'm trying to set up an AWS Site-to-Site VPN connection that is IPsec based. It seems to be their managed offering. A particular connection I am trying to set up specifies distinct Phase 1 and Phase 2 ...
Accessing adjacent remote network from existing network tunnel in pfSense IPsec
0 votes · 0 answers · 16 views
We have two offices, A and B, with IP segments 192.168.10.0/24 and 192.168.20.0/24 respectively, connected to each other using IPsec tunnel mode.
Additionally, office B has an IPsec tunnel mode ...
Unable to ping other subnet through IPsec tunnel
0 votes · 1 answer · 259 views
I'm configuring an S2S IPsec VPN tunnel between two FortiGate firewalls.
The tunnel is up and running. Network topology:
When I ping from the LAN interface, which is directly connected to the ...
Routing with IPsec tunnel
0 votes · 2 answers · 119 views
We are trying to determine how to route traffic from our office 1 worker subnet through the office 1 server subnet over the IPsec tunnel to our office 2 server subnet.
We want the office 2 worker ...
Spread IPsec decryption over multiple CPUs
3 votes · 0 answers · 100 views
All IPsec traffic being decrypted is processed on a single CPU, despite having multiple IPsec tunnels (SAs). How can I get the load shared across multiple CPUs?
I'm running strongSwan IPsec on Ubuntu ...
strongSwan IPsec site-to-site on Gcloud
1 vote · 1 answer · 123 views
I am trying to initialise an IPsec tunnel between an Ubuntu VM on Google Cloud and a remote site.
The connection is correctly established, but from the Ubuntu machine on Google Cloud I cannot reach a ...
Change IPsec IKEv2 VPN default ports 500 & 4500 to others
0 votes · 0 answers · 142 views
For some reason OpenVPN is working on my local machine very well, but IPsec IKEv2 VPN is not, and it only works when OpenVPN is connected.
I have a domain for the IPsec IKEv2 VPN & in the local machine the VPN is ...
Windows 11 RDP over IPsec issue
0 votes · 0 answers · 163 views
We manage a limited number of servers (running different versions of Windows Server) from a limited number of remote clients (running Windows 10) using RDP connections over IPsec (in "transport ...
The IPsec connection has been successfully established. I can only ping the remote endpoint, but cannot ping the entire subnet
0 votes · 0 answers · 30 views
server A:
config setup
    charondebug="all"
    uniqueids=yes
conn home-to-aliyun
    ikelifetime=36000s
    keylife=8h
    rekeymargin=3m
    ...
IPsec tunnel gets connected, Phase 2 is successful but no IP adapter is created, thus tunnel does not work
0 votes · 1 answer · 153 views
I am trying to establish an IPsec tunnel between my virtual server and a customer's server. The IPsec tunnel gets established successfully in Phase 2, but no IP gets added to my system.
This is the ...
Draytek VPN stuck on Authentica IKEv2 EAP
-1 votes · 1 answer · 275 views
I've set up the following configurations on my DrayTek Vigor 2926:
IPsec general setup
and the remote dial-in user:
remote dial-in user
I get the following error: unknown error
Status in Smartclient: ...
How can I update encryption and Diffie-Hellman groups for VPN in GCP?
0 votes · 0 answers · 32 views
So, I've got a VPN set up at the moment that's connected to the client's VPN and it's all good. Now, the client wants to tweak the encryption method to AES256 and the Diffie-Hellman group to 19.
Is it ...
AWS strongSwan IPsec tunnel with Cisco fails during Phase 2 with TS_UNACCEPTABLE
0 votes · 0 answers · 416 views
I need to set up a site-to-site IPsec tunnel with a vendor; we need to access each other's API servers sitting on the LANs using their respective public IPs. We're using AWS, and I have ...
Sometimes the VPN connection doesn't work on IPsec (strongSwan) configuration
0 votes · 0 answers · 88 views
I'm using IPsec with strongSwan between AWS and on-premise.
Here is the strongSwan configuration:
config setup
    uniqueids = no
    charondebug="ike 1, knl 1, cfg 0"
conn %default
    ikelifetime=...
Android .sswan profile to ipsec.conf
0 votes · 1 answer · 157 views
I have a .sswan profile with an embedded cert and username/password from a server admin. It connects to a WatchGuard VPN without any issues. I was told by the server admin I can connect with my Ubuntu ...
How to set up an IPsec VPN with failover on Linux without a virtual IP?
0 votes · 1 answer · 189 views
I need to set up a VPN connection using IPsec between a client system and our Linux server. There shall be a fallback in case of failure of the VPN endpoint, i.e. some sort of automatic failover.
From ...
strongSwan site-to-site with FortiGate issue, seems to be something about phase 2
0 votes · 0 answers · 203 views
Hello all, sorry to bother you guys. I have already spent 3 days on it and still cannot make it work. Could you take a look? Thank you in advance <3.
FortiGate info:
Public IP: 41.223.XX.XX
Internal ...
What is the proposal string for aes-gcm256, Diffie-Hellman group 20, ESP?
2 votes · 1 answer · 162 views
As a developer tasked with connecting to a VPN without preconfigured profile scripts, I'm fumbling through setting up a strongSwan ipsec.conf file. My current hurdle is an "invalid proposal ...
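An added example, not from this post or the GCP post above (AES256 with DH group 19), which it also serves: strongSwan's proposal syntax names Diffie-Hellman groups by keyword rather than by IANA number, so group 20 is ecp384 and group 19 is ecp256. An AEAD cipher such as AES-GCM authenticates the payload itself, so no integrity algorithm is listed for ESP, but an IKE proposal built on GCM must name its PRF explicitly because there is no integrity algorithm to derive it from. The peer addresses and subnets are assumed placeholders.

```conf
# ipsec.conf fragment (added example; addresses and subnets are assumed placeholders)
conn vendor
    keyexchange=ikev2
    # IKE (phase 1): AES-256-GCM with a 16-byte ICV, explicit PRF, DH group 20 (ecp384).
    # With an AEAD cipher strongSwan needs the PRF spelled out; the trailing "!" makes
    # the proposal strict, so nothing weaker is accepted as a fallback.
    ike=aes256gcm16-prfsha384-ecp384!
    # ESP (phase 2): AES-256-GCM, no separate integrity algorithm, PFS with group 20.
    esp=aes256gcm16-ecp384!
    # Equivalent for a peer that asks for AES-256-CBC + SHA-256 with DH group 19 (ecp256):
    #   ike=aes256-sha256-ecp256!
    #   esp=aes256-sha256-ecp256!
    # Do not append an integrity algorithm such as -sha384 to a GCM proposal; GCM is
    # already an authenticated mode, and mixing the two is a common source of
    # proposal mismatches.
    left=%defaultroute
    leftsubnet=10.10.0.0/24
    right=203.0.113.10
    rightsubnet=10.20.0.0/24
    auto=start
```

After reloading, `ipsec statusall` (or `swanctl --list-sas`) shows the negotiated algorithms for each SA; if the peer still rejects the proposal, compare its configured suite keyword by keyword against this string rather than trusting the vendor's group number alone, since some appliances label the same curve differently.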
AWS Site-to-Site VPN logging not working
1 vote · 0 answers · 375 views
Has anyone encountered a problem where logging to CloudWatch for Site-to-Site VPN isn't working even though logging is enabled?
The only log file that is created is one with the title "...
Dynamic traffic routing via multiple GRE over IPsec tunnels
1 vote · 0 answers · 449 views
Initial data
I am learning networking-based things and proper strongSwan configuration.
Using my own wildcard SSL certificate.
All tunnels are successfully brought up and authorized among themselves, ...
IPsec VPN Windows 10 client not working - SOLVED
0 votes · 0 answers · 424 views
After 3 days of banging my head against the keyboard, I finally came up with a solution that allows my Windows 10 Professional built-in VPN client to connect to my Linux IPsec VPN server using EAP and ...
Error in IKE phase 1 when trying to create IPsec tunnel with Juniper SRX 300
0 votes · 0 answers · 470 views
Less than a month ago we had to replace our old SRX 210 HE device with a new SRX 300 because the old device started to become unreliable. We had two IPsec tunnels to two different places, both working ...
How to connect to an IPsec VPN with a WireGuard client?
-3 votes · 1 answer · 372 views
Is it possible at all? I know that you can't do this with openconnect.
I have:
gateway IP
preshared key
login
password
empty IPsec ID (group)
Best approach for deploying code to servers behind a gateway
0 votes · 0 answers · 46 views
I am attempting to adjust my deployment scripts to access a server behind a newly established gateway that I've configured. The gateway is currently accepting traffic from the internet correctly and ...
Why does this traffic selector not match?
0 votes · 0 answers · 584 views
(Note: I'm really using pfSense, but I'm just going to focus on the ipsec.conf files, since pfSense doesn't seem particularly relevant to the issue.)
We're getting the following error from charon:
Aug ...
WireGuard alongside IPsec site-to-site
0 votes · 0 answers · 42 views
I have the following scenario: connecting to a server (A) through another server (B). My connection to B is normally via SSH. The connection between B and A is through SSH, but via VPN with WireGuard.
...
IPsec connection established but client not able to reach host until host pings the client
2 votes · 1 answer · 195 views
I am trying to establish an IPsec connection between two Linux machines residing in the same VPC but in different subnets.
On both machines I have the following configuration:
Host machine:
conn hostConn
    ...
strongSwan IKE phase 1 failed: "IKE_SA being deleted"
0 votes · 1 answer · 779 views
I'm trying to build an IPsec tunnel between my strongSwan cloud instance and the Cisco CSR 1000V which is from the ISP.
According to the form given to me, I have to configure with the following factors in ...
ipsec/strongSwan - tunnel is up, traffic is sent and received but replies are ignored
0 votes · 1 answer · 754 views
I need some help. I set up a strongSwan IPsec tunnel with ESP and IKEv2; the tunnel is UP and the remote side sees packets coming and answers them, but my server is ignoring(?) the answers.
The tunnel is between my ...
Site-to-site (IPsec) between AWS and Cisco is not working
0 votes · 1 answer · 1k views
I am trying to set up a site-to-site VPN connection between AWS and a Cisco ASA, but the tunnel status is shown as "Down", and under the details section the message is "IPSEC IS DOWN." ...
How to investigate TCP packets sent from VPN on the same LAN not being received?
0 votes · 1 answer · 223 views
I'm setting up a VLAN in the cloud where many servers will connect to a remote host via VPN. The setup is as follows:
Their Host d.d.d.72
|
|
...
strongSwan IPsec specific rightsubnet
0 votes · 0 answers · 196 views
I have a strongSwan IPsec setup installed on Ubuntu. I have static public IP 103.x.x.x and VPN client subnet 10.100.100.2/24. I have 2 clients with Ubuntu OS. I was able to ping from client 1 to client 2 ...
Ubuntu - IPsec VPN with dual stack / strongSwan
0 votes · 0 answers · 479 views
I'm trying to set up an IPsec VPN (IKEv1) for our Linux clients. But we need dual stack with IPv4 and IPv6.
The endpoint is a FortiGate firewall, with two phase 2s, one for IPv4 and one for IPv6. The ...
Incoming IPsec traffic on Linux host is not processed via the VTI tunnel using XFRM rules
0 votes · 1 answer · 273 views
I have the following setup:
Remote IPsec VPN gateway: 81.x.x.x
Local machine address: 172.22.1.156
VPN-assigned IP: 10.0.30.97
VTI tunnel interface:
vti0: ip/ip remote 81.x.x.x local 172.22.1.156 ttl ...
Windows 11 IKEv2 fails to connect, error code 1931 eventID 20227
0 votes · 0 answers · 597 views
I have a MikroTik configured for accepting IPsec connections with server certificate and RADIUS auth, SHA1 and so on enabled on the MikroTik side for Windows compatibility.
It is also configured for L2TP/IPsec, ...
How to get the server host into strongSwan's virtual IP address subnet
0 votes · 1 answer · 463 views
I have configured a VPN server and VPN client with strongSwan with the following ipsec.conf configuration settings
Server ipsec.conf:
conn ikev2-vpn
    also=rw-base
    auto=add
    compress=no
    ...
strongSwan: disable user access
0 votes · 1 answer · 149 views
How can I disable access for a particular user with strongSwan public key authentication?
So I have public key authentication working. The SAN is the email and is the ID. Is there a way to reject ...
strongSwan site-to-host example?
1 vote · 0 answers · 302 views
There are a million site-to-site and host-to-host examples. I can't seem to find a single site-to-host example. I am looking for the most basic possible example with no certificates at all, that just ...
My Win 11 Pro VPN client for IKEv2 is perpetually broken
1 vote · 1 answer · 897 views
I am tearing my hair out over this sudden refusal of Windows 11 Pro on my PC to use the appropriately configured crypto in IKEv2 negotiation. It worked fine for a long time, until it didn't. This ...
Not getting strongSwan IPsec to run: "received netlink error: Network is unreachable / unable to install source route for [...]". Getting nuts already
1 vote · 1 answer · 1k views
I am trying to set up an IPsec tunnel with strongSwan; I used some tutorials for that and all went well so far, but there is no actual communication going through the tunnel. The tunnel is established, but ...
Windows 11 L2TP and IPsec: where to set the IPsec group
0 votes · 1 answer · 3k views
First of all:
I know that "L2TP and IPSEC from Windows XP: Where do I put the IPSEC group name?" exists, but the answer is incorrect and is not working on Windows 11 (please do not duplicate this topic by ...