Questions tagged [ipsec]
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session.
222 questions
1 vote, 0 answers, 41 views
I don't understand ipsec [closed]
Can you explain what is Child SA? Is this exchange used only for rekey IKEv2 OR ESP or this exchange is used for rekey IKE SA AND Child SA at the same time?
What is IKE SA? Is it a set of params (...
1 vote, 1 answer, 119 views
Why does IPsec have "partial" replay protection? If we drop all packets outside the moving window, then where is the threat?
IPsec is said to have "partial" replay protection because if a packet arrives outside the window, we can't track it, so we have to make a choice: do we risk and accept it, or do we drop it?
...
0 votes, 1 answer, 59 views
Is there a difference between data origin authentication and sender authentication?
Here the author writes "sender authentication". Does he mean data origin authentication? Or is sender authentication something different?
Wikipedia says that "data origin authentication ...
2 votes, 0 answers, 91 views
Why is IPsec transport mode "vulnerable" for not having integrity of variable fields? Why is this so important?
With IPsec transport mode we CAN'T have integrity of variable fields (e.g. TTL and checksum).
Why is it a problem? Is it? What could be the attack?
I think TTL expire or checksum modification (so both ...
0 votes, 0 answers, 52 views
What attacks can be performed by changing the header of an IP packet if I apply only ESPv2 of IPsec (so not providing integrity for the IP header)?
For ESPv2 I'm referring to this: https://datatracker.ietf.org/doc/html/rfc2406 so the version which supports of course confidentiality, but also authentication ONLY FOR THE PAYLOAD, NOT of the IP ...
0 votes, 1 answer, 61 views
IPSec in tunnel mode with AH&ESP: position of original IP header?
I am studying IPSec in tunnel mode when first applying ESP and then AH and am wondering about the position of the original IP header. I see two options:
IP header (crypto), AH header, ESP header, IP ...
0 votes, 0 answers, 90 views
Why does IPsec use tunnel-mode for an external laptop? Could transport-mode be used? Why can't a gateway control access in transport-mode?
In an IPsec Secure gateway setup, why is tunnel-mode used when an external laptop wants to access an internal service protected by a firewall? Is tunnel-mode necessary or could transport-mode be used ...
1 vote, 1 answer, 165 views
What if in IPsec I have confidentiality BUT NOT integrity? What are the dangers?
ESP in IPsec v2 only provides integrity of the payload, not of the header. So my question is about that. The possible dangers in not having integrity of header, while having ESP active for payload.
...
0 votes, 1 answer, 302 views
Since IPSec works on Layer 3 (Network), does that mean it also provides protection for all the higher layers?
From my understanding, data moves from OSI Layer 7 down to Layer 1 when it's being prepared to get sent. On each layer, data gets encapsulated within the data of the layer below it. Ex: A Layer 3 IP ...
1 vote, 1 answer, 174 views
Do IKEv2 ESP proposals really require a unique SPI per proposal?
When one peer is trying to negotiate an ESP SA, it sends a security association (SA) payload to the other peer. This SA payload must contain at least one proposal, suggesting at least one encryption ...
0 votes, 0 answers, 582 views
In IPSec, what block cipher mode of operation is "AES-256"?
Multiple IPSec implementations I've run across support "AES-256" as an encryption algorithm. (pfSense has this, Checkpoint has this.)
What block cipher mode of operation is this?
0 votes, 1 answer, 813 views
Where should private key(s) reside in IPsec VPN tunnel
I set up an IKE VPN server for road warriors. I actually have this working (YAY!) but took some shortcuts that are leaving me with a working yet not-right/secure setup. My setup is as follows:
My ...
0 votes, 1 answer, 177 views
Trying to understand transport-mode IPSec and VPNs
Disclaimer: My understanding of the types of VPNs and IPSec is limited.
What I am struggling to understand is the fact that the IP header is not encrypted in transport-mode IPSec.
My understanding of ...
1 vote, 1 answer, 239 views
What is the role of a CA server in a PKI?
I'm confused how the CA server helps with the digital signature and the PKI workflow. Here's an example topology:
A and B are the 2 devices using PKI to authenticate each other for VPN, and then there ...
0 votes, 1 answer, 291 views
What's the significance of including port number in IPsec ESP mode?
In the AH mode for IPsec, we include the IP header to ensure data origin authentication, and in the ESP, we exclude the IP header.
What are the security properties we lose by not authenticating the ...
1 vote, 0 answers, 205 views
IPSec MTU DDos attack
I have this configuration:
HOST-A <---> GAT-A <---> MiTM <---> GAT-B <---> HOST-B
I'm doing a security project on MTU-IPsec vulnerabilities and following this guide of Hal-...
0 votes, 1 answer, 551 views
Should users have access to the IPsec pre-shared key?
We are in the process of switching from Hamachi to Meraki VPN by Cisco. Hamachi was managed internally, but this new VPN solution is managed by an external party and they have set it up as L2TP/IPsec ...
1 vote, 1 answer, 715 views
Is IPsec VPN still necessary when already using HTTPS protocol? [duplicate]
There are 2 sets of API each hosted in 2 different organisations: my client's organisation and her partner's organisation. The servers from the 2 organisations communicate between each other through ...
1 vote, 1 answer, 208 views
IKEv2 handshake: 4 or 8 packets? [closed]
I opened Wireshark to inspect the IKEv2 handshake and noticed it is 8 packets instead of 4. Two groups of 4 packets, one originating from the first peer and the other from the second peer. Is it normal? ...
2 votes, 1 answer, 623 views
Why does IKE have two phases?
Why does IKE have two phases, two levels of security associations, two sets of authentication and encryption algorithms, two sets of options around lifetimes and renegotiations?
It seems ...
26 votes, 1 answer, 5k views
How credible are the rumors that the NSA has compromised IPSec? [closed]
Part of the Snowden revelations was that the NSA had targeted IPSec.
But I'm having trouble separating FUD from legitimate issues.
How credible is this? Are there ways to use IPSec to be confident ...
0 votes, 0 answers, 161 views
Can I use IPSec for anonymous browsing (like in commercial proxies)?
In class, we learned how to set up a VPN between two remote sites using IPSec in tunnel mode. I have a VPS for hosting my website (with root access), but if I set up a tunnel between my PC and the VPS,...
0 votes, 2 answers, 414 views
What does it mean that Ikev1 (IPSec) protects peer identities in main mode?
Does it mean that the source IP is replaced with something else (like if in IP spoofing) so intermediate routers don't know who is sending the packet?
2 votes, 2 answers, 2k views
Certificates (CA certificate and EE/Local certificate)
There is a small confusion related to the CA certificate and the Local certificate. I had asked a similar question before. This time, it's a little specific.
For authentication using PKI, below are the steps.
-...
1 vote, 1 answer, 3k views
Windows 10 IPSec VPN not respecting configured parameters (notably: encryption method)
I am currently trying to establish a VPN connection from my Windows 10 Enterprise 1909 to a remote VPN gateway, using the built-in Windows VPN / IPSec client. Since the UI does not provide all options ...
1 vote, 1 answer, 5k views
Why do IPSec VPN Phases have a lifetime?
I was working on a bug with our VPN, and read about VPN Phases 1 and 2, each of which have a lifetime in seconds. I was investigating to validate if these had anything to do with the bug we had and ...
7 votes, 2 answers, 16k views
Performance comparison between AES256 GCM vs AES 256 SHA 256
I understand GCM crypto uses ESP encryption only for the ESP and authentication algorithm,
whereas AES 256 SHA256 uses AES for ESP encryption and SHA256 for the auth algorithm.
Could someone help clarify the ...
0 votes, 2 answers, 1k views
What is the real risk of clicking a link? [closed]
If I were to click a link on any of my devices, be it over text message, email, or from a webpage, and enter no information/actions with the target page, what is the worst that could happen?
2 votes, 1 answer, 465 views
How does IKEv2 work on Android without raw sockets
I was exploring the IKEv2 StrongSwan client implementation for Android. What I fail to understand is that Android and Java do not support raw sockets, whilst the IKEv2/IPSec works below the transport ...
0 votes, 1 answer, 343 views
Is PFS recommended by the NCSC in the PRIME profile for IPsec?
Guidance on the PRIME profile for IPsec (https://www.ncsc.gov.uk/guidance/using-ipsec-protect-data) does not explicitly mention the use of PFS.
Is there a recommendation for its use in the Prime ...
0 votes, 1 answer, 663 views
StrongSwan, IPsec remote certs and cert_policy
I'm looking for a way to limit the certs that my IPsec can accept. I'm using StrongSwan (swanctl version 5.7); I want to accept only certs coming from a remote with a name of yoji.*.example.com
I ...
0 votes, 1 answer, 847 views
CA certificate and Local certificate
There is something which is bothering me when I think about the CA cert and Local cert.
Below are my queries, which pertain to Juniper but may be generic as well.
1) "request security pki ca-...
0 votes, 1 answer, 135 views
What are the changes in PKI when I move from the TLS protocol to the IPSec protocol?
Currently I am using the TLS protocol for secure communication between my server and client. I use PKI for key/certificate management. If I want to switch to IPsec for secure communication, how will the ...
-3 votes, 1 answer, 2k views
Which VPN offers more security conceptually, SSL VPN or L2TP/IPSEC?
Aside from possible implementation bugs, which VPN concept aims to offer more protection by design?
SSL VPN (implementation example - OpenVPN)
L2TP/IPSEC (implementation example - Strong Swan)
After ...
2 votes, 1 answer, 434 views
IKEv2 Using Different PSKs
We're setting up some new tunnels and have been told to use IKEv2. I understand that IKEv2 allows different authentication methods, e.g. one side using PSK and the other using a certificate. We don't ...
0 votes, 1 answer, 829 views
authby=secret serve as alternative to AH in ipsec.conf
I have employed strongSwan U5.5.1 for installing an IPsec tunnel between two Debian hosts with a firewall in between. My ipsec.conf specifies authby=secret but not ah=. The firewall currently permits ...
1 vote, 0 answers, 44 views
Could IPSec flows be decrypted using PSK [duplicate]
I created an IPSec tunnel between two VMs using StrongSwan. It relies on a Pre-Shared Key. I wonder, if this key is leaked, what could an attacker perform?
Would he/she be able to decrypt previous ...
2 votes, 1 answer, 301 views
IPsec installed algorithms
What happens if a laptop and a server don't have an encryption algorithm in common?
Does IPSec abort the connection or does it always have default algorithms?
1 vote, 1 answer, 1k views
Ipsec: Is it possible to use both pre-shared keys and pubkeys auth methods at the same time?
So if we have a server configuration with local auth pubkeys and remote psk, and at the same time for a client (initiator) a local auth psk and remote pubkey.
Something like this.
Server -
local {
...
0 votes, 0 answers, 191 views
IP Encryptor and Firewall
Firewalls implement IPsec VPN and perform packet filtering. An IP Encryptor, on the other hand, implements IPsec VPN and achieves security goals (confidentiality, integrity and authentication).
What are ...
2 votes, 2 answers, 200 views
TCP Traffic, SSL or extra Tunnel
I have a situation where we (as a SaaS vendor) are migrating one of our clients away from their local premise to our public SaaS.
However, as a security concern they want to route all their TCP ...
1 vote, 1 answer, 589 views
Is a security association (SA) implemented in ESP and AH protocols?
I'm reading about security associations. I've understood that an SA is a virtual connection between a client and a server, in which all the security parameters, such as encryption algorithm, IP origin ...
1 vote, 1 answer, 2k views
How hard is it to retrieve IKEv2 Server Certificate from the server?
I got access to a VPN via IPsec and IKEv2. The provider gave me a username, a shared secret and a server certificate. Since the certificate was self-signed, the manual came with specific instructions ...
0 votes, 0 answers, 301 views
IPSec Sniff Traffic
I'm wondering if it is possible to sniff IPSec connections.
At the beginning of a connection, the two peers agree on a SA and exchange a PSK or Certificates.
What I'm thinking about, is to ...
1 vote, 2 answers, 179 views
Where would I go to use a reliably secure encrypted internet connection?
Lately, I’ve been paying $100 a month for Fios. I’m thinking of canceling this service because I rarely use my internet at home, since I’m at school most of the time and my college offers internet (...
2 votes, 2 answers, 1k views
Maximum number of certificates generated by a CA
What is the maximum number of certificates that can be generated from a CA?
The use case is a VPN using certificate authentication and I would like to know what is the theoretical number of unique ...
0 votes, 1 answer, 380 views
IKE Phase 1 /w PSK resource?
I can't seem to find a sufficiently detailed resource that describes the IKE phase 1 PSK identity authentication process. They seem to focus on differences between aggressive and main mode while ...
0 votes, 1 answer, 163 views
IPsec down with unusual SNMP traffic [closed]
From time to time the IPSec tunnel status goes down, with unusual SNMP traffic. When I disable and enable the port manually, it becomes normal.
I am using a 200E FortiGate firewall.
Have you any idea or previous ...
2 votes, 1 answer, 368 views
IPsec with PSK: Can PSK be used for passive eavesdropping?
I use a PSK to connect to an IPsec VPN.
Let's say an attacker can gain access to my PSK.
He can then impersonate me, that much is clear.
But would she also be able to decrypt intercepted traffic? ...
4 votes, 2 answers, 336 views
IPSEC connection attempt to rogue server -- is my PSK compromised?
I am setting up an IPSec connection between two sites using Ubiquiti EdgeOS-based equipment. Using a DDNS service (a static IP is unavailable from the ISP), they can be found at east.example.net and ...