Collaborate Disseminate
We’re setting up some new tunnels and have been told to use IKEv2. I understand that IKEv2 allows different authentication methods, e.g. one side using PSK and the other using a certificate. We don’t have a PKI so it’ll have to be PSK for … Continue reading IKEv2 Using Different PSKs
I got access to a VPN via IPsec and IKEv2. The provider gave me a username, a shared secret and a server certificate. Since the certificate was self-signed, the manual came with specific instructions on how to install it.
Th… Continue reading How hard is it to retrieve IKEv2 Server Certificate from the server?
I have done windows machine authentication with Linux running free swan server. With default configuration i could see ping encrypted with ESP. But i want to test it with AH also. Is there any way in which i can configure Win… Continue reading Is there any way in which i can configure Windows IPSEC policy to use just AH mode and not ESP
I can’t seem to find a sufficiently detailed resource that describes the IKE phase 1 PSK identity authentication process. They seem to focus on differences between aggressive and main mode while oversimplifying them.
Looking here:
https://www.sonicwall.com/en-us/support/knowledge-base/180427163815045
It appears that our firewall supports DH group 25, and 26. Almost everywhere I’ve seen, they’ve recommended DH group 20-24 (We don’t have D… Continue reading Diffie-Hellman Group 25, and 26? [migrated]
I can’t find much information on PFS (Perfect Forward Secrecy) Groups so I’m unsure what to suggest for a secure IPSec configuration.
Any suggestions on PFS groups that aren’t recommended?
What is the implication for using… Continue reading Which PFS Group is recommended for IPSec configuration?
My guess is that with IPSec/IKEv1, since it doesn’t support NAT, you either have to manually configure routes from your machine, or use a layer 2 tunnel (such as l2tp) to talk with devices on the network you’re connecting to…. Continue reading Why doesn’t IKEv2 use L2TP?
I’m learning about IPSec at the moment. Unfortunately there’s a few roadblocks to my understanding:
I’ve made a lot of progress, but I’m sure I don’t understand some things completely since I can’t answer these questions:
If you can help me fill in the gap/s on why this is the case.
IPSec vs L2TP question 1 – in my opinion not answered: What’s are the advantages of L2TP/IPSEC over plain IPSEC?
IPSec vs L2TP question 2 – in my opinion not answered: why use L2TP/IPsec insted of just IPsec
NordVPN on the value of IKEv2 (touches on L2TP): https://nordvpn.com/blog/ikev2ipsec/
Cisco Next-Generation Encryption (NGE): https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html
Juniper docs on IPSec and IKE: https://www.juniper.net/documentation/en_US/junos/topics/concept/vpn-security-overview.html
Article on IPSec: https://cromwell-intl.com/networking/what-is-ipsec.html
Continue reading Understanding IPSec, L2TP, IKEv1, and IKEv2
The attack targets IKE’s handshake implementation used for IPsec-based VPN connections, opening the door for MiTM attacks or for bad actors to access data carried in VPN sessions. Continue reading Researchers Break IPsec VPN Connections with 20-Year-Old Protocol Flaw
As we all know, IKE will start with one peer as the initiator and the other as the responder. Each SA has a lifetime. Is there any situation that two peers start a request for a new SA (in this case, we have two initiators)? … Continue reading Internet Key Exchange (IKE) in IPsec