Discover Top Posts Tagged with #ipsec

Popular Recent

if anyone has set up a self-hosted virtual folded clos network (wireguard, vxlan, etc.) i'd be fascinated to hear how you did it. i'm trying to set one up for high availability and low maintenance but i keep running into things like wireguard not supporting multipath routing or vxlan needing port forwarding if one end is behind NAT.

i'm trying to achieve these goals:

redundant routing plane (so a VPS going down doesn't take down the whole network)

vanilla clients for mobile devices (i'm not a software dev)

clients include laptops, physical servers, phones, and containers/VMs behind a variety of NAT and firewall configurations out of my control

routers are VPSes, globally distributed

self-hosted

minimal configuration effort for new clients

wireguard doesn't enjoy anycast/multicast/redundancy very much. vxlan needs port forwarding apparently, although i haven't exhausted my search there yet. tailscale isn't self-hosted, and headscale has only experimental support for HA (and there's a bug in the tailscale iOS app that prevents working with headscale). ipsec and openvpn don't exactly have glowing reputations, but they're probably my next lines of investigation unless i can get something else working without manual firewall configuration.

#the silence of the fans #wireguard #vxlan #openvpn #ipsec #tailscale #headscale #networking #network topology #vpn #virtual private network

An IT networking furry asking to set up an IPsec tunnel with you is like the pinnacle of intimacy. She's letting you into her inner realm (home network and homelab), letting you use the most expensive things she owns (routers), and sharing with you a closely-guarded secret that's key to understanding the things she says (IKE pre-shared key)

#systemOne: Peach #it #networking #furry #furry it #furry technology #telecom #IPsec

#ww2 #IPSec

This is an example of a Static VTI configuration:

See above topology, same as last config ensure that both “sites” have internet connection to the ISP router.

Below is the configuration used, ensure both sides are configured correctly with the same configuration:

From Configuration Terminal

crypto isakmp policy 1 authentication pre-share encryption aes hash sha group 5 lifetime 1800 exit crypto isakmp key cisco add 0.0.0.0 crypto ipsec transform-set t-set esp-aes esp-sha-hmac mode tunnel exit crypto ipsec profile cisco set transform-set t-set exit interface tunnel 0 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down ip add 192.168.1.2 255.255.255.0 tunnel mode ipsec ipv4 tunnel protection ipsec profile cisco exit %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON interface tunnel 0 ip ospf 10 area 0 exit router ospf 10 network 192.168.0.0 0.0.255.255 area 0 exit interface tunnel0 tunnel source fa0/0 tunnel destination 102.1.1.100 exit

%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up %OSPF-5-ADJCHG: Process 10, Nbr 102.1.1.100 on Tunnel0 from LOADING to FULL, Loading Done

To Confirm configuration

R1#show crypto ipsec sa

interface: Tunnel0 Crypto map tag: Tunnel0-head-0, local addr 101.1.1.100

protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer 102.1.1.100 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40 #pkts decaps: 39, #pkts decrypt: 39, #pkts verify: 39 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0

local crypto endpt.: 101.1.1.100, remote crypto endpt.: 102.1.1.100 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1 current outbound spi: 0x33306896(858810518) PFS (Y/N): N, DH group: none

inbound esp sas: spi: 0x15FCFCCD(368901325) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 1, flow_id: 1, sibling_flags 80000040, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4297365/3396) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas: spi: 0x33306896(858810518) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 2, flow_id: 2, sibling_flags 80000040, crypto map: Tunnel0-head-0 sa timing: remaining key lifetime (k/sec): (4297365/3396) IV size: 16 bytes replay detection support: Y Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

R1#show crypto engine connections active Crypto Engine Connections

ID Type Algorithm Encrypt Decrypt LastSeqN IP-Address 1 IPsec AES+SHA 0 40 40 101.1.1.100 2 IPsec AES+SHA 41 0 0 101.1.1.100 1002 IKE SHA+AES 0 0 0 101.1.1.100

#cisco certifications #cisco ccna #cisco ccnp #vpn connection #VPN #Cisco #Static VTI #IPsec #network #security #cybersecurity

分散型台帳技術「ブロックチェーン」って何？【弓削/ネットビジョンアカデミー】

https://megacollc.com/index/juniper-srx380-supports-up-to-20gbps-firewall-and-4-4-gbps-ipsec-vpn-srx380-p-sys-jb-ac/

#juniper #srx380 #20gbps #4.4 gpbs #ipsec #vpn #cisco #amazon #biden #china #covid #elon musk #iran #catalyst #switch #russia #trump