
Windows XP / Vista IPSec VPN policy

Windows XP / Vista IPSec VPN policy configuration


Index
Preface (page 2)
Building an IPSec policy (page 3)
Creating Filter Lists (page 5)
Defining Filter Action and negotiation security (page 7)
Defining Authentication Methods (page 9)
Defining Tunnel Settings and Connection Type (page 11)
A short word about the other side of the tunnel (page 13)
Testing the VPN and looking at the log (page 14)
Conclusion (page 15)

Johan Engdahl 2007

page 1

Preface
This document shows how to establish an IPSec VPN between a Windows XP computer exposed to the Internet and a Check Point FireWall-1 / VPN-1 NG AI R55 gateway, using the IP Security Policy snap-in for MMC and the encryption and hash algorithms built into the XP IP stack. The environment consists of two network segments:

Network A (AD_2003 Server)
  Network: 192.168.1.0
  Mask:    255.255.255.0
  Router:  192.168.1.254

Network B (XP_IPSec_LABB Workstation)
  IP:      172.16.32.9
  Mask:    255.255.255.252
  Router:  172.16.32.10

Building an IPSec policy
We'll be using the built-in Security Policy snap-in to set up the preferences for the VPN and configure settings such as terminating IP addresses, bi-directional traffic, allowed protocols and ports, pre-shared keys and so on, as will be explained further down the road. You need local administrator rights on the workstation for this. Start secpol.msc from START/RUN. Right-click IP Security Policies on Local Computer and choose Create IP Security Policy.

Select a suitable name for the policy and click Next

Here you'll deselect Activate the default response rule and click Next. The default response rule would make the workstation answer IPSec requests from any peer (using Kerberos), which is not wanted on a machine exposed to the Internet; we only want the explicit tunnel rules created below.

Now it's time to define the IP filter lists (we'll be creating two of them; they'll be exactly the same except for the terminating IP addresses) by choosing Add to get the New Rule Properties window.

Creating Filter Lists
From within this window click Add

In this example the first filter list will be called XP_to_Checkpoint_FW (the opposite one will be called Checkpoint_FW_to_XP). Click Add to enter Filter Properties. Make sure to enter the correct IP information for the source and destination addresses: for XP_to_Checkpoint_FW the source is the XP workstation (172.16.32.9) and the destination is Network A (192.168.1.0/255.255.255.0). Leave Mirrored unchecked; tunnel rules need one filter list per direction.

On the Protocol tab, use the default settings or change them according to your needs. We'll be using ANY here, so every protocol between the two endpoints goes through the tunnel.

Click OK until the window New Rule Properties is shown again and create a new Filter List for the opposite direction.

Remember to get the IP information correct.


Defining Filter Action and negotiation security
The next step is to define the Filter Action, i.e. what happens to traffic that matches the filter list, and the security negotiated for it.

Choose Require Security and click Edit. While you are in there, make sure the two fallback options, Accept unsecured communication, but always respond using IPSec and Allow unsecured communication with non-IPSec-aware computers, are both cleared; otherwise traffic to Network A can silently go out in cleartext if the negotiation fails.

Be sure to enable Session key perfect forward secrecy (PFS). The Check Point side must have PFS enabled for Phase 2 as well, or the quick mode negotiation will fail. Here you may also change the preset security methods or define your own. Note that the XP IP stack only offers DES or 3DES with MD5 or SHA1 (AES arrived with Vista), so keep ESP with 3DES/SHA1 and remove the DES variants from the list.

Click OK twice and open the Authentication Methods tab.

Defining Authentication Methods
By default the authentication method is preset to Kerberos (the Active Directory default, which only works between domain members), but we'll be using a preshared key, since the Check Point gateway is not a domain member.

Highlight Kerberos, click Edit, select Use this string (preshared key) and enter an appropriate string (remember that this string must match between the terminating endpoints). Use a long, random string: Windows stores it in the local policy store where any local administrator can read it, and a guessable key undermines the whole tunnel. Windows only uses IKE main mode with preshared keys, which means the peers identify each other by IP address, so both endpoints need fixed addresses.

Click OK and notice that the method has changed to Preshared Key.

Defining Tunnel Settings and Connection Type
The last two remaining things to define are the tunnel endpoint this Filter Rule will use and the connection type the rule applies to. On the Tunnel Setting tab, choose The tunnel endpoint is specified by this IP address and enter the IP address of the remote gateway, i.e. the Internet-facing address of the Check Point firewall for the XP_to_Checkpoint_FW rule. On the Connection Type tab, All network connections is fine unless you want the rule limited to LAN or remote access connections.

When this is done, yet another Filter Rule must be created for the opposite direction, using the Checkpoint_FW_to_XP filter list. Use exactly the same settings except the IP address of the tunnel endpoint, which in this case will be the Windows XP client (172.16.32.9). Now click OK all the way back to the Local Security Settings window. Right-click the new policy and choose Assign to enable it; only one local IPSec policy can be assigned at a time, and assigning this one unassigns any other.
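The whole procedure from Building an IPSec policy down to this point can also be scripted, which is handy when the same policy has to go onto several workstations or be recreated after a rebuild. The following is an added example, not part of the original document, and uses the netsh ipsec static context (present on Windows XP SP2 and later, including Vista) from an Administrator command prompt or PowerShell session. The document never states the Check Point gateway's Internet-facing address, so 203.0.113.1 (a documentation address) is an assumed placeholder, as are the preshared key, the policy name and the rule and filter action names.

```powershell
# Added example (not from the original document): the secpol.msc walkthrough
# above, expressed as netsh ipsec static commands. Run as Administrator.
#
# ASSUMPTIONS: the gateway's public address (203.0.113.1), the PSK and the
# policy/rule/action names below are placeholders chosen for this example.
$GatewayIP  = "203.0.113.1"                       # Check Point external address (assumed)
$ClientIP   = "172.16.32.9"                       # XP_IPSec_LABB, from the Preface
$RemoteNet  = "192.168.1.0"                       # Network A, from the Preface
$RemoteMask = "255.255.255.0"
$Policy     = "XP_to_Checkpoint_VPN"
$Psk        = "replace-with-a-long-random-string" # must match the gateway exactly

# 1. The policy. activatedefaultrule=no is the deselected "default response rule".
#    Main mode limited to 3DES/SHA1/DH group 2, the strongest XP offers.
netsh ipsec static add policy "name=$Policy" activatedefaultrule=no mmpfs=no "mmsecmethods=3DES-SHA1-2"

# 2. Two one-way filter lists (mirrored=no; tunnel rules must not be mirrored).
netsh ipsec static add filterlist name=XP_to_Checkpoint_FW
netsh ipsec static add filter filterlist=XP_to_Checkpoint_FW "srcaddr=$ClientIP" srcmask=255.255.255.255 "dstaddr=$RemoteNet" "dstmask=$RemoteMask" protocol=ANY mirrored=no

netsh ipsec static add filterlist name=Checkpoint_FW_to_XP
netsh ipsec static add filter filterlist=Checkpoint_FW_to_XP "srcaddr=$RemoteNet" "srcmask=$RemoteMask" "dstaddr=$ClientIP" dstmask=255.255.255.255 protocol=ANY mirrored=no

# 3. Filter action: Require Security with PFS. inpass=no and soft=no are the two
#    "unsecured communication" checkboxes cleared, so there is no cleartext fallback.
netsh ipsec static add filteraction name=Require_Security_PFS action=negotiate qmpfs=yes inpass=no soft=no "qmsecmethods=ESP[3DES,SHA1]"

# 4. Two tunnel rules with preshared-key authentication. The tunnel endpoint is
#    always the far end of the direction the filter list describes.
netsh ipsec static add rule name=XP_to_Checkpoint "policy=$Policy" filterlist=XP_to_Checkpoint_FW filteraction=Require_Security_PFS "tunnel=$GatewayIP" conntype=all kerberos=no "psk=$Psk"
netsh ipsec static add rule name=Checkpoint_to_XP "policy=$Policy" filterlist=Checkpoint_FW_to_XP filteraction=Require_Security_PFS "tunnel=$ClientIP" conntype=all kerberos=no "psk=$Psk"

# 5. Assign the policy (right-click > Assign). Only one local policy can be assigned.
netsh ipsec static set policy "name=$Policy" assign=yes

# Review what was created, including both rules and their tunnel endpoints.
netsh ipsec static show policy "name=$Policy" level=verbose
```

The quoting ("name=$Policy") only matters in PowerShell, which expands the variable and hands netsh the bare name=value token; in cmd.exe the same commands work with the values typed in literally. The script leaves the PSK in the local policy store exactly as the snap-in does, so keep the script itself out of shared locations.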

A short word about the other side of the tunnel
As this document will not cover basic VPN setup, I'll only show the settings I used to get this show on the road.

Testing the VPN and looking at the log
Pinging from the Windows XP machine to the 2003 AD server on the other side brings the IP Security Policy into play and starts the negotiation with the remote gateway. The first ping or two will report Negotiating IP Security. while IKE runs; once both security associations are in place the replies come through.

The log viewer (SmartView Tracker) on the Check Point side shows us what's happening: the key exchange with the XP address, and then the encrypted traffic.
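The gateway log only shows one side of the negotiation. As an added example (not from the original document), the commands below check the same thing from the XP workstation: enable IKE logging, trigger the tunnel with a ping, and then list the negotiated main mode and quick mode security associations. They assume Windows XP SP2 or later run as Administrator, and the ping target (192.168.1.1) is an assumed host address on Network A, since the document only gives the network address.

```powershell
# Added example (not from the original document): client-side verification of the
# tunnel built in the walkthrough above. Run as Administrator on the XP client.
# ASSUMPTION: 192.168.1.1 stands in for the AD server's address on Network A.
$Target = "192.168.1.1"

# XP SP2+: write IKE negotiation detail to %SystemRoot%\Debug\Oakley.log.
# Turn it off again (value=0) when done; the log grows quickly.
netsh ipsec dynamic set config property=ikelogging value=1

# Trigger the negotiation. Expect "Negotiating IP Security." on the first
# request(s) and normal replies once the SAs exist.
ping -n 4 $Target

# Phase 1: one main mode SA with the gateway's address, authenticated with the
# preshared key, 3DES/SHA1/DH group 2.
netsh ipsec dynamic show mmsas all

# Phase 2: two quick mode SAs (one per direction), ESP 3DES/SHA1 in tunnel mode.
# No quick mode SA while main mode succeeded usually means a Phase 2 mismatch
# on the gateway: PFS setting, proposal, or encryption domain.
netsh ipsec dynamic show qmsas all

# IKE and IPSec counters. Rising failure counters while the ping keeps timing out
# point at a proposal or preshared-key mismatch rather than a routing problem.
netsh ipsec dynamic show stats

# Vista: the netsh ipsec dynamic commands still work, but IKE detail goes to the
# Security event log rather than Oakley.log. Enable it with:
#   auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
#   auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
```

Read Oakley.log from the bottom up: the last "Processing failed" entry before the timeout is normally the proposal or key that did not match the gateway.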


Conclusion
All I can say is that I'm extremely pleased with the functionality. Although the screenshots above are taken from Windows XP, I can assure you that this works just as well with Windows Vista. The IP stack in Windows XP and the improved IP stack in Windows Vista make it smooth to have several policies on the workstation, whereas the different vendors' VPN clients used to interfere with each other or make it completely impossible to combine certain clients at all.
