IPSEC Between two PCs in Win2K

EugeneN

Hi,

For IPSEC testing purposes I am trying to set up an IPSEC
channel between two PCs with Win2K Prof (workstations). I
am strictly following the procedure outlined in the MS
Article "Step-by-Step Guide to Internet Protocol Security
(IPSec)"
(www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp).

All steps are giving me the expected results on both
computers except the one where I am trying to "ping" the
other computer's IP Address. The first time I ping, I am
getting the expected result of the "Negotiating IP Security."
message. But then, regardless of the number of times I ping,
I am still getting the same "Negotiating IP Security."
messages, and no ping echo reply.

I repeated the procedure multiple times from scratch with
the same outcome. I verified that IPSEC Policy Agent is
running on both PCs. I hooked up the network sniffer and
made sure that ISAKMP messages are being exchanged between
two PCs. But still no further IPSEC packets can be seen.

Is there anybody who has done that successfully? Are there
any "gotchas" I should be aware of when setting up IPSEC
between two PCs?

Thanks,

Eugene.
 
Guest

Make sure that you are using
the same pre shared keys for authentication and
that your policy allows ICMP.

I just followed the steps in the article: one of the steps
required me to enter "123456789" as a pre-shared key
on both PCs. Another step required me to choose "All IP
Traffic" as an IP Filter. That's what I've done for both
of these steps. As I said, I have repeated all the steps in
the article several times with the same negative result.

Thanks for your reply.

Eugene.
 
Steven L Umbach

I assume you did that on both computers. I have found ping a somewhat
unreliable method at times of proving ipsec connectivity, as it seems that
ping may time out before the SA is established. I would double check that the ipsec
policy is indeed assigned to each computer. You could try something like
accessing a share and transferring a file and then using ipsecmon to see if
ipsec encryption is being used. Netdiag is helpful in determining what ipsec
policy, if any, is assigned to a computer. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321708
http://www.brienposey.com/kb/monitoring_secured_communications_through_ipsecmon.asp
 
Guest

Yes, I have done exactly the same configuration steps on
both PCs as suggested by article.

I tried what you suggested, strange thing though:

netdiag /test:ipsec /debug

shows me that two SAs do exist on each of my two PCs
(the number of NICs in each PC, one IP addr per NIC). At the
same time, IPSec Monitor does not show me even a single SA
(I have set the refresh time to 1 sec). I would expect
these two tools to show two IPSEC SAs on each PC.

If I hook up the network sniffer, I can see the ISAKMP
exchange happening, but not any further IPSEC packets. I
tried both "ping" and just connecting to a "share" on the 2nd
PC. No success. I guess it's some sort of configuration
problem, but WHAT is it? Anything else you can think of?

Thanks,

Eugene.
 
Steven L Umbach

Hmm. Make sure there are no personal firewalls or other packet filtering between the
two computers that may interfere. I would try to use the built-in Server (Request
Security) policy to see if you can get that to work between the two computers instead
of a custom rule at first. You could modify that built-in policy by unchecking the All
ICMP rule and then, for the All IP and <dynamic> rules, just change the authentication
to a preshared key and delete Kerberos. After that, assign that policy on both
computers, and since each computer is requesting ipsec negotiation, it should encrypt
traffic. You can always restore the three built-in policies to default so you do not
have to worry about messing them up during the testing process. --- Steve
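The setup Steve describes (a request-security policy for all IP traffic, pre-shared key instead of Kerberos, assigned on both machines) and the SA checks from his earlier post, as an added example that is not part of the original thread. It uses the netsh ipsec context, which exists on Windows XP SP2 / Server 2003 and later; Windows 2000 has no netsh ipsec (the Resource Kit tool ipsecpol.exe covers the same ground there), so this reproduces the test on a later box rather than on the Win2K machines in the thread. The policy, filter-list, filter-action and rule names and the 192.0.2.20 peer address are made up; the key 123456789 is the one the MS article uses. Run it from an elevated prompt on both PCs, each with the other's address as the peer.

```powershell
# Added example, not from the thread: Steve's test policy built with netsh ipsec
# (Windows XP SP2 / Server 2003 and later; Win2K needs ipsecpol.exe instead).
# Names and the peer address are made up; run elevated on BOTH machines.
$Policy = "IPSecTest"
$Peer   = "192.0.2.20"      # the other PC; use this PC's address when running there
$Psk    = "123456789"       # key from the MS article; must match byte for byte on both sides

# Start clean so a half-edited policy from an earlier attempt cannot linger.
netsh ipsec static delete policy "name=$Policy" | Out-Null
netsh ipsec static add policy "name=$Policy" assign=no

# "All IP traffic" between me and the peer, mirrored so replies match too.
# dstaddr=any would copy the article's All IP Traffic filter exactly; limiting
# it to the peer keeps the rest of the LAN reachable while testing.
netsh ipsec static add filterlist name=AllIPToPeer
netsh ipsec static add filter filterlist=AllIPToPeer srcaddr=me "dstaddr=$Peer" protocol=any mirrored=yes

# Request Security: negotiate ESP, allow unsecured inbound, fall back to clear
# if negotiation fails (soft=yes). Set soft=no during testing if you would rather
# see a failed negotiation as dropped packets than as silent cleartext.
netsh ipsec static add filteraction name=RequestESP action=negotiate inpass=yes soft=yes 'qmsecmethods=ESP[3DES,SHA1]'

# The rule: pre-shared key only, Kerberos removed, as Steve suggests.
netsh ipsec static add rule name=PeerRule "policy=$Policy" filterlist=AllIPToPeer filteraction=RequestESP kerberos=no "psk=$Psk"

netsh ipsec static set policy "name=$Policy" assign=yes

# --- Checks, after the policy is assigned on BOTH machines ---
# 1. Confirm this policy is the assigned one (netdiag /test:ipsec does this on Win2K).
netsh ipsec static show policy "name=$Policy" level=verbose

# 2. Generate traffic, then look at both SA stages. Ignore the first ping's
#    "Negotiating IP Security." reply; only later echo replies count.
ping -n 4 $Peer
netsh ipsec dynamic show mmsas all     # phase 1 (ISAKMP main mode) SAs
netsh ipsec dynamic show qmsas all     # phase 2 (ESP/AH) SAs

# A main-mode SA with no quick-mode SA is the "ISAKMP on the wire, no ESP" symptom:
# phase 1, which includes PSK authentication, succeeded and phase 2 did not, so
# compare quick-mode security methods and filters on both sides rather than the key.
```

The same three-stage reading (policy assigned, main-mode SA present, quick-mode SA present) is what ipsecmon shows graphically; the point of doing it from netsh is that each stage is checked separately, which narrows a "Negotiating IP Security" loop to either the pre-shared key (no main-mode SA) or the phase 2 proposal and filter match (main-mode SA but no quick-mode SA).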