ipsec main vs. quick mode? Authorization: <none> ?


william

Group: microsoft.public.windowsxp.security_admin

I have a couple of computers with 802.11b wireless cards.
I gather that without an access point, all cards broadcast
the SSID all the time?

I tried to set up IPSec, using the appropriate group policy
settings.

1) What is the default rule for? If I manually set IPSec on each
computer involved, do I need to use the default rule?

2) When the two computers connect -- and there is a pause for them
to connect, presumably setting up the encrypted channel -- I do see
an SA (Security Association). However, I don't understand what Quick
Mode and Main Mode are, in the ipsec monitor. Do those correspond to
the key exchange phase and the, um, I forget, next phase, in the ipsec
documentation?

In the QuickMode SA, I see SAs which say <none> for Authorization, and
this concerns me; does that mean the computers didn't actually authorize?
Authorization is something I want them to do. I'm using shared secrets,
as that seems an easy way to get this set up, and for only two computers,
it is not much burden to keep them synchronized.

(The computers involved use XP; so I'm using the mmc snapins to
set the ipsec policy and to monitor active SAs -- I assume they are
the only way to do so.)
 

Steven Umbach

Main mode is "phase one" and is not port protocol specific like quick mode which
is "phase two". If the computers don't authenticate with each other then ipsec
communications will fail. If you have a request policy, then communications will
still happen unsecured. However if you have a require policy then ipsec
communications will fail that are defined in the policy filter. Keep in mind
that only traffic defined in the rule will be encrypted [if using ESP ], while
any broadcast type traffic will not. The ipsec monitor mmc snapin will give you
statistics in the quick mode section that include data on encrypted
traffic. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp
 

william

Steven Umbach said:
Main mode is "phase one" and is not port protocol specific like quick mode which
is "phase two". If the computers don't authenticate with each other then ipsec
communications will fail. If you have a request policy, then communications will
still happen unsecured. However if you have a require policy then ipsec
communications will fail that are defined in the policy filter. Keep in mind
that only traffic defined in the rule will be encrypted [if using ESP ], while
any broadcast type traffic will not. The ipsec monitor mmc snapin will give you
statistics in the quick mode section that include data on encrypted
traffic. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

Thanks!

So, main mode is creating the "tunnel" between the computers, and quick mode
is establishing particular (UDP, TCP, etc) connections?

I suppose I should only have one rule that has the default response
checkbox checked, which means (I guess) that that rule is the one
to apply to any computer connections that are not covered by any
existing rules.
 

Steven Umbach

That's pretty much how I understand it. The quick mode can not be established
until the main mode has. If you look in ipsec monitor you will see security
associations established for both main and quick mode when ipsec is working. The
default response rule is the same as the client/respond rule which would allow
possible ipsec communications with other computers that are not trying to
communicate within the bounds of other rules configured in the policy. --- Steve

william said:
"Steven Umbach" <[email protected]> wrote in message
Main mode is "phase one" and is not port protocol specific like quick mode which
is "phase two". If the computers don't authenticate with each other then ipsec
communications will fail. If you have a request policy, then communications will
still happen unsecured. However if you have a require policy then ipsec
communications will fail that are defined in the policy filter. Keep in mind
that only traffic defined in the rule will be encrypted [if using ESP ], while
any broadcast type traffic will not. The ipsec monitor mmc snapin will give you
statistics in the quick mode section that include data on encrypted
traffic. --- Steve

http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp

Thanks!

So, main mode is creating the "tunnel" between the computers, and quick mode
is establishing particular (UDP, TCP, etc) connections?

I suppose I should only have one rule that has the default response
checkbox checked, which means (I guess) that that rule is the one
to apply to any computer connections that are not covered by any
existing rules.
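As an added example, not part of the thread and not something either poster wrote: the same setup the two posts describe (pre-shared key, "require" ESP between two XP peers, default response rule left off) built with `netsh ipsec static` from cmd.exe instead of the IP Security Policy MMC snap-in, plus the `netsh ipsec dynamic` commands that show the main mode and quick mode SAs without the IP Security Monitor snap-in. It assumes XP SP2 or later (the `netsh ipsec` context is not present on earlier XP); the policy, filter list and rule names, the peer address 192.168.0.20 and the key are placeholders.

```batch
rem Added example, not from the thread. Assumes XP SP2 or later.
rem Names, the peer address 192.168.0.20 and the key are placeholders.

rem 1. Policy. activatedefaultrule=no keeps the "default response" rule (the
rem    client/respond rule Steve describes) off, since the two peers are covered
rem    explicitly below. mmsecmethods is the main mode (phase one / IKE SA)
rem    proposal: 3DES, SHA1, Diffie-Hellman group 2.
netsh ipsec static add policy name="Wireless peers" ^
    description="PSK IPsec between two 802.11b hosts" ^
    activatedefaultrule=no mmsecmethods="3DES-SHA1-2"

rem 2. Filter list. Only traffic matching a filter is negotiated; broadcast and
rem    multicast traffic is never covered, which is the caveat in Steve's reply.
rem    mirrored=yes adds the return direction.
netsh ipsec static add filterlist name="Peer traffic"
netsh ipsec static add filter filterlist="Peer traffic" ^
    srcaddr=me dstaddr=192.168.0.20 protocol=ANY mirrored=yes

rem 3. Filter action. action=negotiate with inpass=no soft=no is the "require"
rem    behaviour: no clear-text fallback when the peer does not negotiate.
rem    soft=yes would give the "request" behaviour (fall back to unsecured
rem    traffic). qmsecmethods is the quick mode (phase two / IPsec SA)
rem    proposal: ESP with 3DES and SHA1.
netsh ipsec static add filteraction name="Require ESP" ^
    action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem 4. Rule tying filter list, action and authentication method together.
rem    psk= is the shared secret the original poster chose; kerberos=no drops
rem    the Kerberos default that only makes sense in a domain.
netsh ipsec static add rule name="Peer rule" policy="Wireless peers" ^
    filterlist="Peer traffic" filteraction="Require ESP" ^
    kerberos=no psk="REPLACE-WITH-A-LONG-RANDOM-SECRET"

rem 5. Assign the local policy (a policy assigned through Group Policy
rem    overrides a locally assigned one).
netsh ipsec static set policy name="Wireless peers" assign=yes

rem 6. Verify. Authentication (the PSK) is negotiated in main mode, so the
rem    authentication method is shown on the main mode SA; a quick mode SA
rem    can only exist once a main mode SA to that peer is up.
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all
```

Run the same commands on the second peer with `dstaddr=` pointing back at the first one and the identical `psk=`; the filter action decides what happens when negotiation fails, so a "require" action on one side and "request" on the other gives asymmetric results that are easy to misread in the monitor.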
 
