LAN IPsec WS2003 / XP Pro deployment

Anyone find an easy way to deploy PPTP or L2TP between a WS2003 server and an XP Pro client? Both are using DHCP.

So nothing remote, just LAN (server-to-client PPTP) with DHCP-assigned IPs (wireless) via an AP plugged into the Linksys router. Server and PC have only one NIC each.
 
You will need to use PPTP, since L2TP requires machine certificates, which would require you to make your server a Certificate Authority. You would have to enable Remote Access on the server and configure it, and then configure your XP computer to have a VPN network connection. But since you are using the LAN, I think it will be a lot easier to use IPsec in transport mode, configuring each computer to use the same preshared key for machine authentication. If you use an IPsec preshared key [policy/all IP traffic/edit/authentication methods/add/use this key], the communications will be secure; however, the preshared key will be stored in the registry in clear text, which should not be a concern if you use a firewall to the Internet and malicious users cannot physically access your computers. You could go to Local Security Policy on each computer and configure the wireless computer with the Require policy and the server with the Request policy. Using the Request policy on both computers should enable secure IPsec communications, but Require on the laptop would ensure it. Keep in mind that the laptop would not be able to access the Internet with a Require policy unless you put an exemption rule in for Internet traffic such as port 80 TCP, port 443 TCP, port 53 UDP, etc. You can use the IPsec Monitor MMC snap-in to make sure your traffic is being IPsec secured. --- Steve



 
Hi Steven,
Thanks for the extensive reply. I've been working on this for a few hours. I've loaded the local IPsec policy management snap-in on the server PC and assigned Request only, and have tried with the local IPsec policy management snap-in loaded on the client and unloaded, using just the updated NAT traversal fixed client.

The "800" errors go away, and the machines do try to communicate, but after 30 seconds or so a "cannot connect" error box comes up (explicit IP addresses are entered in the VPN config new connections). The systems lose their net connections or auto settings from the Linksys router providing DHCP to the server and client.

Running MMC and un-assigning the server Request policy allows reconnection of the server and PC to the net. I think I need to back up and assign the server and PC static IPs and take the Linksys DHCP behavior out of the equation.
 
From your first post I am assuming that these computers are on the same network and you are not doing this across a router/over the Internet. IPsec transport mode is totally separate from any VPN configuration and does not require a VPN connection. The default policies have my address as source address and any as destination address. I think they should work that way, but it would not hurt to use static addresses, especially on a Require policy. Make sure that the preshared keys are the same in the policies on both computers and that they are first in the list of authentication methods to try. I don't think you are using a domain controller, but just in case: IPsec cannot be used to secure traffic between a domain controller and a domain member. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;324269
http://www.microsoft.com/downloads/...ee-e618-4810-a036-de633f79872e&DisplayLang=en
http://tinyurl.com/2f3hb (same link as above, shorter). You may want to read chapter six.

 
Thanks again Steven,
Here are more details:

Active Directory on the WS2003 server PC is not enabled. They are on the same home LAN (this is more an experiment than trying to secure anything) using IPs from the Linksys 4-port switch/router. Both the server PC and the client XP PC are on wireless, as an .11b AP is plugged into the router, so the PCs *are* going through the router, whose WAN port goes to a cable modem to the net.

So the WS2003 server gets a DHCP address from the Linksys (router is 192.168.1.1), which gives out 192.168.1.103 to the WS2003 PC and 192.168.1.101 to the XP PC. Each PC has only one network (wireless) interface active.

I've tried PPTP instead of auto to minimize key exchange issues, and I've also used a preshared key. The Linksys firmware has IPsec and VPN passthrough enabled.

The IPsec connections between the PC and server are not communicating, and enabling the server's snap-in with server Request assigned disables its main network connection. The PC is not going through the server; they are both attaching to the Linksys through the AP, and either can be turned off and they will run fine for net access.

I'm not sure that an IPsec connection (without disabling the main TCP connection!) with single NICs on each PC on the same subnet with DHCP-assigned addresses from a Linksys router can work, at least with WS2003 Enterprise Ed. and XP Pro (SP1). If you know otherwise, or have plug-ins you could send, that would be great. I will keep working on this. Thanks
 
Hi John.

From the description of your network, there should be no reason to use a VPN [unless you just want to try it out, of course]. IPsec alone should be able to secure communications on the LAN. Since your computers are on the same network (192.168.1.xxx), they are not actually using the router to communicate with each other, but are simply going through the switch. They only use the router to connect to other networks such as the Internet.

IPsec configuration is totally separate from VPN. It may be confusing because IPsec ESP is also used for encryption in L2TP.

All you should need to do to use IPsec to secure LAN communications using normal transport mode is to configure the Local Security Policy/security settings/IPsec security policy on each computer; there is no need to try configuring a VPN connection. When IPsec policy is configured correctly it requires no action on the part of the user and transparently secures network traffic according to the rules in the policy. I would suggest you start by assigning the Request policy [right click policy/assign] on each computer, but edit the All IP Traffic rule's authentication methods and select add/use this string/preshared key, where you would enter your "password" for the IPsec rule, being sure to move it to the top of the list above Kerberos. The Request policy will allow IPsec-aware computers to secure communications with each other as defined in the policy rules, but still allow communications with non-IPsec-aware computers such as the Internet.

Of course you will want to verify that network traffic is indeed being secured between your two computers after configuring and assigning the IPsec policies. To do that, enter mmc in the Run box to bring up the MMC, then select File/Add & Remove Snap-in/Add, select IP Security Monitor, close the available snap-in window and hit OK. Then select your computer and, under Main Mode and Quick Mode, look at Security Associations to see if your IPsec configuration is correct in that an encrypted session has been set up. Look under the columns for ESP Confidentiality and ESP Integrity to see if something like 3DES and HMAC-MD5 are showing, which will indicate that your security association to the computer specified in the SA is encrypting data according to the rules in the IPsec policy. Hope some of this helps. --- Steve

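As an added example (not posted by anyone in this thread), the Request-style transport-mode policy Steve describes above, plus the port 80/443/53 exemption from his first reply, scripted with `netsh ipsec static` rather than clicked through the Local Security Policy GUI. It assumes Windows Server 2003 or XP SP2 (which ship the `netsh ipsec` context), and the policy names and key value are placeholders; run it on both machines with the same key.

```batch
@echo off
rem Added example, not from the thread. Builds a local IPsec transport-mode
rem policy equivalent to "Server (Request Security)" with a preshared key.
rem Placeholder names and key; the key is stored in the registry in clear text,
rem as noted in the thread, so treat the machine's local admins as trusted.
set PSK=REPLACE-WITH-A-LONG-RANDOM-PRESHARED-KEY

rem Filter list: my address <-> any address, all protocols, mirrored so the
rem same filter matches both directions (the GUI's "All IP Traffic" rule).
netsh ipsec static add filterlist name="LAN All IP Traffic"
netsh ipsec static add filter filterlist="LAN All IP Traffic" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem Request semantics: negotiate ESP, but accept unsecured inbound (inpass=yes)
rem and fall back to clear text (soft=yes) for non-IPsec hosts such as the
rem Internet. For a Require policy use inpass=no soft=no instead.
netsh ipsec static add filteraction name="Request ESP 3DES-SHA1" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem Exemption list (only matters with Require): permit web and DNS in the clear
rem so a Require policy does not cut the wireless machine off from the Internet.
netsh ipsec static add filterlist name="Internet Exemptions"
netsh ipsec static add filter filterlist="Internet Exemptions" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=80 mirrored=yes
netsh ipsec static add filter filterlist="Internet Exemptions" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=443 mirrored=yes
netsh ipsec static add filter filterlist="Internet Exemptions" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=53 mirrored=yes
netsh ipsec static add filteraction name="Permit Clear" action=permit

rem Policy: main mode 3DES/SHA1 with DH group 2 ("medium"), matching what the
rem original poster ended up with. The rule uses the PSK only (kerberos=no),
rem since there is no domain; this is the "move PSK above Kerberos" step.
netsh ipsec static add policy name="LAN IPsec PSK" mmsecmethods="3DES-SHA1-2"
netsh ipsec static add rule name="Secure LAN" policy="LAN IPsec PSK" filterlist="LAN All IP Traffic" filteraction="Request ESP 3DES-SHA1" kerberos=no psk="%PSK%"
netsh ipsec static add rule name="Exempt Internet" policy="LAN IPsec PSK" filterlist="Internet Exemptions" filteraction="Permit Clear"

rem Assign it (only one local policy can be assigned at a time).
netsh ipsec static set policy name="LAN IPsec PSK" assign=yes

rem Verify, as the IP Security Monitor snap-in does: after some traffic to the
rem peer, the main-mode and quick-mode SA lists should show it with ESP 3DES/SHA1.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```

If the quick-mode list stays empty while pings succeed, the policy fell back to clear text (soft=yes), which usually means the PSKs or main-mode settings differ between the two machines.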
 
Steven,
Thanks so much. I have it working!! Some of the steps were slightly different, but it is probably due to some overzealous downloading here and there. Anyway, the monitor shows the authenticated and confidential traffic; only the server shows "statistics", but I am able to add the server and the PC to the server's IP Security Monitor and view them. I'm using preshared key, 3DES, SHA1, DH medium.

My next step is I'd like to do VPNs, at least PPTP tunnels between the server and PC, without losing simultaneous unencrypted open connectivity through the Linksys router to the net. Is this possible in any way?

Thanks again!
 
That's good to hear, and yes, you can set up VPN connections on the LAN if you want to. Just configure your RRAS server in Remote Access Management, being sure to have ports available for L2TP and PPTP, of which there should be five each by default, I believe. You may also want to configure a static IP address pool [computer/properties/IP] of at least a dozen IP addresses in a range that does not conflict with the addresses that your router hands out. When you configure your VPN connectoid on the XP machine, set the LAN IP address of the W2003 server as the IP address in host name/IP address destination. Since you are on the LAN and not going through the NAT router, you can try PPTP or L2TP. Unless you make your W2003 server a Certificate Authority and issue machine certificates [using the Web Enrollment IPsec offline template to obtain the XP machine certificate] to both computers and set the W2003 CA as a trusted root authority on the XP computer, you will have to again use matching preshared keys for an L2TP VPN connection. You can do that on the W2003 server in Remote Access/servername/properties/security/use custom IPsec and on the XP VPN connectoid in properties/security/IPsec settings. Have fun. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323441

 
