IPsec works sometimes - then doesn't ?? - Network


  1. IPsec works sometimes - then doesn't ??

    I configured the local security policies on a Windows 2003 Server and an XP
    workstation to use IPSec when the XP machine connects to a file share on the
    server. (Not on a domain, not using certs)

    Now, I'm trying to verify that the connection is actually encrypted, and to
    do this I'm mainly capturing packets.

    But what I'm having a problem with is that sometimes the connection is
    encrypted and sometimes it isn't. Huh? It's really strange that sometimes I
    can restart the workstation and it'll work and then I can restart again and
    it won't. Or I can make a change like enabling an IP filter and it will work
    for a little while then quit working and then I can disable the same filter
    and it will work and then again quit working.

    Does anyone else have these types of problems or have an idea what might be
    causing this?

    Here are some specifics on the current setup:
    Client:
    -Has an IP filter that has an any, any to the IP address of the server
    -Requests Security/Negotiate
    -All connections
    -No tunnel
    -Using PSK

    Server:
    -IP filter for any connecting to port 445
    -Requests Security
    -No tunnel
    -Also using PSK
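    The check Jeremy says he is doing by capturing packets, as an added Python
    example (not code from the thread): it classifies raw IPv4 packets as ESP,
    AH, IKE or cleartext and reports whether any SMB (TCP/445) between the
    client and the server went in the clear, which is the symptom of a failed
    negotiation under "request security". The sample captures are constructed
    by hand, the addresses 192.0.2.10 (server) and 192.0.2.20 (client) are
    assumptions, and the pcap reader assumes a classic libpcap file with an
    Ethernet link type.

```python
"""Check a capture for cleartext SMB (TCP/445) between a client and a server.

Added example, not code from the thread. Packets are raw IPv4 (no Ethernet
header) and the sample captures below are constructed by hand; the addresses
192.0.2.10 (server) and 192.0.2.20 (client) are assumptions.
"""
import struct

SERVER = "192.0.2.10"   # assumed file-server address
CLIENT = "192.0.2.20"   # assumed XP workstation address
PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IPV4_HDR = "!BBHHHBBH4s4s"


def _addr(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options; checksum left at 0) followed by payload."""
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       _addr(src), _addr(dst)) + payload


def build_tcp(sport: int, dport: int, flags: int = 0x02) -> bytes:
    """Minimal 20-byte TCP header; flags defaults to SYN (0x02)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(pkt: bytes):
    """Return (src, dst, kind); kind is ESP, AH, IKE, CLEAR-SMB, CLEAR-TCP,
    CLEAR-UDP or OTHER.  Ports inside ESP are invisible, which is the point."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    body = pkt[(ver_ihl & 0x0F) * 4:]
    s, d = ".".join(map(str, src)), ".".join(map(str, dst))
    if proto == PROTO_ESP:
        return s, d, "ESP"
    if proto == PROTO_AH:
        return s, d, "AH"          # integrity only, no confidentiality
    if proto in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", body[:4])
        if proto == PROTO_UDP and {sport, dport} & {500, 4500}:
            return s, d, "IKE"     # ISAKMP / NAT-T
        if proto == PROTO_TCP and 445 in (sport, dport):
            return s, d, "CLEAR-SMB"
        return s, d, "CLEAR-TCP" if proto == PROTO_TCP else "CLEAR-UDP"
    return s, d, "OTHER"


def smb_leaks(pkts):
    """Cleartext SMB packets between CLIENT and SERVER (empty list == none seen)."""
    return [(s, d) for s, d, k in map(classify, pkts)
            if k == "CLEAR-SMB" and {s, d} == {CLIENT, SERVER}]


def verdict(pkts) -> str:
    """PROTECTED: ESP seen and no cleartext SMB.  FALLBACK-TO-CLEAR: IKE was
    attempted but SMB still went in the clear (the 'request security' symptom).
    CLEAR: cleartext SMB with no IKE at all (policy not assigned or filter never
    matched).  NO-ESP: nothing to judge (no SMB seen, or AH only)."""
    kinds = {k for _, _, k in map(classify, pkts)}
    leaks = smb_leaks(pkts)
    if leaks:
        return "FALLBACK-TO-CLEAR" if "IKE" in kinds else "CLEAR"
    return "PROTECTED" if "ESP" in kinds else "NO-ESP"


def read_pcap(path: str):
    """Yield raw IPv4 packets from a classic libpcap file (Ethernet link type 1)."""
    with open(path, "rb") as f:
        gh = f.read(24)
        endian = "<" if gh[:4] == b"\xd4\xc3\xb2\xa1" else ">"
        linktype = struct.unpack(endian + "I", gh[20:24])[0]
        while True:
            rh = f.read(16)
            if len(rh) < 16:
                break
            _, _, caplen, _ = struct.unpack(endian + "IIII", rh)
            frame = f.read(caplen)
            if linktype == 1 and frame[12:14] == b"\x08\x00":   # EtherType IPv4
                yield frame[14:]


# Constructed sample captures (not real traffic).
_ike = b"\x00" * 28                                  # placeholder ISAKMP header
GOOD_CAPTURE = [
    build_ipv4(CLIENT, SERVER, PROTO_UDP, build_udp(500, 500, _ike)),   # IKE main mode
    build_ipv4(SERVER, CLIENT, PROTO_UDP, build_udp(500, 500, _ike)),
    build_ipv4(CLIENT, SERVER, PROTO_ESP, b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 40),
    build_ipv4(SERVER, CLIENT, PROTO_ESP, b"\x00\x00\x20\x02" + b"\x00\x00\x00\x01" + b"\xbb" * 40),
]
BAD_CAPTURE = [
    build_ipv4(CLIENT, SERVER, PROTO_UDP, build_udp(500, 500, _ike)),   # IKE starts...
    build_ipv4(CLIENT, SERVER, PROTO_TCP, build_tcp(1045, 445)),        # ...SYN to 445 in the clear
    build_ipv4(SERVER, CLIENT, PROTO_TCP, build_tcp(445, 1045, 0x12)),  # SYN/ACK in the clear
]

if __name__ == "__main__":
    for name, cap in (("good", GOOD_CAPTURE), ("bad", BAD_CAPTURE)):
        print(name, verdict(cap), [classify(p)[2] for p in cap])
```

    Run it against a real file with `verdict(list(read_pcap("smb.pcap")))`. Two
    caveats: ESP in a capture shows that a Quick Mode SA came up, not by itself
    that the traffic is encrypted (ESP with null encryption exists), so confirm
    the negotiated ESP algorithm on the Windows side as well, for example with
    `netsh ipsec dynamic show qmsas` on Windows Server 2003; and AH alone gives
    integrity, not confidentiality, which is why it is reported separately.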

  2. Re: IPsec works sometimes - then doesn't ??

    Are the rules mirrored?
    Is there a scenario where the server might connect back to the client and
    not be required to use IPsec for that connection?

    --
    David
    Microsoft Windows Networking
    This posting is provided "AS IS" with no warranties, and confers no rights.


  3. Re: IPsec works sometimes - then doesn't ??

    David,

    Thanks for the response. The rules are the same. The client can be set to
    require or request and there is no difference. It just never seems to work
    correctly unless I unassign and assign the IP Security Policy. The server is
    not requiring because we have some clients that need to connect that don't
    support IPSec.


  4. Re: IPsec works sometimes - then doesn't ??

    Jeremy, it would appear you have a filter mismatch. The client is proposing
    to secure all traffic with the server IP, where your server policy allows it
    only to secure 445. The IKEv1 protocol doesn't have a way for the server to
    tell the client it can only secure port 445. So the client-initiated
    negotiation will fail in Quick Mode, correct?

    Secondly, "request" mode means only if you can, and it's OK to send in the
    clear. If you have the negotiation discovery patch installed, then the
    plaintext TCP SYN will be sent only 500ms after the initial IKEv1 MM SA
    message.

    If you change the client policy to:

    Me to Server IP, TCP, src *, dst 445, mirrored
    Negotiate: No inbound passthrough, no fallback to clear
    Auth: PSK
    No tunnel

    It should work with a server policy that says:

    From Any IP, to My IP, TCP src *, dst 445, mirrored
    Negotiate: No inbound passthrough, no fallback to clear
    Auth: PSK
    No tunnel

    Where: "inbound passthrough" is the filter action checkbox "Accept unsecured
    but always respond with IPsec" and "fallback to clear" is "Accept unsecured
    traffic with non-IPsec aware computers".


  5. Re: IPsec works sometimes - then doesn't ??

    Bill,

    Thanks. It seems to be working now. You were exactly right: the client was
    asking to secure all traffic and the server only traffic on 445. I changed
    the client side like you have listed below and it has yet to fail in Quick
    Mode.

    Thanks again,

    Jeremy
