Re: Questions about IPSEC
Question 1: Subnet notation
When entering the destination subnet for a legacy IKE policy, the UI
wants CIDR notation. So instead of using the subnet mask of
255.255.255.0, you'll need to enter 192.168.1.0/24.
Question 2: Limit Access to a single folder
With IPsec and the IKEv1 implementation that shipped starting with Win2000,
you can only control authentication for computer accounts. There is no
support for user authentication. You can combine IPsec machine
authentication with folder permissions to control access.
Question 2 (continued): Exemption Groups
The use of policies and exemption groups depends on your chosen design. For
instance, if you deploy an active IPsec policy that protects all traffic on
the 192.168.1.0/24 subnet, but have one machine on that subnet that you do
not want to block or apply IPsec to, you could author a simple policy such as:
Any to 192.168.1.0/24, use Certificate Authentication, Require IPsec
inbound, Request IPsec outbound
Me to 192.168.1.5, Permit
Me to Any, ICMP, Permit
- The above would require the use of IPsec for all traffic on the subnet,
except for ICMP and any traffic to/from the machine with the address 192.168.1.5.
Question 3: Test Certificates
I don't know of an easy way to obtain a test certificate other than to set
up a simple stand-alone certificate server on Windows and generate a basic
X.509 digital cert for the clients...
Question 4: Viewing data in transit
Whether or not you can view the payloads of IPsec-protected packets depends
on where you are capturing the traffic from and what protocols you chose to
use in your deployment. IPsec supports the use of either AH, ESP-Null,
ESP+Encryption, or AH+ESP. You choose the protocols that your deployment
uses in the Security Methods for the Filter Actions you define. If you are
using AH or ESP-Null (ESP with integrity algorithms only) and have a capture
utility like MS Network Monitor 3.1 and are capturing from the host
sending/receiving the traffic, you will be able to see the data payloads.
The same goes for the ESP-Null traffic. If the protocol you have chosen is
ESP+Encryption, the data will not be viewable.
"Tarantino" <Tarantino@discussions.microsoft.com> wrote in message
> I've been reading a few links provided by Bill in my last post (thanks for
> those) about understanding IPsec.
> I have a better idea about what it does etc. but I have a few scenarios
> I would like to ask about.
> 1. In the step-by-step manual titled "Setting up IPsec server and domain
> isolation in a test lab", top of page 11 it asks me to enter a subnet mask
> 255.255.255.0. When I enter this into the box under IP address or Subnet
> Windows Server 2008 GPO) I get an error that the value must be less than
> (I think) - how can I overcome this error when my subnet is 255.255.255.0
> why is it doing this?
> 2. I have 2 PCs and 1 server for my tests:
> Server IP: 192.168.1.2
> Client PC 1: 192.168.1.3 - member of domain
> Client PC 2 - NOT CONNECTED TO DOMAIN: 192.168.1.4
> all using the subnet 255.255.255.0. So far it's configured to have Server
> Client PC 1 talking but not Client PC 2 - Is it possible for me to give
> access so Client PC 2 only has access to ONE folder on the server or
> PC 1? If yes, how, and if no, when I make an exemptions group do I have to
> assign it an IP address to allow this PC?
> 3. I've seen that I can use a certificate to encrypt this data - How could
> create or obtain a test certificate to use internally only between clients
> and servers and how would I know this certificate is doing what it's
> 4. Finally...... I've watched a few webcasts and read a few articles. I'm
> the impression that data in transit can be viewed. Does Microsoft have any
> tools that I could see the data being sent without IPsec in place and then
> again with IPsec in place? This is for learning purposes and to be used
> in our own domain/network.
> Thanks in advance and sorry for the lengthy questions.
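Added example, not part of the original thread or Microsoft's own tooling: a small Python model of the three-filter exemption policy from the answer to Question 2, together with the subnet-mask-to-CIDR conversion from Question 1. The assumptions are mine: the local host is the server 192.168.1.2 (so "Me" resolves to it), filters are mirrored as the IP Security Policy snap-in creates them by default, and the Windows "most specific filter wins" ordering is approximated by summing the prefix lengths of the two address sides and adding one point when a protocol is named. The real Windows weighting also considers ports, so treat this as a reasoning aid for designing filter lists, not a reimplementation of the IPsec driver.

```python
"""Model of a legacy Windows IPsec filter list (added example, not from the
original thread). Assumptions, all mine: local host is 192.168.1.2, filters
are mirrored, and specificity = prefix-length sum + 1 for a named protocol."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LOCAL_IP = "192.168.1.2"  # the server from the question; "Me" resolves to this


def mask_to_prefixlen(mask: str) -> int:
    """Dotted mask -> prefix length the 2008 UI wants: 255.255.255.0 -> 24.
    Raises ValueError for a non-contiguous mask such as 255.0.255.0."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def is_valid_mask(mask: str) -> bool:
    try:
        mask_to_prefixlen(mask)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Filter:
    src: str          # "Me", "Any", a host (192.168.1.5) or a CIDR block
    dst: str
    proto: str        # "ANY" or a protocol name such as "ICMP"
    action: str       # "PERMIT", "BLOCK" or "NEGOTIATE" (require in, request out)
    mirrored: bool = True


def _net(spec: str, local_ip: str) -> Optional[ipaddress.IPv4Network]:
    """Resolve a filter address spec; None means "Any"."""
    if spec == "Any":
        return None
    if spec == "Me":
        spec = local_ip
    return ipaddress.IPv4Network(spec, strict=False)   # bare host -> /32


def _covers(spec: str, addr: str, local_ip: str) -> bool:
    net = _net(spec, local_ip)
    return net is None or ipaddress.IPv4Address(addr) in net


def _one_way(f: Filter, src: str, dst: str, proto: str, local_ip: str) -> bool:
    return ((f.proto == "ANY" or f.proto == proto)
            and _covers(f.src, src, local_ip)
            and _covers(f.dst, dst, local_ip))


def matches(f: Filter, src: str, dst: str, proto: str,
            local_ip: str = LOCAL_IP) -> bool:
    """A mirrored filter also matches the reply direction (dst -> src)."""
    return (_one_way(f, src, dst, proto, local_ip)
            or (f.mirrored and _one_way(f, dst, src, proto, local_ip)))


def specificity(f: Filter, local_ip: str = LOCAL_IP) -> int:
    """Assumed scoring: longer prefixes and a named protocol are more specific."""
    score = 0
    for spec in (f.src, f.dst):
        net = _net(spec, local_ip)
        score += 0 if net is None else net.prefixlen
    return score + (1 if f.proto != "ANY" else 0)


def classify(policy: List[Filter], src: str, dst: str, proto: str,
             local_ip: str = LOCAL_IP) -> str:
    """Action of the most specific matching filter, or "NO FILTER" when the
    policy does not touch this traffic at all."""
    hits = [f for f in policy if matches(f, src, dst, proto, local_ip)]
    if not hits:
        return "NO FILTER"
    return max(hits, key=lambda f: specificity(f, local_ip)).action


# The three filters from the answer above (constructed policy).
POLICY = [
    Filter("Any", "192.168.1.0/24", "ANY", "NEGOTIATE"),  # require in, request out
    Filter("Me", "192.168.1.5", "ANY", "PERMIT"),          # exempt one host
    Filter("Me", "Any", "ICMP", "PERMIT"),                 # exempt ping/traceroute
]

if __name__ == "__main__":
    print(mask_to_prefixlen("255.255.255.0"))                 # 24
    print(classify(POLICY, LOCAL_IP, "192.168.1.3", "TCP"))  # NEGOTIATE
    print(classify(POLICY, "192.168.1.5", LOCAL_IP, "TCP"))  # PERMIT (mirror)
    print(classify(POLICY, "10.0.0.9", LOCAL_IP, "ICMP"))    # PERMIT
    # Mirroring means "Any <-> subnet" also covers the subnet's traffic to
    # off-subnet hosts, so this is negotiated too, not left untouched:
    print(classify(POLICY, LOCAL_IP, "10.0.0.9", "TCP"))     # NEGOTIATE
```

The last case is the one worth checking before deploying such a policy: because the broad filter is mirrored, it covers every packet where either endpoint is on 192.168.1.0/24, so with "Request IPsec outbound" the server will attempt IKE with off-subnet hosts before falling back to clear text. If that is not intended, a narrower source ("192.168.1.0/24 to 192.168.1.0/24") keeps the policy on-subnet only.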