Questions about IPSEC - Network


  1. Questions about IPSEC

    I've been reading a few links provided by Bill in my last post (thanks for
    those) about understanding IPSEC.

    I have a better idea about what it does etc., but I have a few scenarios that
    I would like to ask about.

    1. In the step-by-step manual titled "Setting up IPsec server and domain
    isolations in a test lab", top of page 11, it asks me to enter a subnet mask of
    255.255.255.0. When I enter this into the box under IP address or Subnet (in
    Windows Server 2008 GPO) I get an error that the value must be less than 240
    (I think). How can I overcome this error when my subnet is 255.255.255.0, and
    why is it doing this?

    2. I have 2 PCs and 1 server for my tests:
    Server IP: 192.168.1.2
    Client PC 1: 192.168.1.3 - member of domain
    Client PC 2 - NOT CONNECTED TO DOMAIN: 192.168.1.4

    All using the subnet 255.255.255.0. So far it's configured to have the Server and
    Client PC 1 talking but not Client PC 2. Is it possible for me to give
    access so Client PC 2 only has access to ONE folder on the server or Client
    PC 1? If yes, how? And if no, when I make an exemptions group, do I have to
    assign it an IP address to allow this PC?

    3. I've seen that I can use a certificate to encrypt this data. How could I
    create or obtain a test certificate to use internally only between clients
    and servers, and how would I know this certificate is doing what it's supposed
    to?

    4. Finally... I've watched a few webcasts and read a few articles. I'm under
    the impression that data in transit can be viewed. Does Microsoft have any
    tools with which I could see the data being sent without IPsec in place and then
    again with IPsec in place? This is for learning purposes and to be used only
    in our own domain/network.

    Thanks in advance, and sorry for the lengthy questions.

  2. Re: Questions about IPSEC

    Question 1: Subnet notation
    When entering the destination subnet for a legacy IKE policy, the UI
    wants CIDR notation. So instead of using the subnet mask of
    255.255.255.0, you'll need to enter 192.168.1.0/24.

    Question 2: Limit access to a single folder
    With IPsec and the IKEv1 implementation that shipped starting with Win2000,
    you can only control authentication for computer accounts. There is no
    support for user authentication. You can combine IPsec machine
    authentication with folder permissions to control access.

    Question 2: Exemption groups
    The use of policies and exemption groups depends on your chosen design. For
    instance, if you deploy an active IPsec policy that protects all traffic on
    the 192.168.1.0/24 subnet, but have one machine on that subnet that you do
    not want to block or apply IPsec to, you could author a simple policy such
    as:
    Any to 192.168.1.0/24, use Certificate Authentication, Require IPsec
    inbound, Request IPsec outbound
    Me to 192.168.1.5, Permit
    Me to Any, ICMP, Permit

    The above would require the use of IPsec for all traffic on the subnet,
    except for ICMP and any traffic to/from the machine with the 192.168.1.5
    address.


    Question 3: Test certificates
    I don't know of an easy way to obtain a test certificate other than to set
    up a simple standalone Certificate server on Windows and generate a basic
    X.509 digital cert for the clients...
    http://technet2.microsoft.com/window....mspx?mfr=true


    Question 4: Viewing data in transit
    Whether or not you can view the payloads of IPsec-protected packets depends
    on where you are capturing the traffic from and what protocols you chose to
    use in your deployment. IPsec supports the use of either AH, ESP-Null,
    ESP+Encryption or AH+ESP. You choose the protocols that your deployment
    uses in the Security Methods for the Filter Actions you define. If you are
    using AH or ESP-Null (ESP with integrity algorithms only) and have a capture
    utility like MS Network Monitor 3.1 and are capturing from the host
    sending/receiving the traffic, you will be able to see the data payloads.
    The same goes for the ESP-Null traffic. If the protocol you have chosen is
    ESP+Encryption, the data will not be viewable.
    http://www.microsoft.com/downloads/d...DisplayLang=en

    Thanks,
    Jason
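A small Python model of the three-rule policy from the reply, added here as an example (it is not code from the thread or from Windows): `mask_to_cidr` produces the 192.168.1.0/24 form asked about in Question 1, and `decide` picks the rule that applies to a given packet. The rule ranking is an assumption that reproduces the outcome Jason describes (the host and ICMP exemptions override the broad subnet rule); it is not the Windows IPsec policy agent's actual filter-weighting algorithm.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def mask_to_cidr(network: str, dotted_mask: str) -> str:
    """Question 1: turn '192.168.1.0' + '255.255.255.0' into '192.168.1.0/24'."""
    return str(ipaddress.IPv4Network((network, dotted_mask), strict=False))


@dataclass
class Rule:
    """One filter: destination ('any' or CIDR), optional protocol, action."""
    dst: str
    proto: Optional[str]   # None matches any protocol
    action: str

    def matches(self, dst_ip: str, proto: str) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        return self.dst == "any" or ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)

    def specificity(self) -> tuple:
        # Model assumption: a rule narrowed to one host or one protocol (the
        # exemptions) outranks the broad subnet rule; prefix length breaks ties.
        host = self.dst != "any" and ipaddress.ip_network(self.dst).prefixlen == 32
        prefix = -1 if self.dst == "any" else ipaddress.ip_network(self.dst).prefixlen
        return (int(self.proto is not None) + int(host), prefix)


# The reply's three rules; the "Me"/"Any" source side is omitted because every
# rule here is evaluated from the policy host's own point of view.
POLICY = [
    Rule(mask_to_cidr("192.168.1.0", "255.255.255.0"), None,
         "Certificate auth, Require IPsec inbound, Request IPsec outbound"),
    Rule("192.168.1.5/32", None, "Permit"),   # the exempted machine
    Rule("any", "icmp", "Permit"),            # ICMP exemption
]


def decide(dst_ip: str, proto: str = "tcp") -> str:
    """Return the action of the most specific rule matching this traffic."""
    hits = [r for r in POLICY if r.matches(dst_ip, proto)]
    if not hits:
        return "no filter matched"
    return max(hits, key=Rule.specificity).action


if __name__ == "__main__":
    for ip, proto in [("192.168.1.3", "tcp"), ("192.168.1.5", "tcp"),
                      ("192.168.1.3", "icmp"), ("10.0.0.9", "tcp")]:
        print(f"{proto.upper():4} -> {ip:12} : {decide(ip, proto)}")
```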