Encrypting traffic with IPSec - Network

Thread: Encrypting traffic with IPSec

  1. Encrypting traffic with IPSec

    I'm running Windows 2000 Server and would like to encrypt the network
    traffic of mapped drives from the clients to the server. The server and the
    clients are not in a domain, and I'm not running Certificate Services. How
    do I encrypt the traffic? Thank you.



  2. Re: Encrypting traffic with IPSec

    Since you are not in a domain nor can currently use certificates then your
    only option is to use a preshared key for computer authentication and use
    the same preshared key on all your client computers and the server. You
    would want to configure a request or require ipsec policy [depending on if
    you want to make sure all traffic is ipsec or only when possible] on the
    server for at least TCP ports 139 and 445 as the destination ports with the
    source ports being any and where the destination IP would be the server's IP
    [My Ip] and the source IP would be any. Under authentication methods you
    would want to add only the preshared key you intend to use. Keep in mind
    that the preshared key is stored in the registry in clear text. It would not
    be that hard to make your server a CA to issue some certificates to use for
    ipsec but even then I would suggest that you use preshared key to at least
    make sure that the ipsec policy is working correctly. The command line tool
    ipsecmon can help you determine if the ipsec policy is working as expected
    or not. The links below may be helpful. --- Steve

    http://www.microsoft.com/technet/sec.../ipsecapa.mspx
    http://www.securityfocus.com/infocus/1559 --- a primer on creating a
    custom ipsec policy but in your case you want to use negotiate security
    method to ensure traffic is encrypted via ESP.

    "Michael W White" wrote in message
    news:evKfBwPeGHA.3572@TK2MSFTNGP03.phx.gbl...
    > I'm running Windows 2000 Server and would like to encrypt the network
    > traffic of mapped drives from the clients to the server. The server and
    > the clients are not in a domain, and I'm not running Certificate Services.
    > How do I encrypt the traffic? Thank you.
    >




  3. Re: Encrypting traffic with IPSec

    We changed the server. The new server is running Windows Server 2003. I set
    up IPSec for encrypting traffic using a preshared key. I'm unable to access
    the server via Remote Desktop Connection nor its mapped drives. When I
    disable the IPSec filter for encryption, I can access the server again. Do I
    have to make adjustments to the Windows firewall? Thank you.

    "Steven L Umbach" wrote in message
    news:%23P2mZGSeGHA.3572@TK2MSFTNGP03.phx.gbl...
    > Since you are not in a domain nor can currently use certificates then your
    > only option is to use a preshared key for computer authentication and use
    > the same preshared key on all your client computers and the server. You
    > would want to configure a request or require ipsec policy [depending on if
    > you want to make sure all traffic is ipsec or only when possible] on the
    > server for at least TCP ports 139 and 445 as the destination ports with
    > the source ports being any and where the destination IP would be the
    > server's IP [My Ip] and the source IP would be any. Under authentication
    > methods you would want to add only the preshared key you intend to use.
    > Keep in mind that the preshared key is stored in the registry in clear
    > text. It would not be that hard to make your server a CA to issue some
    > certificates to use for ipsec but even then I would suggest that you use
    > preshared key to at least make sure that the ipsec policy is working
    > correctly. The command line tool ipsecmon can help you determine if the
    > ipsec policy is working as expected or not. The links below may be
    > helpful. --- Steve
    >
    > http://www.microsoft.com/technet/sec.../ipsecapa.mspx
    > http://www.securityfocus.com/infocus/1559 --- a primer on creating a
    > custom ipsec policy but in your case you want to use negotiate security
    > method to ensure traffic is encrypted via ESP.
    >




  4. Re: Encrypting traffic with IPSec

    If it does not put the server at risk, temporarily disable its Windows
    Firewall to see if ipsec does work and if it does you know the problem is
    probably the ipsec exemption needs to be enabled in local Group Policy. If
    the Windows Firewall has logging enabled for dropped traffic that could also
    show if ipsec traffic is being dropped from the client computer. If it still
    does not work then there is a problem with the ipsec policy between the two
    computers. Make sure that preshared key is the only authentication method
    available and remove Kerberos or certificate if present. The link below
    shows how to enable the ipsec exemption. I have not tried it myself and the
    example assumes the computers are in a domain so I am not sure it will work
    in a non domain environment and would try using the SID for the
    authenticated users group as in O:DAG:DAD:(A;;RCGW;;;S-1-5-11). The second
    link shows how to troubleshoot ipsec and usually a good place to start is
    with the security log on the computers involved and using the mmc snapin for
    IP Security Monitor. --- Steve

    http://technet2.microsoft.com/Window....mspx?mfr=true
    http://www.microsoft.com/technet/sec.../ipsecch7.mspx



    "Michael W White" wrote in message
    news:OaPswSLjGHA.3848@TK2MSFTNGP04.phx.gbl...
    > We changed the server. The new server is running Windows Server 2003. I
    > set up IPSec for encrypting traffic using a preshared key. I'm unable to
    > access the server via Remote Desktop Connection nor its mapped drives.
    > When I disable the IPSec filter for encryption, I can access the server
    > again. Do I have to make adjustments to the Windows firewall? Thank you.
    >



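The server-side policy described in reply 2 (inbound TCP 139 and 445 to the server's own address, preshared key as the only authentication method, negotiated ESP), written out as a `netsh ipsec static` script for the Windows Server 2003 machine mentioned in reply 3. This is an added example, not something posted in the thread; the policy, filter list, filter action and rule names, the key value and the 3DES/SHA1 ESP pair are placeholders and assumptions. Each client needs a matching policy with the same key.

```batch
@echo off
rem Added example, not from the thread. All names below are placeholders.
set POLICY=SMB-Encrypt
set FLIST=SMB-Inbound
set FACTION=Require-ESP
rem Placeholder key: replace before use. As reply 2 notes, the preshared
rem key is stored in the registry in clear text.
set PSK=REPLACE-WITH-PRESHARED-KEY

rem Create the policy without the default response rule, so the only
rem authentication method in play is the preshared key on the rule below.
netsh ipsec static add policy name="%POLICY%" activatedefaultrule=no

rem Filter list: any source address and port, destination = this server
rem ("me" is the netsh equivalent of "My IP"), TCP 139 and 445.
rem mirrored=yes also matches the return traffic.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=yes
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes

rem Filter action: negotiate security with ESP only.
rem inpass=no soft=no is the "require" behaviour; inpass=yes soft=yes
rem gives the "request" behaviour (falls back to clear text).
netsh ipsec static add filteraction name="%FACTION%" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

rem Rule tying the pieces together, authenticated by preshared key only.
netsh ipsec static add rule name="SMB-PSK" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" psk="%PSK%"

rem Assign the policy, then review what was stored.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%" level=verbose

rem After a client maps a drive, main-mode and quick-mode security
rem associations should be listed here if negotiation succeeded.
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all
```

If the security associations stay empty while the policy is assigned, check the Windows Firewall dropped-packet log and the IPsec exemption discussed in reply 4 before changing the policy itself.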
