sniff ipsec tunnel - Network



Thread: sniff ipsec tunnel

  1. sniff ipsec tunnel

    Hello,
    I've set up an IPSEC tunnel between two 2003 Server hosts. The tunnel is
    wide open and working fine. I'd like to begin filtering ports inside the
    tunnel but I'm not sure which ports are legitimately being used. Both of
    these hosts are in the same AD domain and I know they use a wide variety of
    ports. I'm curious if there is a way to "sniff" the traffic inside the
    tunnel so that when I begin filtering I don't accidentally block a port
    that's being used.

    Thank you,
    Eric

  2. Re: sniff ipsec tunnel

    I don't know of a way to do exactly what you want but you can install port
    reporter on each computer to monitor port activity, enable more advanced
    logging of ipsec to record events that may help, use the mmc snapin for IP
    Security to see what security associations are being created and used, and
    try TDImon from SysInternals/Microsoft to see if it can show at least some
    port activity that may help. Sometimes one uses trial and error by locking
    down the policy until something breaks or starting off so nothing works and
    tweaking your policy filters until it does work. Also sniffing traffic
    before you implement the ipsec policy will give you an idea of what ports
    are being used if that is possible.

    Steve

    http://www.microsoft.com/downloads/d...displaylang=en
    http://technet2.microsoft.com/Window....mspx?mfr=true

    "referee" wrote in message
    news:954FFDC5-40C6-4F9E-9773-A291A2CB6967@microsoft.com...
    > Hello,
    > I've set up an IPSEC tunnel between two 2003 Server hosts. The tunnel is
    > wide open and working fine. I'd like to begin filtering ports inside the
    > tunnel but I'm not sure which ports are legitimately being used. Both of
    > these hosts are in the same AD domain and I know they use a wide variety
    > of
    > ports. I'm curious if there is a way to "sniff" the traffic inside the
    > tunnel so that when I begin filtering I don't accidentally block a port
    > that's being used.
    >
    > Thank you,
    > Eric
  3. Re: sniff ipsec tunnel

    Thanks Steven, I'll give your suggestions a try.
    -Eric

    "Steven L Umbach" wrote:

    > I don't know of a way to do exactly what you want but you can install port
    > reporter on each computer to monitor port activity, enable more advanced
    > logging of ipsec to record events that may help, use the mmc snapin for IP
    > Security to see what security associations are being created and used, and
    > try TDImon from SysInternals/Microsoft to see if it can show at least some
    > port activity that may help. Sometimes one uses trial and error by locking
    > down the policy until something breaks or starting off so nothing works and
    > tweaking your policy filters until it does work. Also sniffing traffic
    > before you implement the ipsec policy will give you an idea of what ports
    > are being used if that is possible.
    >
    > Steve
    >
    > http://www.microsoft.com/downloads/d...displaylang=en
    > http://technet2.microsoft.com/Window....mspx?mfr=true
    >
    > "referee" wrote in message
    > news:954FFDC5-40C6-4F9E-9773-A291A2CB6967@microsoft.com...
    > > Hello,
    > > I've set up an IPSEC tunnel between two 2003 Server hosts. The tunnel is
    > > wide open and working fine. I'd like to begin filtering ports inside the
    > > tunnel but I'm not sure which ports are legitimately being used. Both of
    > > these hosts are in the same AD domain and I know they use a wide variety
    > > of
    > > ports. I'm curious if there is a way to "sniff" the traffic inside the
    > > tunnel so that when I begin filtering I don't accidentally block a port
    > > that's being used.
    > >
    > > Thank you,
    > > Eric
