how to configure IPsec tunnel rule in windows vista - Network


Thread: how to configure IPsec tunnel rule in windows vista

  1. how to configure IPsec tunnel rule in windows vista

    In Windows Vista, I used the "create new rule" wizard in the connection
    security rules of Windows Firewall with Advanced Security to create a tunnel
    rule. If I don't configure any firewall rules and I trigger some outbound
    traffic, the traffic just goes through without the IPsec policy being
    applied. If I configure two filter rules, one in the inbound rules and the
    other in the outbound rules, and require security on both, the rules block
    the traffic when I trigger it and no IPsec negotiation can be triggered. Can
    someone help? How are the firewall rules and IPsec rules connected?
    Thanks a lot!

    Tinghua

  2. Re: how to configure IPsec tunnel rule in windows vista

    Are you really trying to create a _tunnel_ rule? That's actually not
    recommended if you simply want to secure traffic between two computers. It's
    long been a part of the vocabulary, but really there's no such thing as an
    "IPsec tunnel." Instead, there are two modes that IPsec policies can operate
    in: tunnel mode and transport mode. Tunnel mode is used pretty much only
    between gateway computers (like creating a VPN between two networks).
    Transport mode is used in all other cases.

    What you probably want to create is a server-to-server rule (yes, this isn't
    the best name; you can use this rule even if the two computers are client
    computers or if one is a client and the other is a server). In the wizard
    you'll indicate both ends of the connection (called a "security
    association," but the wizard doesn't use this term), where you want
    authentication to occur (probably require in both directions), what kind of
    authentication you want, which profiles the rule applies to, and finally the
    rule's name.

    Note also this bit from the help file:

    Connection security rules determine only how authentication
    takes place for allowed connections; they do not allow a connection.
    However, if you configure the connection security rule to require
    authentication, the rule will deny the connection if authentication
    fails. To allow a connection, you must create an inbound or
    outbound firewall rule.

    So be sure that you also create appropriate firewall rules on both sides. It
    looks like you did that, so go back and check your IPsec rules. Use
    server-to-server, not tunnel.

    --
    Steve Riley
    steve.riley@microsoft.com
    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com



  3. Re: how to configure IPsec tunnel rule in windows vista

    Thanks, Steve. I was trying to set up an end-to-end tunnel; the other device
    was capable of doing IPsec tunneling. Some hint on this would be helpful.
    Another question: is it possible to create an IPsec policy for some
    specific protocols (e.g. TCP only) using a connection security rule? It looks
    like the policy is for any-to-any protocols. Thanks a lot!

    Tinghua


  4. Re: how to configure IPsec tunnel rule in windows vista

    Alas, the term "IPsec tunnel" is so widely misused it's really hard to tell
    what the other device wants. What is the device? I suspect that it really
    wants a transport mode security association, even though they're using the
    word "tunnel."

    If you want to secure only specific traffic between two machines, you have
    to write a firewall rule to describe that traffic. For instance, say you have
    a server called AlicesBox and you want to use IPsec to secure all inbound
    traffic to port 23456/tcp. First, you would create an inbound port rule,
    indicate TCP, specific port 23456. Then select "Allow the connection if it
    is secure." Indicate whether or not you want the traffic encrypted. Then
    finish the wizard. After you do that, then you'd create the connection
    security rule.

    Note that, in this example, no other traffic will be permitted into
    AlicesBox. If you want to allow other traffic inbound without worrying about
    security, then you'd create another inbound rule, indicate TCP, and all
    local ports. Then select "Allow the connection." Rule processing in the
    firewall isn't by order, but by specificity. Inbound traffic to destination
    port 23456/tcp will trigger the first rule, all other traffic will trigger
    the second rule.

    --
    Steve Riley
    steve.riley@microsoft.com
    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com
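    Steve's AlicesBox procedure above, expressed as the netsh advfirewall commands Vista provides for the same wizard settings, plus the checks a practitioner would run afterwards. This is an added example, not code from the thread; the addresses 192.0.2.10 and 192.0.2.20, the rule names and the use of Kerberos computer authentication are assumptions.

```batch
@echo off
rem Added example, not code from the thread: Steve Riley's AlicesBox procedure
rem as netsh advfirewall commands (the tool Vista ships for this). Assumed
rem values: AlicesBox is 192.0.2.10, the peer is 192.0.2.20, both are domain
rem members (Kerberos computer authentication); rule names are made up here.

rem 1. Firewall rule for the traffic to protect: inbound TCP 23456 is allowed
rem    only when the connection is authenticated by IPsec. This is the wizard's
rem    "Allow the connection if it is secure"; security=authenticate requires
rem    authentication only, security=authenc also requires encryption.
netsh advfirewall firewall add rule name="AlicesBox 23456 IPsec only" dir=in action=allow protocol=TCP localport=23456 security=authenticate

rem 2. Connection security rule: require authentication in both directions
rem    between the two endpoints (the wizard's server-to-server rule, transport
rem    mode). It decides how traffic is authenticated, not whether it is allowed;
rem    rule 1 does that. For a device that cannot do Kerberos, such as the
rem    printer in the thread, a pre-shared key (auth1=computerpsk auth1psk=...)
rem    is the usual alternative; the thread does not say what the printer supports.
netsh advfirewall consec add rule name="AlicesBox peer" endpoint1=192.0.2.10 endpoint2=192.0.2.20 action=requireinrequireout auth1=computerkerb mode=transport

rem 3. Optional: let other inbound TCP in without IPsec, as in Steve's second rule.
rem    netsh advfirewall firewall add rule name="AlicesBox other TCP" dir=in action=allow protocol=TCP localport=any
rem    After adding a broad allow rule like this, re-test that an unauthenticated
rem    connection to 23456/tcp from a host the consec rule does not cover is still
rem    refused; if it gets through, the broad rule is matching it too and must be
rem    narrowed.

rem 4. Verification: confirm both rules are present and enabled, then open a
rem    connection to 23456/tcp from the peer and check that main-mode and
rem    quick-mode security associations were negotiated. A successful connection
rem    with no SA listed means the traffic was not protected by IPsec.
netsh advfirewall firewall show rule name="AlicesBox 23456 IPsec only" verbose
netsh advfirewall consec show rule name="AlicesBox peer" verbose
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Run the script in an elevated command prompt on AlicesBox; the peer needs a matching connection security rule of its own, since both sides must agree to authenticate.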


  5. Re: how to configure IPsec tunnel rule in windows vista

    Thanks, Steve. Your answer on my firewall rule and connection security rule
    is very helpful.
    Regarding the tunnel rule, I understand your point: the end-to-end tunnel
    really doesn't add much compared to transport mode when IPsec is between two
    systems. But this is one thing we need to test between the PC (Vista) and the
    printer (device) in addition to transport mode, and I still need to figure
    out how to do it in Vista. FYI, I was able to configure a tunnel in XP by
    configuring two rules, one for inbound and the other for outbound, and it
    worked.
    Thanks!

    Tinghua


  6. Re: how to configure IPsec tunnel rule in windows vista

    Glad to help out.

    Why do you need to test tunnel mode to a printer? If transport mode is
    working fine, that's what you should use. Tunnel mode between devices really
    isn't a supported scenario--we reserve that for gateway-to-gateway
    communications.


    --
    Steve Riley
    steve.riley@microsoft.com
    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com


  7. Re: how to configure IPsec tunnel rule in windows vista

    I see, an end-to-end tunnel is not a supported scenario. Thanks a lot for
    your help!

    Tinghua


  8. Re: how to configure IPsec tunnel rule in windows vista

    "End-to-end" is not used when talking about IPsec. Instead, the terminology
    is very precise. "Transport mode" describes a security association between
    two peers, established by the peers. You can perhaps think of this as
    "end-to-end."

    "Tunnel mode" is only for gateway-to-gateway, so "end-to-end" wouldn't make
    sense here. The individual computers talking to each other (on separate
    networks) don't know that their conversation is being encapsulated inside
    IPsec by the gateway/VPN servers.

    The important thing I'd like you to learn is that you should always say
    "transport mode" or "tunnel mode" if you want to be precise. I know this
    seems to go against everything you've heard and maybe even read. But one
    thing I've learned in years of teaching and writing -- only by being precise
    with our terms can we be sure that there's no misunderstanding.

    Glad to have been of assistance to you, and thanks for indulging me a little
    bit here.

    --
    Steve Riley
    steve.riley@microsoft.com
    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com


    "Tinghua" wrote in message
    news:BDFE91D0-FA28-483C-82F0-EA0AFAF2E789@microsoft.com...
    > I see, end to end tunnel is not a supported scenario. Thanks a lot for
    > your
    > help!
    >
    > Tinghua

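    The recipe Steve gives in this thread (an inbound firewall rule that describes
    the traffic and is set to allow the connection only if it is secure, plus a
    server-to-server connection security rule in transport mode, created on both
    computers) written out as netsh advfirewall commands, which is how the same
    rules are created from an elevated command prompt on Vista instead of the
    wizard. This is an added example, not code from the thread or from Microsoft.
    AlicesBox and port 23456 come from Steve's example; the addresses 192.0.2.10
    and 192.0.2.20, the rule names, the carve-out in the catch-all rule and the
    choice of Kerberos computer authentication are assumptions made here.

```batch
@echo off
rem Added example, not from the thread: protect inbound TCP/23456 to AlicesBox
rem with IPsec transport mode, following the two-step recipe in the thread.
rem Assumptions: AlicesBox is 192.0.2.10, the client is 192.0.2.20, and both
rem are members of the same domain (Kerberos computer authentication).
rem Run from an elevated command prompt.

set SERVER=192.0.2.10
set CLIENT=192.0.2.20
set PORT=23456

rem ---- Step 1, firewall rule (on AlicesBox): describe the traffic ----
rem action=allow with security=authenc is the wizard's "Allow the connection
rem if it is secure" with encryption required. security=authenticate requires
rem authentication and integrity only (no encryption). Either way, unprotected
rem traffic that matches this rule is dropped; the rule only lets traffic in
rem once a connection security rule has negotiated IPsec for it.
netsh advfirewall firewall add rule name="AlicesBox %PORT%/tcp (IPsec required)" dir=in action=allow protocol=TCP localport=%PORT% security=authenc

rem Optional second rule from the thread: plain "Allow the connection" for all
rem other inbound TCP. The protected port is carved out of the port list so
rem that no two allow rules ever match the same packet.
netsh advfirewall firewall add rule name="Other inbound TCP (no IPsec)" dir=in action=allow protocol=TCP localport=1-23455,23457-65535

rem ---- Step 2, connection security rule (on BOTH computers): how to auth ----
rem This is the wizard's "server-to-server" rule: two endpoints, transport
rem mode, authentication required in both directions. There is deliberately no
rem port or protocol here; the firewall rule above is what scopes the
rem requirement to 23456/tcp. Do not use mode=tunnel for two hosts.
rem Lab alternative for a device that is not domain-joined:
rem   auth1=computerpsk auth1psk="..."  (the key is stored readable in the
rem   policy, so use certificates, auth1=computercert, outside a lab.)
netsh advfirewall consec add rule name="AlicesBox to client (transport)" endpoint1=%SERVER% endpoint2=%CLIENT% mode=transport action=requireinrequireout auth1=computerkerb

rem ---- Check: rules are in place, then trigger traffic and look for SAs ----
netsh advfirewall firewall show rule name="AlicesBox %PORT%/tcp (IPsec required)" verbose
netsh advfirewall consec show rule name=all
rem After the client connects to %SERVER%:%PORT%, a main mode SA and a quick
rem mode SA between the two addresses should be listed. An empty list means no
rem negotiation started at all; re-check that the connection security rule is
rem server-to-server (transport), not tunnel, and that both sides have it.
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

rem Cleanup when the test is done:
rem   netsh advfirewall firewall delete rule name="AlicesBox %PORT%/tcp (IPsec required)"
rem   netsh advfirewall firewall delete rule name="Other inbound TCP (no IPsec)"
rem   netsh advfirewall consec delete rule name="AlicesBox to client (transport)"
```

    The same connection security rule is applied unchanged on the client, which
    is also how a Group Policy-deployed rule reaches both sides. The port
    carve-out in the catch-all rule is an editor's choice: it avoids depending on
    how the firewall resolves two overlapping allow rules, which is the one
    thing a practitioner should not have to reason about when the outcome is
    "the port is open without IPsec". On Windows 8 / Server 2012 and later the
    NetSecurity PowerShell module (New-NetFirewallRule, New-NetIPsecRule) creates
    the same two rules, but those cmdlets do not exist on Vista.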
  9. Re: how to configure IPsec tunnel rule in windows vista

    Hi Steve,

    I'd like to use a Vista IPSec connection security rule between a Vista
    client and an IPSec firewall for when the client is working remotely.
    The firewall supports tunnel mode connections from a single node but
    the Vista client appears to need a specific local tunnel end-point to
    be specified - the problem is that this may change as the client moves
    between different remote networks - home, mobile etc. Is there any
    way to get Vista to use the current local IP address as tunnel
    endpoint parameter - or a text string (username) as implemented by
    many firewalls?

    Thanks,
    Edmund



    On 1 Oct, 21:54, "Steve Riley [MSFT]"
    wrote:
    > Are you really trying to create a _tunnel_ rule? That's actually not
    > recommended if you simply want to secure traffic between two computers. It's
    > long been a part of the vocabulary, but really there's no such thing as an
    > "IPsec tunnel." Instead, there are two modes that IPsec policies can operate
    > in: tunnel mode and transport mode. Tunnel mode is used pretty much only
    > between gateway computers (like creating a VPN between two networks).
    > Transport mode is used in all other cases.
    >
    > What you probably want to create is a server-to-server rule (yes, this isn't
    > the best name; you can use this rule even if the two computers are client
    > computers or if one is a client and the other is a server). In the wizard
    > you'll indicate both ends of the connection (called a "security
    > association," but the wizard doesn't use this term), where you want
    > authentication to occur (probably require in both directions), what kind of
    > authentication you want, which profiles the rule applies to, and finally the
    > rule's name.
    >
    > Note also this bit from the help file:
    >
    > Connection security rules determine only how authentication
    > takes place for allowed connections; they do not allow a connection.
    > However, if you configure the connection security rule to require
    > authentication, the rule will deny the connection if authentication
    > fails. To allow a connection, you must create an inbound or
    > outbound firewall rule.
    >
    > So be sure that you also create appropriate firewall rules on both sides. It
    > looks like you did that, so go back and check your IPsec rules. Use
    > server-to-server, not tunnel.
    >
    > --
    > Steve Riley
    > steve.ri...@microsoft.com
    > http://blogs.technet.com/steriley
    > http://www.protectyourwindowsnetwork.com


  10. Re: how to configure IPsec tunnel rule in windows vista

    This isn't supported in Windows Vista. Please contact me via email, I'd like
    to discuss it with you more.

    --
    Steve Riley
    steve.riley@microsoft.com
    http://blogs.technet.com/steriley
    http://www.protectyourwindowsnetwork.com


    "olt" wrote in message
    news:1193915374.196675.195660@d55g2000hsg.googlegroups.com...
    > Hi Steve,
    >
    > I'd like to use a Vista IPSec connection security rule between a Vista
    > client and an IPSec firewall for when the client is working remotely.
    > The firewall supports tunnel mode connections from a single node but
    > the Vista client appears to need a specific local tunnel end-point to
    > be specified - the problem is that this may change as the client moves
    > between different remote networks - home, mobile etc. Is there any
    > way to get Vista to use the current local IP address as tunnel
    > endpoint parameter - or a text string (username) as implemented by
    > many firewalls?
    >
    > Thanks,
    > Edmund

