
[Question] Qns on Built-in IPSEC capability in Windows



Posted

Hi there. :hello:

I had set up a test lab comprising 2 XP workstations.

A router was placed in the middle, and the nodes are in different networks.

I had tweaked the Local Group Policy Security settings to enable IPSEC for

1. All ip traffic

2. Any source to any destination

IPSEC negotiation was successful.

I tried the following traffic:

1. ICMP Ping

2. FTP file transfer

I then ran Ethereal on a 3rd PC to sniff the traffic.

Observation from ethereal captures:

1. The payload is encrypted using ESP

2. Source and Dest ip addresses are in the CLEAR.

Questions: :huh:

1. If ESP mode is used, why are the source and dest IP addresses still in the CLEAR? ESP mode is supposed to encrypt the original IP header and replace it with a new header.

2. Are there any configuration options for windows built-in IPSEC? Eg. AH or ESP?

Title edited -- Please, use [TAGS] in your topic's title.

Please follow XP Forum Rules from now on.

--Sonic


Posted
2. Are there any configuration options for windows built-in IPSEC? Eg. AH or ESP?

.... didn't you just configure this using Local Group Policy...

anyways

ESP works in 2 different modes: tunnel and transport mode.

In transport mode, it leaves the original IP header and places the ESP header directly after it in the packet.

In tunnel mode, it actually takes the packet and places it directly inside of another packet. This way you actually end up with 2 IP addresses: 1 for the tunnel endpoint and 1 for the origination. So, most likely you have this configured in transport mode. These can be configured by adding IP Security rules within the policy to specify your IPSec endpoints.

There are built-in configurations for this inside of Windows:

You can configure ESP's encryption method with either DES or 3DES and verify its integrity with either SHA1 or MD5.

You can also configure AH integrity checking with SHA1 and MD5.
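The difference described in this reply (transport mode keeps the original IP header in the clear and puts ESP right behind it; tunnel mode wraps the whole original packet inside a new outer packet addressed to the tunnel endpoints) is easy to see when you build both packet layouts and then look at them the way a sniffer on a third PC would. The following is an added illustration, not code from the original thread or from Windows; it constructs the RFC 4303 ESP layout (SPI, sequence number, padded payload, pad length, next header, HMAC-SHA1-96 ICV) in Python. The keys, addresses and ICMP payload are constructed sample values, and the keystream cipher is a stand-in for the DES/3DES-CBC that Windows actually negotiates, so only the framing, not the cryptography, is representative.

```python
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50   # IP protocol number carried in the outer header for ESP
PROTO_ICMP = 1
PROTO_IPV4 = 4   # ESP "next header" value meaning "an IPv4 packet is inside" (tunnel mode)

# Constructed sample keys; real IPsec keys come out of the IKE negotiation.
ENC_KEY = b"constructed-encryption-key-32byte"
AUTH_KEY = b"constructed-auth-key"


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options; checksum left at zero for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4_header(data):
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "total_len": total_len}


def keystream(key, spi, seq, length):
    """Stand-in keystream (HMAC-SHA256 in counter mode); NOT the DES/3DES-CBC used by Windows ESP."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_encapsulate(spi, seq, plaintext, next_header):
    """ESP header + encrypted (payload | padding | pad len | next header) + 96-bit ICV."""
    pad_len = (-(len(plaintext) + 2)) % 4          # pad so pad-len/next-header end on a 4-byte boundary
    body = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ciphertext = bytes(a ^ b for a, b in zip(body, keystream(ENC_KEY, spi, seq, len(body))))
    header = struct.pack("!II", spi, seq)           # SPI and sequence number travel in the clear
    icv = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha1).digest()[:12]   # HMAC-SHA1-96
    return header + ciphertext + icv


def esp_decapsulate(esp):
    """Verify the ICV, decrypt, strip the trailer; returns (next_header, inner bytes)."""
    header, ciphertext, icv = esp[:8], esp[8:-12], esp[-12:]
    expected = hmac.new(AUTH_KEY, header + ciphertext, hashlib.sha1).digest()[:12]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", header)
    body = bytes(a ^ b for a, b in zip(ciphertext, keystream(ENC_KEY, spi, seq, len(ciphertext))))
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:-(pad_len + 2)]


def transport_mode(src, dst, upper_proto, upper_payload, spi=0x1000, seq=1):
    """Transport mode: the hosts' own IP header stays on the outside, ESP sits right behind it."""
    esp = esp_encapsulate(spi, seq, upper_payload, upper_proto)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(outer_src, outer_dst, inner_src, inner_dst, upper_proto, upper_payload, spi=0x2000, seq=1):
    """Tunnel mode: the entire original packet (header included) is encrypted inside a new outer packet."""
    inner = ipv4_header(inner_src, inner_dst, upper_proto, len(upper_payload)) + upper_payload
    esp = esp_encapsulate(spi, seq, inner, PROTO_IPV4)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def sniffer_view(packet):
    """What a capture on a third PC sees without the keys: outer addresses, protocol 50, SPI, sequence."""
    hdr = parse_ipv4_header(packet)
    spi, seq = struct.unpack("!II", packet[20:28])
    return {"src": hdr["src"], "dst": hdr["dst"], "proto": hdr["proto"], "spi": spi, "seq": seq}


def receiver_view(packet):
    """What the endpoint holding the keys recovers after decapsulation."""
    next_header, inner = esp_decapsulate(packet[20:])
    if next_header == PROTO_IPV4:
        return {"mode": "tunnel", "inner": parse_ipv4_header(inner)}
    return {"mode": "transport", "next_header": next_header, "payload_len": len(inner)}


# Constructed ICMP echo request (type 8, code 0, id 1, seq 1) with 8 bytes of data.
ICMP_ECHO = bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"abcdefgh"

if __name__ == "__main__":
    t = transport_mode("10.0.0.10", "10.0.1.20", PROTO_ICMP, ICMP_ECHO)
    u = tunnel_mode("192.0.2.1", "198.51.100.1", "10.0.0.10", "10.0.1.20", PROTO_ICMP, ICMP_ECHO)
    print("transport, on the wire:", sniffer_view(t))   # lab host addresses visible
    print("tunnel,    on the wire:", sniffer_view(u))   # only the tunnel endpoints visible
    print("tunnel,    at endpoint:", receiver_view(u))  # inner header recovered after decryption
```

In both modes the sniffer sees an IP header, protocol 50, the SPI and the sequence number; the difference is whose addresses that header carries. That is why the original poster's capture showed the two workstation addresses: a host-to-host policy between the workstations themselves is transport mode, and the inner payload (the ICMP echo or FTP data) is all that ESP hides. The ICV check in the receiver also shows why a modified ESP packet is dropped rather than decrypted.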

Posted

Thanks for the replies.

Pardon me if I'm wrong. The settings available for specifying tunnel endpoints do not enable tunnel mode.

I had tried to look for the [tunnel/transport] setting option in the IPSEC policies, but I could not find it.

There are only options for the kind of algo [AH, ESP, DES, SHA1 etc...] used for encryption and integrity.

If this is true, does this mean that the Windows built-in IPSEC capability can only facilitate transport mode?

What about setting up a VPN for RRAS?

Can a tunnel mode VPN be configured for RRAS?

Posted

Hello,

I am having this problem too. Where do I specify that I want to use tunnel mode?

As it is right now, I cannot get Windows to send out anything to the IP specified in the tunnel-endpoint.

Thanks in advance!

Regards,

Tony
