
Configuring Windows 2000/XP IPsec for Site-to-Site VPN

November 2002

Copyright © 2002 SofaWare Technologies Inc, All Rights Reserved. Reproduction, adaptation, or translation with prior written permission is prohibited except as allowed under copyright laws.


Introduction


This document explains how to configure Microsoft Windows 2000, Windows 2000 Server, and Windows XP IPsec for Site-to-Site VPN solutions.

Figure 1 shows a sample implementation of this solution, in which a Safe@Office appliance is connected to a Windows machine in a Site-to-Site VPN.

Figure 1: Safe@Office to Windows 2000/XP IPsec (Site-to-Site VPN)

Scenarios

This document provides solutions for the following four scenarios:

Windows Gateway to Safe@Office in Unrestricted Mode

Traffic is encrypted between the gateways’ subnets (Network A to Network B).

Windows Gateway to Safe@Office in Restricted Mode

Traffic is encrypted between the network behind the Windows gateway and the Safe@Office WAN IP address (Network A to Safe@Office external IP).

Windows Host to Safe@Office in Unrestricted Mode

Traffic is encrypted between the Windows host and the Safe@Office internal network (Windows machine to Network B).

Windows Host to Safe@Office in Restricted Mode

Traffic is encrypted between the Windows host and the Safe@Office WAN IP address (Windows machine to Safe@Office external IP).


Note: For all the scenarios above, the configuration of the Windows machine is identical, except for the Filter Properties configuration. For further information, see pages 11 and 16.

Important: Both the Safe@ gateway and Windows machine must be configured with a static IP address. DHCP mode in the Windows machine may not work properly.

Contacting Technical Support

To contact technical support, send an email to: [email protected]

Configuring Windows 2000/XP

Note: The screens shown below appear in both Windows 2000 and XP.

Note: The IP addresses in Figure 1, page 1, appear in the screens below as an example.

Important: Additional security software installed on the Windows machine (for example, Check Point SecuRemote) may prevent the tunnel from working properly.

To configure Windows 2000/XP for Site-to-Site VPN

1. Create an IP security policy by doing the following:

a. Open the Windows Control Panel.

b. In the Administrative Tools menu, click Local Security Policy.

The Local Security Settings window opens.


c. Double-click on IP Security Policies On Local Machine.

The IP security policies on the local machine are displayed in the right-hand pane.


d. In the Action menu, click Create IP Security Policy.

The IP Security Policy Wizard opens with the Welcome to the IP Security Policy wizard dialog box displayed.

e. Click Next.

The IP Security Policy Name dialog box appears.


f. In the Name field, enter the policy’s name. In the example above, the policy’s name is “New_Policy”.

g. Click Next.

The Requests for Secure Communication dialog box appears.

h. Clear the Activate the default response rule check box.

i. Click Next.

The Completing the IP Security Policy Wizard dialog box appears.


j. Clear the Edit properties check box.

k. Click Finish.

The new policy appears in the Local Security Settings window.

2. Double-click on the new policy.

The Properties dialog box appears, with the Rules tab displayed.


3. Clear the Use Add Wizard check box.

4. Click Add….

The New Rule Properties dialog box appears, with the IP Filter List tab displayed.


5. Create an A to B IP filter for the security policy, by doing the following:

a. Click Add….

The IP Filter List dialog box appears.


b. In the Name field, type “A to B”.

c. Clear the Use Add Wizard check box.

d. Click Add….

The Filter Properties dialog box appears, with the Addressing tab displayed.


e. Select one of the following filters (the guide shows a Filter Properties screenshot for each scenario): Windows Gateway to Safe@Office, Unrestricted Mode; Windows Host to Safe@Office, Unrestricted Mode; Windows Host to Safe@Office, Restricted Mode; Windows Gateway to Safe@Office, Restricted Mode.


f. Clear the Mirrored check box.

g. Click on the Description tab.

The Description tab is displayed.

h. If desired, in the Description area, type a description of the filter.

i. Click OK.

The New Rule Properties dialog box reappears, with the IP Filter List displayed. The new filter appears in the IP Filter Lists area.


6. Create a B to A IP filter for the security policy, by doing the following:

a. Click Add….

The IP Filter List dialog box appears.


b. In the Name field, type “B to A”.

c. Clear the Use Add Wizard check box.

d. Click Add….

The Filter Properties dialog box appears, with the Addressing tab displayed.


e. Select one of the following filters (the guide shows a Filter Properties screenshot for each scenario): Windows Gateway to Safe@Office, Unrestricted Mode; Windows Host to Safe@Office, Unrestricted Mode; Windows Host to Safe@Office, Restricted Mode; Windows Gateway to Safe@Office, Restricted Mode.


f. Clear the Mirrored check box.

g. Click on the Description tab.

The Description tab is displayed.

h. If desired, in the Description area, type a description of the filter.

i. Click OK.

The New Rule Properties dialog box reappears, with the IP Filter List displayed. The new filter appears in the IP Filter Lists area.

7. In the IP Filter Lists area, click A to B.


8. Set the filter action for the A to B IP filter, by doing the following:

a. Click the Filter Action tab.

The Filter Action tab is displayed.


b. Clear the Use Add Wizard check box.

c. Click Add….

The New Filter Action Properties dialog box appears, with the Security Methods tab displayed.


Do the following:

1) Click Negotiate Security.

2) Clear the Accept unsecured communications, but always respond using IPsec check box.

3) Clear the Allow unsecured communications with non IPsec-aware computer check box.

4) Click Add….

The New Security Method dialog box appears, with the Security Method tab displayed.


d. Click Custom.

e. Click Settings….

The Custom Security Method Settings dialog box appears.


Do the following:

1) Clear the Data and address integrity without encryption (AH) check box.

2) Select the Data integrity and encryption (ESP) check box.

3) From the Integrity Algorithm drop-down list, select SHA1.

4) From the Encryption Algorithm drop-down list, select 3DES.

5) In the Session Key Settings area, clear all check boxes.

6) Click OK.

The New Filter Action Properties dialog box reappears, with the Security Methods tab displayed. The new security method is listed in the Security Method preference order area.


f. Click the General tab.

The General tab is displayed.


g. In the Name field, type Encrypt.

h. Click OK.

The New Rule Properties dialog box reappears, with the Filter Action tab displayed. The Encrypt action is listed in the Filter Actions area.


i. In the Filter Actions area, click Encrypt.


j. Click the Authentication Methods tab.

The Authentication Methods tab is displayed.


k. Click Add….

The New Authentication Method Properties dialog box appears, with the Authentication Method tab displayed.


Do the following:

1) Click Use this string to protect the key exchange (preshared key).

2) In the text box, type the preshared key.

Note: Use this preshared key as the Preshared Secret password, when you create the tunnel from the Safe@ gateway to the Windows machine.

3) Click OK.

The New Rule Properties dialog box reappears, with the Authentication Methods tab displayed. The new authentication method (“Preshared Key”) is listed in the Authentication Method preference order area.


l. Select Kerberos.

m. Click Remove.

A confirmation message appears.

n. Click Yes.

The Kerberos method is deleted from the Authentication Method preference order area.


o. Click on the Tunnel Settings tab.

The Tunnel Settings tab is displayed.


p. Click The tunnel endpoint is specified by this IP Address.

q. In the text box, type the Safe@ gateway’s IP address.

r. Click on the Connection Type tab.

The Connection Type tab is displayed.


s. Click All network connections.

t. Click Close.


9. Set the filter action for the B to A IP filter, by doing the following:

a. Click Add….

The New Rule Properties dialog box appears, with the IP Filter List tab displayed.


b. In the IP Filter Lists area, click B to A.


c. Click the Filter Action tab.

The Filter Action tab is displayed.


d. In the Filter Actions area, click Encrypt.


e. Click the Authentication Methods tab.

The Authentication Methods tab is displayed.


f. Click Add….

The New Authentication Method Properties dialog box appears, with the Authentication Method tab displayed.


Do the following:

1) Click Use this string to protect the key exchange (preshared key).

2) In the text box, type the preshared key.

Note: Use this preshared key as the Preshared Secret password, when you create the tunnel from the Safe@ gateway to the Windows machine.

3) Click OK.

The New Rule Properties dialog box reappears, with the Authentication Methods tab displayed. The new authentication method (“Preshared Key”) is listed in the Authentication Method preference order area.


g. Select Kerberos.

h. Click Remove.

A confirmation message appears.

i. Click Yes.

The Kerberos method is deleted from the Authentication Method preference order area.


j. Click on the Tunnel Settings tab.

The Tunnel Settings tab is displayed.


k. Click The tunnel endpoint is specified by this IP Address.

l. In the text box, type the Windows machine’s IP address.

m. Click on the Connection Type tab.

The Connection Type tab is displayed.


n. Click All network connections.

o. Click Close.

The Properties dialog box reappears, with the Rules tab displayed. The B to A filter and its action are listed in the IP Security Rules area.


10. Click Close.

The Local Security Settings window reappears.


11. Right-click on the new IP security policy.


12. From the pop-up menu, select Assign.

The new security policy is assigned to the network adapter.
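The procedure above builds two explicit one-way filters ("A to B" and "B to A", Mirrored cleared), one Encrypt action (ESP with SHA1/3DES, no AH, no unsecured fallback), preshared-key authentication only, and a tunnel endpoint on each side. The following added example (not part of the SofaWare guide) derives the filter addressing for each of the four scenarios listed in the Scenarios section and lints a rule set against those settings before it is applied. All addresses and the label names are constructed for the example.

```python
# Added example, not from the SofaWare guide: derive the two one-way IPsec
# filters the procedure creates for each scenario and check a rule set
# against the settings the guide prescribes.
from ipaddress import ip_network

# Protected endpoints per scenario, as described in the Scenarios section.
# Key: (Windows role, Safe@Office mode); value: (A side, B side) labels.
SCENARIOS = {
    ("gateway", "unrestricted"): ("network_a", "network_b"),
    ("gateway", "restricted"): ("network_a", "safe_office_wan"),
    ("host", "unrestricted"): ("windows_ip", "network_b"),
    ("host", "restricted"): ("windows_ip", "safe_office_wan"),
}

# Settings of the "Encrypt" filter action from the procedure.
REQUIRED_ACTION = {"negotiate": True, "accept_unsecured": False,
                   "allow_unsecured": False, "ah": False, "esp": True,
                   "integrity": "SHA1", "encryption": "3DES"}


def build_filters(role, mode, addrs):
    """Return the two non-mirrored filters with their tunnel endpoints.
    addrs maps the labels above to addresses (bare IPs become /32)."""
    a_side, b_side = SCENARIOS[(role, mode)]
    a, b = ip_network(addrs[a_side]), ip_network(addrs[b_side])
    return {
        # A to B tunnels to the Safe@ gateway (step 8p-q).
        "A to B": {"src": a, "dst": b, "mirrored": False,
                   "tunnel": ip_network(addrs["safe_office_wan"])},
        # B to A tunnels to the Windows machine (step 9k-l).
        "B to A": {"src": b, "dst": a, "mirrored": False,
                   "tunnel": ip_network(addrs["windows_ip"])},
    }


def lint_rule(filters, action, auth_methods, addrs):
    """Return a list of deviations from the guide's configuration."""
    problems = []
    ab, ba = filters["A to B"], filters["B to A"]
    if ab["mirrored"] or ba["mirrored"]:
        problems.append("Mirrored must be cleared; the reverse filter is explicit")
    if (ba["src"], ba["dst"]) != (ab["dst"], ab["src"]):
        problems.append("B to A must be the exact reverse of A to B")
    if (ab["tunnel"] != ip_network(addrs["safe_office_wan"])
            or ba["tunnel"] != ip_network(addrs["windows_ip"])):
        problems.append("tunnel endpoints: A to B -> Safe@ gateway, B to A -> Windows")
    for key, want in REQUIRED_ACTION.items():
        if action.get(key) != want:
            problems.append(f"filter action {key} should be {want!r}")
    if auth_methods != ["preshared_key"]:
        problems.append("authentication must be preshared key only (remove Kerberos)")
    return problems
```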

Configuring the Safe@Office Appliance

You must create the VPN profile in Safe@Office. For instructions, see the SofaWare S-box Getting Started Guide, “Adding and Editing VPN Sites using SofaWare Safe@Office”, page 102.

Note: While creating the VPN profile, you must select Specify Configuration in the VPN Network Configuration dialog box. Topology download is not supported.

Note: In Restricted mode, in order to forward encrypted traffic to hosts behind the Safe@ gateway, you must define Virtual Server and/or Allow rules. You must select the VPN Only check box for those rules.