Page 1: Windows XP and Vista IPSec VPN Policy

8/6/2019 Windows XP and Vista IPSec VPN Policy

http://slidepdf.com/reader/full/windows-xp-and-vista-ipsec-vpn-policy 1/15

Windows XP / Vista IPSec VPN policy

Johan Engdahl 2007 page 1

Windows XP / Vista IPSec VPN policy configuration

Index

Preface ..................................................................................................................................................... 2

Building an IPSec policy ........................................................................................................................... 3

Creating Filter Lists .................................................................................................................................. 5

Defining Filter Action and negotiation security ...................................................................................... 7

Defining Authentication Methods ........................................................................................................... 9

Defining Tunnel Settings and Connection Type .................................................................................... 11

A short word about the other side of the tunnel .................................................................................. 13

Testing the VPN and looking at the log ................................................................................................. 14

Conclusion ............................................................................................................................................. 15


Preface

This document shows how to establish an IPSec VPN between a Windows XP computer exposed to the Internet and a Checkpoint Firewall-1 / VPN-1 NG AI R55, using the Security Policy snap-in for MMC and the encryption and hash algorithms built into the XP IP stack.

The environment consists of two network segments:

Network A (AD_2003 Server)
IP: 192.168.1.0
Mask: 255.255.255.0
Router: 192.168.1.254

Network B (XP_IPSec_LABB Workstation)
IP: 172.16.32.9
Mask: 255.255.255.252
Router: 172.16.32.10


Building an IPSec policy

We'll be using the built-in Security Policy snap-in to set up the preferences for the VPN and configure settings such as terminating IP addresses, bi-directional traffic, allowed protocols and ports, pre-shared keys and so on, as explained further down the road.

Start secpol.msc from the START/RUN facility. Right-click IP Security Policies on Local Computer and choose Create IP Security Policy.

Select a suitable name for the policy and click Next…


Here you'll deselect Activate the default response rule and click Next…

Now it's time to define the IP filter lists (we'll be creating two of them; they'll be exactly the same except for the terminating IP addresses) by choosing Add to get the New Rule Properties window.


Creating Filter Lists

From within this window click Add…

In this example the first filter list will be called XP_to_Checkpoint_FW (the opposite one will be called Checkpoint_FW_to_XP). Click Add to enter Filter Properties.

Make sure to enter the correct IP information for the source and destination addresses respectively.


Use the default settings or change them according to your needs. We'll be using ANY here.

Click OK until the New Rule Properties window is shown again and create a new Filter List for the opposite direction.

Remember to get the IP information correct.


Defining Filter Action and negotiation security

The next step is to define the Filter Action and negotiation security.

Choose Require Security and click Edit.


Be sure to enable Session key perfect forward secrecy (PFS), so that a compromise of the main mode key material does not expose the session keys negotiated from it. Here you may also change the preset security methods or define your own.

Click OK twice and go to the Authentication Methods tab.


Defining Authentication Methods

Naturally, the authentication method is preset to Kerberos, but we'll be using a pre-shared key.

Highlight Kerberos, click Edit, select Use this string (preshared key) and enter an appropriate string to use (remember that this string must match between the terminating endpoints).


Click OK and notice the method being changed.


Defining Tunnel Settings and Connection Type

The last two remaining things to define are the terminating tunnel endpoint this Filter Rule will use, which should be the IP address of the remote gateway, and how the Filter Rule should apply (the connection type).


When this is done, yet another Filter Rule must be created for the opposite side. Remember to use exactly the same settings except for the IP address of the terminating tunnel endpoint, which in this case will be the Windows XP client.

Now make sure to click OK all the way back to the Local Security Settings window. Right-click the new policy and choose Assign to enable the new policy.
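The whole secpol.msc procedure above, from creating the policy through assigning it, as an added scripted equivalent using the netsh ipsec static context (this is not from the original document). It assumes that context is available (Windows Vista and Server 2003 have it; Windows XP uses ipseccmd.exe from the Support Tools instead), and the gateway address, AD server address, pre-shared key and quick mode lifetimes are placeholders or constructed values because the document does not give them.

```batch
@echo off
rem Added example, not the article's own configuration. Replace the
rem placeholder values below before running; addresses 172.16.32.9 and
rem 192.168.1.0/24 are the ones the article uses for its lab.
set "GW_IP=REPLACE_WITH_CHECKPOINT_EXTERNAL_IP"
set "AD_IP=REPLACE_WITH_2003_AD_SERVER_IP"
set "PSK=REPLACE_WITH_PRESHARED_KEY"
set "XP_IP=172.16.32.9"

rem Policy with the default response rule disabled (the article deselects it).
netsh ipsec static add policy name="XP_IPSec_LABB" activatedefaultrule=no assign=no

rem Two filter lists, identical except for the addresses (mirrored=no,
rem because the article builds each direction as its own list).
netsh ipsec static add filterlist name="XP_to_Checkpoint_FW"
netsh ipsec static add filter filterlist="XP_to_Checkpoint_FW" srcaddr=%XP_IP% dstaddr=192.168.1.0 dstmask=255.255.255.0 protocol=ANY mirrored=no
netsh ipsec static add filterlist name="Checkpoint_FW_to_XP"
netsh ipsec static add filter filterlist="Checkpoint_FW_to_XP" srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=%XP_IP% protocol=ANY mirrored=no

rem Filter action = Require Security: negotiate, never fall back to clear
rem (soft=no), accept no unsecured inbound (inpass=no), session-key PFS on.
rem ESP 3DES/SHA1 with constructed lifetimes stands in for the preset method.
netsh ipsec static add filteraction name="Require_Security_PFS" action=negotiate inpass=no soft=no qmpfs=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem One rule per direction: PSK authentication, tunnel endpoint = the far
rem end of that direction (the gateway outbound, the XP client inbound).
netsh ipsec static add rule name="XP_to_Checkpoint" policy="XP_IPSec_LABB" filterlist="XP_to_Checkpoint_FW" filteraction="Require_Security_PFS" tunnel=%GW_IP% conntype=all psk="%PSK%"
netsh ipsec static add rule name="Checkpoint_to_XP" policy="XP_IPSec_LABB" filterlist="Checkpoint_FW_to_XP" filteraction="Require_Security_PFS" tunnel=%XP_IP% conntype=all psk="%PSK%"

rem Assign the policy, trigger negotiation with a ping, then list the
rem quick mode SAs to confirm the tunnel actually came up.
netsh ipsec static set policy name="XP_IPSec_LABB" assign=y
ping -n 2 %AD_IP%
netsh ipsec dynamic show qmsas all
```

If the ping succeeds but no quick mode SA is listed, the traffic matched no filter and went in the clear, which is the case the two explicit filter lists are meant to prevent.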


A short word about the other side of the tunnel

As this document will not cover basic VPN setup, I'll only show the settings I used to get this show on the road.


Testing the VPN and looking at the log

Pinging from the Windows XP machine to the 2003 AD server on the other side brings the IP Security Policy up and starts the negotiation with the remote gateway.

The log viewer (SmartView Tracker) shows us what's happening.


Conclusion

All I can say is that I'm extremely pleased with the functionality. Although the screenshots above are taken from Windows XP, I can assure you that this works just as well with Windows Vista.

The IP stack in Windows XP, and the improved IP stack in Windows Vista, make it smooth to have several policies on the workstation, where the different vendor VPN clients used to interfere with each other or make it completely impossible to combine certain clients at all.