Joined: 09 Oct 2002
Location: Lausanne, Switzerland
Posted: Fri Mar 10, 06 12:21 Post subject: How do I use the IPSec client of Windows 2000/XP?
Configuring the Windows 2000/XP IPSec client to connect to a secured network requires a detailed configuration. Fortunately there is an open-source tool at http://vpn.ebootis.de/ that makes it extremely simple to build the IPSec policy. Simply follow the instructions at the site, except use a preshared key instead of a PKI certificate (a PKI should also work, but it has not been tested yet).
NAT-Traversal is supported by default in XP SP2 only. Windows 2000, XP, and XP SP1 need the NAT-Traversal patch from Microsoft's site: http://support.microsoft.com/default.aspx?scid=kb;en-us;818043. You need this functionality to be able to make a connection through a NAT firewall.
- Install Windows 2000 Service Pack 2. It is mandatory to install this service pack, or at least a Windows 2000 high encryption package, to support the 3DES encryption which is needed by the MultiCom (no service pack is needed on Windows XP). This will also support NAT-Traversal if needed.
- Install the IPSec support from the Windows CD-ROM:
* For XP - the ipseccmd program. You have to install the Windows XP Support Tools. They reside on your Windows XP CD in the directory \SUPPORT\TOOLS. Just start setup.exe in this directory. You have to select a Complete installation to get ipseccmd.
* For Win2k - the ipsecpol.exe tool, version 1.22. This tool is included in the Windows 2000 Resource Kit. You can also find it here: http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
- Make a directory which will contain all of the files, for example C:\VPN
- Copy the ipsecpol.exe tool (Windows 2000) or the ipseccmd.exe tool (Windows XP) into this directory
- Unpack the VPN tool "IPSEC.exe" (available from http://vpn.ebootis.de/ ) into this directory
- Update "ipsec.conf" to reflect your configuration. You find the syntax here, or use the sample below.
- Make an entry for your client on your MultiCom server (see screenshots)
- After you have established your Internet connection, start the "ipsec.exe" tool in the IPSec directory. The tool looks up your IP configuration and sets up the IPSec tunnel based on your configuration. That's it!
- To delete the policies you may call "ipsec.exe -delete". In the same way "ipsec.exe -off" disables the policy.
The ipsec.conf file that I used in both cases on the XP machine. You will need to change it to match the parameters of your own network.
Below is an example of a connection being made:
IPSec Version 2.2.0 (c) 2001-2003 Marcus Mueller
Getting running Config ...
Microsoft's Windows XP identified
Setting up IPSec ...
Deactivating old policy...
Removing old policy...
MyTunnel : 10.0.0.5
MyNet : 10.0.0.5/255.255.255.255
PartnerNet : 220.127.116.11/255.0.0.0
CA (ID) : Preshared Key ******************
PFS : n
Auto : start
Auth.Mode : MD5
Rekeying : 3600S/50000K
Pinging 18.104.22.168 with 32 bytes of data:
Negotiating IP Security.
Request timed out.
Request timed out.
Request timed out.
NOTE: the pings might not get through because the XP SP2 firewall may be blocking them. You can however reach the other subnet using other services such as HTTP (or of course deactivate the XP SP2 firewall).
If you have syslog activated on the MultiCom you will see the IPSec connection being built (or an error message if there was a problem in the configuration). Below is an example of this connection being made.
pluto: packet from 22.214.171.124:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
pluto: packet from 126.96.36.199:500: ignoring Vendor ID payload [FRAGMENTATION]
pluto: packet from 188.8.131.52:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
pluto: packet from 184.108.40.206:500: ignoring Vendor ID payload [26244d38eddb61b3...]
pluto: "Roadwarriors" 220.127.116.11 #56: responding to Main Mode from unknown peer 18.104.22.168
pluto: "Roadwarriors" 22.214.171.124 #56: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto: "Roadwarriors" 126.96.36.199 #56: Main mode peer ID is ID_FQDN: '@aran'
pluto: "Roadwarriors" 188.8.131.52 #56: deleting connection "Roadwarriors" instance with peer 184.108.40.206
pluto: | NAT-T: new mapping 220.127.116.11:500/4500)
pluto: "Roadwarriors" 18.104.22.168:4500 #56: sent MR3, ISAKMP SA established
pluto: "Roadwarriors" 22.214.171.124:4500 #57: responding to Quick Mode
pluto: "Roadwarriors" 126.96.36.199:4500 #57: IPsec SA established
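To check from the firewall side which road warriors actually completed both IKE phases, here is an added example (not from the original post and not part of the MultiCom or ebootis software) that folds pluto syslog lines like the ones above into one state per client. The sample lines are constructed with documentation addresses; the parser only assumes the message wording shown in the excerpt.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed sample lines (not from the original post); the message shapes follow the
# MultiCom/pluto syslog excerpt above, with RFC 5737 documentation addresses.
SAMPLE_LOG = """\
pluto: "Roadwarriors" 198.51.100.7 #56: responding to Main Mode from unknown peer 198.51.100.7
pluto: "Roadwarriors" 198.51.100.7 #56: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
pluto: "Roadwarriors" 198.51.100.7 #56: Main mode peer ID is ID_FQDN: '@aran'
pluto: "Roadwarriors" 198.51.100.7:4500 #56: sent MR3, ISAKMP SA established
pluto: "Roadwarriors" 198.51.100.7:4500 #57: responding to Quick Mode
pluto: "Roadwarriors" 198.51.100.7:4500 #57: IPsec SA established
pluto: "Roadwarriors" 203.0.113.9 #58: responding to Main Mode from unknown peer 203.0.113.9
pluto: "Roadwarriors" 203.0.113.9 #58: Main mode peer ID is ID_FQDN: '@laptop2'
"""
# Per-connection lines: connection name, peer IP, optional port, SA number, message.
LINE_RE = re.compile(r'pluto: "(?P<conn>[^"]+)" (?P<peer>[\d.]+)(?::(?P<port>\d+))? #(?P<sa>\d+): (?P<msg>.*)')

@dataclass
class PeerState:
    peer_id: str = "?"
    natted: bool = False              # pluto detected the client behind NAT
    udp_encap: bool = False           # traffic moved to UDP 4500 (NAT-T)
    isakmp_sa: Optional[int] = None   # phase 1 (Main Mode) SA number
    ipsec_sa: Optional[int] = None    # phase 2 (Quick Mode) SA number

    def status(self) -> str:
        if self.ipsec_sa is not None:
            return "tunnel up"
        if self.isakmp_sa is not None:
            return "phase 1 only: Quick Mode never completed (check subnets/proposal)"
        return "phase 1 incomplete (check preshared key and IKE proposal)"

def parse_pluto(text: str) -> Dict[str, PeerState]:
    peers: Dict[str, PeerState] = {}
    for line in text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue  # "packet from ..." Vendor ID lines carry no SA number
        st = peers.setdefault(m["peer"], PeerState())
        msg, sa = m["msg"], int(m["sa"])
        st.udp_encap = st.udp_encap or m["port"] == "4500"
        if "peer is NATed" in msg:
            st.natted = True
        elif "Main mode peer ID is" in msg:
            st.peer_id = msg.split(": ", 1)[1].strip("'")
        elif "ISAKMP SA established" in msg:
            st.isakmp_sa = sa
        elif "IPsec SA established" in msg:
            st.ipsec_sa = sa
    return peers
```

A peer that shows Main Mode activity but never reaches "ISAKMP SA established" is the typical signature of a mismatched preshared key, which pluto's own lines do not say explicitly.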
Additional information can be found here:
Microsoft's Basic IPSec Troubleshooting page: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q257225 and
Screenshots of the MultiCom Configuration are available below.
- IPSec Global Panel: Create the new connection, enter the IP parameters of the local side of the network with Remote Address 0.0.0.0/0 and Remote Gateway 0.0.0.0, and activate Allow Subnet. This allows any IP address to attempt a connection, up to as many simultaneous connections as the purchased IPSec license allows. Be sure that both IPSec and the connection are enabled.
- IPSec Keys Panel: Add the preshared key, in this example "firewall", without any local/remote IDs.
- IPSec IKE Panel: Choose the Preshared Key and, for simplicity, deactivate Perfect Forward Secrecy (PFS) and Dead Peer Detection (DPD).
- IPSec Options Panel: Enable NAT-Traversal.
- NAT Interface Panel: If the Securewall is active, be sure to redirect UDP 500, UDP 4500 and ESP traffic to internal. Otherwise this traffic will not be allowed through to the firewall.
- Monitor IPSec Details Panel: After a connection is made, the Monitor can show its status.
- Monitor IPSec Summary Panel: If more than one IPSec connection is active, all of them can be shown in the Summary Panel.
- Monitor Routes Panel: For each successfully connected IPSec client there will be a new entry in the routing table, telling the firewall to send that traffic to the IPSec service for encryption and delivery.