Build the simplest point-to-point IPSec tunnel

Source: Internet
Author: User

For network communication that requires encryption there are many options, such as the various kinds of VPN: L2TP/IPSec VPN, PPTP, SSL


What follows is a simple point-to-point IPSec tunnel. It is so simple that there seems to be very little about it on the Internet... or maybe I am not searching the right way; there is plenty about L2TP and the various VPN gateways...

The idea is to use the IP Security Policy of the Local Machine to require security negotiation for specific traffic entering and leaving the machine, and to establish an IPSec tunnel so that this traffic is protected.
Negotiation starts automatically once the rule is assigned.

The steps are as follows...

Reference: http://support.microsoft.com/kb/816514

----------------------

1. Two PCs (or virtual machines):

PC1: OS: Windows 2003 Server, IP: 172.16.31.49
PC2: OS: Windows XP, IP: 172.16.31.50

2. Set the IP Security Policy for PC1

(1) Open Control Panel - Administrative Tools - Local Security Policy - IP Security Policies.


(2) Right-click, select "Create IP Security Policy", name it "PC2PC", click Next, clear "Activate default rule", leave "Edit properties" checked on the last page, and click Finish.


(3) A new IP Security Policy called PC2PC now appears (figure 1). Double-click it to edit its properties.



(4) Add an IP Security rule in "PC2PC Properties". First clear "Use Add Wizard", then click "Add".


(5) The IP Filter List tab is displayed. By default there are two IP filter lists (any others were added earlier). Click Add to create a filter list named "PC1toPC2".


(6) Define the traffic to be handled in the "IP Filter List". We want to handle the packets sent from PC1 to PC2, so again clear "Use Add Wizard" and click Add; the "IP Filter Properties" dialog appears. On the Addressing tab select "My IP Address" as the source address and "A specific IP address" as the destination address, and enter PC2's address. Also clear the "Mirrored" check box at the bottom. On the Protocol tab set the protocol type to "Any", because IPSec tunnels do not support protocol- or port-specific filters.

(Figure 2 shows steps 4, 5 and 6.)

(7) Click OK twice to return to the "IP Filter List" of step (5). A new filter list named PC1toPC2 is displayed (figure 3).

(8) Next choose what to do with the packets that match the filter. Select the "Filter Action" tab, again without the wizard, click Add and select "Negotiate security", then add a security method and choose integrity and encryption (figure 4). The filter action can of course be given any name; here we call it NeedIPSec.

(9) Then set the authentication method: delete the default Kerberos entry and add a pre-shared key method (figure 5). This authentication method is relatively weak (the key is stored in clear text in the local policy), so it suits a lab like this one rather than production.



(10) In the last step, click "Tunnel Setting", select "The tunnel endpoint is specified by this IP address", and enter the destination of this filter rule, i.e. PC2's address, here "172.16.31.50".

Finally click OK. The "PC2PC" policy now contains a PC1toPC2 security rule (figure 6).

With the steps above, every packet sent from the local machine to PC2 (172.16.31.50) must pass through the filter action "NeedIPSec" described above.

------------ Well, that is 1/4 done ------------------- phew...

The rule above covers packets from PC1 to PC2; what about the reverse direction?
Add a PC2toPC1 security rule on PC1 in the same way. The steps are the same, except that the filter list created in step (5) must have the source and destination addresses swapped, and the tunnel endpoint in step (10) must be PC1's own address (because the packets being processed are arriving at the local machine).

Final result (figure 7).

------------ Okay, now 1/2 done -------------------

Likewise, for the two sides to communicate securely their rules must match: add the corresponding IP Security rules on PC2 (with the roles of PC1 and PC2 swapped), using the same authentication method and the same pre-shared key.

Finally, on both machines right-click the PC2PC security policy and select "Assign" to make it take effect. A green dot then appears in the bottom right corner of the policy icon, showing that it is assigned.

Ping PC2 from PC1. The result (screenshot) is as follows:

As you can see, the first two pings return "Negotiating IP Security", i.e. the IP security policy is being negotiated.
Once negotiation succeeds the packets are transmitted normally, and after successful authentication no further negotiation is needed (in some cases it is triggered again, for example when a rule is re-assigned).

In a Wireshark capture you can see both the negotiation packets (ISAKMP) and the encrypted ping packets (ESP).

There is also a command-line tool that replaces this tedious GUI configuration. On XP it is called ipseccmd and can be found on the installation CD or on the Internet.
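On Windows XP SP2 and Windows 2003 the same thing can be done with the built-in netsh ipsec static context. The script below is an added example, not part of the original post: it rebuilds the PC2PC policy from the walkthrough on PC1 (172.16.31.49), with the pre-shared key as a placeholder you must replace with the same value on both machines.

```batch
@echo off
rem Added example (not from the original post): the PC2PC policy of the
rem GUI walkthrough, built with "netsh ipsec static" on PC1 (172.16.31.49).
rem On PC2 swap the roles of the two addresses. The key is a placeholder.
set PSK=REPLACE-WITH-SHARED-SECRET
set PC1=172.16.31.49
set PC2=172.16.31.50

rem Policy with the default response rule disabled, as in step (2)
netsh ipsec static add policy name=PC2PC activatedefaultrule=no

rem Filter lists: tunnel filters must be protocol=ANY and not mirrored (step 6)
netsh ipsec static add filterlist name=PC1toPC2
netsh ipsec static add filter filterlist=PC1toPC2 srcaddr=me dstaddr=%PC2% protocol=ANY mirrored=no
netsh ipsec static add filterlist name=PC2toPC1
netsh ipsec static add filter filterlist=PC2toPC1 srcaddr=%PC2% dstaddr=me protocol=ANY mirrored=no

rem Filter action: negotiate ESP with both integrity and encryption (step 8)
netsh ipsec static add filteraction name=NeedIPSec action=negotiate qmsecmethods=ESP[3DES,SHA1]

rem Rules: pre-shared key only, Kerberos removed (step 9). The tunnel
rem endpoint is the peer for outbound traffic and this machine for inbound (step 10)
netsh ipsec static add rule name=PC1toPC2 policy=PC2PC filterlist=PC1toPC2 filteraction=NeedIPSec tunnel=%PC2% kerberos=no psk="%PSK%"
netsh ipsec static add rule name=PC2toPC1 policy=PC2PC filterlist=PC2toPC1 filteraction=NeedIPSec tunnel=%PC1% kerberos=no psk="%PSK%"

rem Assign the policy (the green dot in the GUI)
netsh ipsec static set policy name=PC2PC assign=y

rem Checks: review the policy, then after pinging PC2 the main-mode and
rem quick-mode security associations should be listed
netsh ipsec static show policy name=PC2PC
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```

If the ping keeps returning "Negotiating IP Security" and no quick-mode SA appears, the usual causes are a key mismatch between the two machines or a tunnel endpoint that does not match the peer's rule.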

Phew... I spent a long time fighting with this thing...
