How to configure an IPSec tunnel in Windows 2000


How to Configure IPSec Tunneling in Windows 2000
The information in this article applies to:
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server

SUMMARY

You can use IP Security (IPSec) in tunnel mode to encapsulate Internet Protocol (IP) packets and optionally encrypt them. The primary reason for using IPSec tunnel mode (sometimes referred to as "pure IPSec tunnel") in Windows 2000 is interoperability with third-party routers or gateways that do not support Layer 2 Tunneling Protocol (L2TP)/IPSec or PPTP Virtual Private Networking (VPN) tunneling technology.


MORE INFORMATION

Windows 2000 supports IPSec tunneling for situations where both tunnel endpoints have static IP addresses. This is primarily useful in gateway-to-gateway implementations, but it may also work for specialized network security scenarios between a gateway/router and a server (for example, a Windows 2000 router that routes traffic from its external interface to an internal Windows 2000-based computer, securing the internal path by establishing an IPSec tunnel to the internal server that provides services to the external clients).

Windows 2000 IPSec tunneling is not supported for client remote access VPN use, because the IETF IPSec RFCs do not currently provide a remote access solution in the Internet Key Exchange (IKE) protocol for client-to-gateway connections. IETF RFC 2661, Layer 2 Tunneling Protocol (L2TP), was developed by Cisco, Microsoft, and others specifically for the purpose of providing client remote access VPN connections. In Windows 2000, client remote access VPN connections are protected by an automatically generated IPSec policy that uses IPSec transport mode (not tunnel mode) when the L2TP tunnel type is selected.

Windows 2000 IPSec tunneling also does not support protocol-specific or port-specific tunnels. Although the Microsoft Management Console (MMC) IPSec Policy snap-in is very general and allows you to associate any type of filter with a tunnel, make sure you use only address information when you specify a filter for a tunnel rule.

Details on how the IPSec and IKE protocols work can be found in the Microsoft Windows 2000 Resource Kit and in the Windows 2000 IPSec end-to-end walkthrough. Information about where to find these documents is provided at the end of this article.

This article explains how to configure an IPSec tunnel on a Windows 2000 gateway. Because the IPSec tunnel secures only the traffic specified in the IPSec filters you configure, this article also describes how to configure filters in the Routing and Remote Access Service (RRAS) to prevent traffic outside the tunnel from being received or forwarded. The article uses the following scenario to make the configuration steps easy to follow:

   NetA --- Windows 2000 gateway --- Internet --- third-party gateway --- NetB
            W2KintIP     W2KextIP                3rdExtIP     3rdIntIP

NetA is the network ID of the Windows 2000 gateway internal network.

W2KintIP is the IP address assigned to the Windows 2000 gateway internal network adapter.

W2KextIP is the IP address assigned to the Windows 2000 gateway external network adapter.

3rdExtIP is the IP address assigned to the third-party gateway external network adapter.

3rdIntIP is the IP address assigned to the third-party gateway internal network adapter.

NetB is the network ID of the third-party gateway internal network.
The goal is for the Windows 2000 gateway and the third-party gateway to establish an IPSec tunnel when traffic from NetA needs to be routed to NetB or when traffic from NetB needs to be routed to NetA so traffic is routed over a secure session.

You need to configure an IPSec policy. You must build two filters: one to match packets going from NetA to NetB (tunnel 1), and one to match packets going from NetB to NetA (tunnel 2). You then configure a filter action to specify how the tunnel should be secured. A tunnel is represented by a rule, so two rules are created.

How to Create an IPSec Policy

Typically, a Windows 2000 gateway is not a member of a domain, so a local IPSec policy is created. If the Windows 2000 gateway is a member of a domain that applies IPSec policy to all members of the domain by default, that domain policy prevents the Windows 2000 gateway from using a local IPSec policy. In this case, you can create an Organizational Unit (OU) in Active Directory, make the Windows 2000 gateway a member of this OU, and assign the IPSec policy to the Group Policy Object (GPO) of the OU. For more information, refer to the "Assigning IPSec Policy" section of Windows 2000 online help.
  1. Use the MMC to open the IP Security Policy Management snap-in (a quick way to load this is to click Start, click Run, and then type secpol.msc).

  2. Right-click IP Security Policies on Local Machine, and then click Create IP Security Policy.

  3. Click Next, and then type a name for your policy (for example, IPSec Tunnel with third-party Gateway).

    NOTE: You can also type more information in the Description box.

  4. Click to clear the Activate the default response rule check box, and then click Next.

  5. Click Finish (keep the Edit check box selected).

NOTE: The IPSec policy is created with default settings for IKE main mode (phase 1), found on the General tab under Key Exchange.

The IPSec tunnel consists of two rules, each of which specifies a tunnel endpoint. Because there are two tunnel endpoints, there are two rules. The filters in each rule must represent the source and destination IP addresses in the IP packets that are sent to that rule's tunnel endpoint.

How to Build a Filter List from NetA to NetB
  1. In the new policy properties, click to clear the Use Add Wizard check box, and then click Add to create a new rule.

  2. On the IP Filter List tab, click Add.

  3. Type an appropriate name for the filter list, click to clear the Use Add Wizard check box, and then click Add.

  4. In the Source address area, click A specific IP Subnet, and then fill in the IP Address and Subnet mask boxes to reflect NetA.

  5. In the Destination address area, click A specific IP Subnet, and then fill in the IP Address and Subnet mask boxes to reflect NetB.

  6. Click to clear the Mirrored check box.

  7. On the Protocol tab, make sure the protocol type is set to Any, because IPSec tunnels do not support protocol-specific or port-specific filters.

  8. If you want to type a description for your filter, click the Description tab. It is generally a good idea to give the filter the same name you used for the filter list. The filter name is displayed in IPSec Monitor when the tunnel is active.

  9. Click OK, and then click Close.

How to Build a Filter List from NetB to NetA
  1. On the IP Filter List tab, click Add.

  2. Type an appropriate name for the filter list, click to clear the Use Add Wizard check box, and then click Add.

  3. In the Source address area, click A specific IP Subnet, and then fill in the IP Address and Subnet mask boxes to refl
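The two address-only filter lists and the two tunnel rules they belong to, modelled in Python as an added example (this is not code from the original Microsoft article and Windows 2000 has no such API; it only encodes the rules the article states). The subnets and external addresses are constructed sample values standing in for NetA, NetB, W2KextIP and 3rdExtIP. It shows which rule and tunnel endpoint a packet in each direction falls under, that a packet outside both filters is matched by nothing (the case the RRAS filters mentioned earlier exist for), and what goes wrong if the Mirrored check box is left selected.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample addressing for the NetA / NetB scenario (assumed values,
# not taken from the article). Only the two external addresses are tunnel
# endpoints; the gateways' internal addresses play no part in the rules.
NET_A = ip_network("192.168.10.0/24")        # NetA
NET_B = ip_network("192.168.20.0/24")        # NetB
W2K_EXT_IP = ip_address("203.0.113.10")      # W2KextIP
THIRD_EXT_IP = ip_address("198.51.100.20")   # 3rdExtIP


@dataclass(frozen=True)
class TunnelFilter:
    """One filter in an IP filter list. For a tunnel rule the article allows
    address information only: protocol Any, no ports, Mirrored cleared."""
    name: str
    source: IPv4Network
    destination: IPv4Network
    protocol: str = "Any"
    mirrored: bool = False

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        # A mirrored filter also matches the reverse direction.
        if self.mirrored and src in self.destination and dst in self.source:
            return True
        return src in self.source and dst in self.destination


@dataclass(frozen=True)
class TunnelRule:
    """A rule pairs one filter list with the tunnel endpoint that matching
    packets are sent to: the far gateway's external address for the
    outbound rule, this gateway's own external address for the inbound one."""
    name: str
    ip_filter: TunnelFilter
    tunnel_endpoint: IPv4Address


def validate_tunnel_filter(f: TunnelFilter) -> list[str]:
    """Reasons a filter cannot be used in a Windows 2000 tunnel rule."""
    problems = []
    if f.protocol != "Any":
        problems.append(f"{f.name}: protocol must be Any, not {f.protocol}")
    if f.mirrored:
        problems.append(f"{f.name}: Mirrored must be cleared for a tunnel filter")
    return problems


def build_policy(net_a, net_b, local_ext, remote_ext, mirrored=False):
    """The two rules the article prescribes. 'mirrored' exists only to show
    what happens when the Mirrored box is left checked (assumed knob)."""
    rule1 = TunnelRule("Tunnel 1: NetA to NetB",
                       TunnelFilter("NetA to NetB", net_a, net_b, mirrored=mirrored),
                       remote_ext)
    rule2 = TunnelRule("Tunnel 2: NetB to NetA",
                       TunnelFilter("NetB to NetA", net_b, net_a, mirrored=mirrored),
                       local_ext)
    return [rule1, rule2]


def classify(policy, src, dst):
    """First matching rule as (rule name, tunnel endpoint), or None when the
    packet is outside every tunnel filter. IPSec leaves such a packet alone,
    which is why the article also has you add RRAS filters so it is not
    forwarded in the clear."""
    for rule in policy:
        if rule.ip_filter.matches(src, dst):
            return rule.name, rule.tunnel_endpoint
    return None


def check_policy(policy):
    """All filter problems in a policy; empty when the policy is clean."""
    problems = []
    for rule in policy:
        problems.extend(validate_tunnel_filter(rule.ip_filter))
    return problems


if __name__ == "__main__":
    policy = build_policy(NET_A, NET_B, W2K_EXT_IP, THIRD_EXT_IP)
    print("problems:", check_policy(policy))
    for src, dst in [("192.168.10.5", "192.168.20.7"),
                     ("192.168.20.7", "192.168.10.5"),
                     ("192.168.10.5", "192.0.2.1")]:
        print(src, "->", dst, classify(policy, ip_address(src), ip_address(dst)))
```

With the Mirrored box checked on the first filter, the NetB-to-NetA packet is caught by tunnel 1 and handed to 3rdExtIP instead of terminating at W2KextIP, which is the concrete reason step 6 tells you to clear it.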
