Deploying a TCP/IP-Service over IPSec

  • Question

  • I've got the following scenario:

    I'm using a Windows Server 2008 R2 DataCenter Core installation (x64) and want to discard all incoming and outgoing network packets. I've done this by using the following command:

    netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
    
    So far, so good.

    Now I want to provide a proprietary TCP/IP service. The communication with this service should only be allowed over IPSec using AH with SHA-1 for integrity and ESP with 3DES for encryption. The user needs to log in to establish this VPN connection.

    I've played a bit with the netsh command line tool, but haven't gotten much to work.

    For the sake of simplicity, I tried to allow ICMP diagnostic packages over IPSec. Therefore, I used the following commands to control the ICMP communication between two clients (Server 2008: 192.168.217.136, Windows 7: 192.168.217.1):

    netsh ipsec static>add filterlist name=diagnostics_list description="filters diagnostic packages"
    netsh ipsec static>set filteraction name=negotiate_ah_sha1_esp_3des_sha1 qmpfs=no inpass=no soft=no action=negotiate qmsecmethods="AH[SHA1]+ESP[3DES,SHA1]:20480k/3600s"
    netsh ipsec static>add filter filterlist=diagnostics_list srcaddr=me dstaddr=192.168.217.1 description="me2host_bi_icmp" protocol=ICMP mirrored=yes srcmask=255.255.255.255 dstmask=255.255.255.255
    netsh ipsec static>add policy name=diagnostics_policy description="settings for diagnostic packages" mmpfs=no qmpermm=0 mmlifetime=480m activatedefaultrule=no pollinginterval=180m assign=yes mmsecmethods="3DES-SHA1-3"
    netsh ipsec static>add rule name=diagnostics policy=diagnostics_policy filterlist=diagnostics_list filteraction=negotiate_ah_sha1_esp_3des_sha1 conntype=all activate=yes description="rule for diagnostic packages" kerberos=no psk="my diagnostic channel"
    

    So, this worked. But not in the way I would like. I don't know where I can specify this, but I want to use IPSec in tunnel mode. Currently transport mode is used (I can see that by using a network sniffer).

    Maybe, I'm doing something wrong. Thanks in advance for any help.

    Best regards

    Sunday, April 10, 2011 6:47 PM
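    The following is an added example, not part of the original post, showing where tunnel mode is selected in netsh ipsec static: the tunnel= parameter of add rule names the far tunnel endpoint, and because a tunnel rule cannot use a mirrored filter, each direction gets its own filter list and rule. It reuses the two hosts and the filter action from the post (server 192.168.217.136, client 192.168.217.1); the filter-list, policy and rule names are assumed.

```powershell
# Added example: host-to-host IPsec in TUNNEL mode with "netsh ipsec static".
# Assumes the server 192.168.217.136 configures the policy and the peer is
# 192.168.217.1 (both from the original post). Run in an elevated prompt.

# Filter action: AH(SHA1) + ESP(3DES,SHA1), negotiate only, no clear-text fallback.
netsh ipsec static add filteraction name=negotiate_ah_sha1_esp_3des_sha1 `
    action=negotiate inpass=no soft=no qmpfs=no `
    qmsecmethods="AH[SHA1]+ESP[3DES,SHA1]:20480k/3600s"

# Outbound direction (server -> client). Tunnel filters must NOT be mirrored.
netsh ipsec static add filterlist name=tunnel_out description="server to client"
netsh ipsec static add filter filterlist=tunnel_out `
    srcaddr=192.168.217.136 srcmask=255.255.255.255 `
    dstaddr=192.168.217.1 dstmask=255.255.255.255 `
    protocol=ICMP mirrored=no description="srv2cli_icmp"

# Inbound direction (client -> server), again not mirrored.
netsh ipsec static add filterlist name=tunnel_in description="client to server"
netsh ipsec static add filter filterlist=tunnel_in `
    srcaddr=192.168.217.1 srcmask=255.255.255.255 `
    dstaddr=192.168.217.136 dstmask=255.255.255.255 `
    protocol=ICMP mirrored=no description="cli2srv_icmp"

# Policy shell (main mode 3DES/SHA1, DH group 3); assigned only once complete.
netsh ipsec static add policy name=tunnel_policy description="host-to-host tunnel" `
    mmpfs=no mmlifetime=480m activatedefaultrule=no pollinginterval=180m `
    mmsecmethods="3DES-SHA1-3" assign=no

# One rule per direction. tunnel= is the tunnel endpoint that RECEIVES the
# traffic matched by that rule's filter list: the peer for outbound, this host
# for inbound. Pre-shared key kept from the post; certificates or Kerberos are
# the stronger choice where available.
netsh ipsec static add rule name=tunnel_to_client policy=tunnel_policy `
    filterlist=tunnel_out filteraction=negotiate_ah_sha1_esp_3des_sha1 `
    tunnel=192.168.217.1 conntype=all activate=yes kerberos=no psk="my diagnostic channel"
netsh ipsec static add rule name=tunnel_from_client policy=tunnel_policy `
    filterlist=tunnel_in filteraction=negotiate_ah_sha1_esp_3des_sha1 `
    tunnel=192.168.217.136 conntype=all activate=yes kerberos=no psk="my diagnostic channel"

# Activate, then verify: the verbose policy dump lists the tunnel endpoints and
# the quick-mode SAs should appear once the peer (with mirrored config) pings.
netsh ipsec static set policy name=tunnel_policy assign=yes
netsh ipsec static show policy name=tunnel_policy level=verbose
netsh ipsec dynamic show qmsas
```

    The peer needs the same policy with the two directions swapped. On Windows Server 2008 R2 the same tunnel can instead be expressed as a connection security rule (netsh advfirewall consec add rule ... mode=tunnel localtunnelendpoint=... remotetunnelendpoint=...), which integrates with the advfirewall profiles already set to block in the post.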

All replies

  • Does nobody know an answer? Or am I missing something?
    Thursday, April 14, 2011 5:22 PM