8/6/2019 Windows XP and Vista IPSec VPN Policy
http://slidepdf.com/reader/full/windows-xp-and-vista-ipsec-vpn-policy 1/15
Windows XP / Vista IPSec VPN policy
Johan Engdahl 2007 page 1
Windows XP / Vista
IPSec VPN policy configuration
Index
Preface (page 2)
Building an IPSec policy (page 3)
Creating Filter Lists (page 5)
Defining Filter Action and negotiation security (page 7)
Defining Authentication Methods (page 9)
Defining Tunnel Settings and Connection Type (page 11)
A short word about the other side of the tunnel (page 13)
Testing the VPN and looking at the log (page 14)
Conclusion (page 15)
Preface
This document shows how to establish an IPSec VPN between a Windows XP
computer exposed to the Internet and a Checkpoint Firewall-1 / VPN-1 NG AI R55,
using the Security Policy snap-in for MMC and the encryption and hash
algorithms built into the XP IP stack.
The environment consists of two network segments:
Network A (AD_2003 Server)
IP: 192.168.1.0
Mask: 255.255.255.0
Router: 192.168.1.254
Network B (XP_IPSec_LABB Workstation)
IP: 172.16.32.9
Mask: 255.255.255.252
Router: 172.16.32.10
Building an IPSec policy
We'll be using the built-in Security Policy snap-in to set up the preferences for the
VPN and configure settings such as terminating IP addresses, bi-directional
traffic, allowed protocols and ports, pre-shared keys and so on, as explained
further down the road.
Start secpol.msc from the START/RUN facility. Right-click IP Security Policies on
Local Computer and choose Create IP Security Policy.
Select a suitable name for the policy and click Next.
Here you'll deselect Activate the default response rule and click Next.
Now it's time to define the IP filter lists (we'll be creating two of them; they'll be
exactly the same except for the terminating IP addresses). Choose Add to get
the New Rule Properties window.
Creating Filter Lists
From within this window click Add.
In this example the first filter list will be called XP_to_Checkpoint_FW (the opposite
direction will be called Checkpoint_FW_to_XP). Click Add to enter Filter Properties.
Make sure the source and destination addresses are entered correctly for the
direction this filter list covers.
Use the default settings or change them according to your needs. We'll be using ANY here.
Click OK until the New Rule Properties window is shown again and create a new
Filter List for the opposite direction.
Remember to get the IP information correct.
Defining Filter Action and negotiation security
The next step is to define the Filter Action and negotiation security.
Choose Require Security and click Edit.
Be sure to enable Session key perfect forward secrecy (PFS). Here you may also
change the preset security methods or define your own.
Click OK twice and go to the Authentication Methods tab.
Defining Authentication Methods
Naturally, the Authentication method is preset to Kerberos, but we'll be using a
pre-shared key.
Highlight Kerberos, click Edit, select Use this string (preshared key) and enter
the string to use (remember that this string must match between the
terminating endpoints).
Click OK and notice the method being changed.
Defining Tunnel Settings and Connection Type
The last two remaining things to define are the terminating tunnel endpoint this Filter
Rule will use, which should be the IP address of the remote gateway, and the
connection type, i.e. how the Filter Rule should apply.
When this is done, yet another Filter Rule must be created defining the opposite
direction. Use exactly the same settings except for the IP address of the
terminating tunnel endpoint, which in this case will be the Windows XP client.
Now click OK all the way back to the Local Security Settings window. Right-click
the new policy and choose Assign to enable it.
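The same policy built from the command line instead of the snap-in, as an added example that is not from the original guide: it assumes Windows XP SP2 or later (or Vista), where the netsh ipsec static context exists, and uses labelled placeholders for the Checkpoint gateway address and the pre-shared key, which the guide does not print. The policy, filter action and rule names are assumed; the filter list names and addresses are the guide's own.

```batch
@echo off
REM Added example: netsh equivalent of the secpol.msc steps in this guide.
REM Assumes Windows XP SP2+ or Vista (netsh ipsec static available).
REM Placeholders (not from the guide): gateway IP and pre-shared key.
set POLICY=XP_IPSec_VPN
set GW_IP=REPLACE_WITH_CHECKPOINT_GATEWAY_IP
set XP_IP=172.16.32.9
set PSK=REPLACE_WITH_SHARED_SECRET

REM 1. Policy without the default response rule (the guide deselects it).
netsh ipsec static add policy name="%POLICY%" activatedefaultrule=no

REM 2. Two filter lists, one per direction, each with one non-mirrored filter
REM    (the guide builds both directions by hand instead of mirroring).
netsh ipsec static add filterlist name="XP_to_Checkpoint_FW"
netsh ipsec static add filter filterlist="XP_to_Checkpoint_FW" srcaddr=%XP_IP% dstaddr=192.168.1.0 dstmask=255.255.255.0 protocol=ANY mirrored=no
netsh ipsec static add filterlist name="Checkpoint_FW_to_XP"
netsh ipsec static add filter filterlist="Checkpoint_FW_to_XP" srcaddr=192.168.1.0 srcmask=255.255.255.0 dstaddr=%XP_IP% protocol=ANY mirrored=no

REM 3. Filter action = Require Security: negotiate, never pass or fall back
REM    to clear text, with session key PFS. ESP[3DES,SHA1] is an assumed
REM    choice; the guide keeps the preset security methods.
netsh ipsec static add filteraction name="Require_Security_PFS" action=negotiate inpass=no soft=no qmpfs=yes qmsecmethods="ESP[3DES,SHA1]"

REM 4. Two tunnel rules with pre-shared key authentication. The tunnel
REM    endpoint is the far side of each direction: the gateway for outbound,
REM    the XP client itself for inbound.
netsh ipsec static add rule name="XP_to_FW" policy="%POLICY%" filterlist="XP_to_Checkpoint_FW" filteraction="Require_Security_PFS" tunnel=%GW_IP% conntype=all psk="%PSK%"
netsh ipsec static add rule name="FW_to_XP" policy="%POLICY%" filterlist="Checkpoint_FW_to_XP" filteraction="Require_Security_PFS" tunnel=%XP_IP% conntype=all psk="%PSK%"

REM 5. Assign (activate) the policy and show what is now in effect.
netsh ipsec static set policy name="%POLICY%" assign=yes
netsh ipsec static show policy name="%POLICY%"

REM After pinging a host in 192.168.1.0/24, the negotiated SAs can be seen with:
REM   netsh ipsec dynamic show mmsas
REM   netsh ipsec dynamic show qmsas
```

The two `show` commands at the end are the local counterpart of the Smartview Tracker check later in the guide: if main mode SAs appear but no quick mode SAs, the pre-shared key or phase 2 proposals usually differ between the two endpoints.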
A short word about the other side of the tunnel
As this document will not cover basic VPN setup I'll only show the settings I used to
get this show on the road.
Testing the VPN and looking at the log
Pinging from the Windows XP machine to the 2003 AD server on the other side
brings the IP Security Policy up and starts the negotiation with the remote gateway.
The log viewer (Smartview Tracker) shows us what's happening.
Conclusion
All I can say is that I'm extremely pleased with the functionality. Although the
screenshots above are taken from Windows XP, I can assure you that this works just
as fine with Windows Vista.
The IP stack in Windows XP and the improved IP stack in Windows Vista make it
smooth to have several policies on the workstation, where the different vendor VPN
clients used to interfere with each other or make it completely impossible to
combine certain clients at all.