How to Configure IPSec Tunneling Between Win2003 and WS 2000

H IGH DATA RATE W IRELESS LAN TECHNOLOGY : How To Configure IPSec Tunneling between Windows Server 2003 and WS 2000

Mr. Jan Van de Laer, Symbol Technologies

December 2004

T E C H N I C A L N O T E

2 January 2003 Symbol Technologies, Inc.

T A B L E O F C O N T E N T S

Table of Contents ......................................................................................................... 2 1. Introduction .............................................................................................................. 3 2. Goal ......................................................................................................................... 4 3. Windows 2003 setup ................................................................................................ 4 3.1. Build a Filter List from Int A to Int B.................................................................. 5 3.2. Build a Filter List from Int B to Int A.................................................................. 6 3.3. Configure a Rule for a Int A – to – Int B Tunnel .............................................. 8 3.4. Configure a Rule for a Int B – to – Int A Tunnel ............................................ 11 3.5. Assign Your New IPSec Policy to Your Windows Server 2003 Gateway... 13 3.6. Configure Routing and Remote Access Filtering .......................................... 13 3.7. Configure Static Routes in Routing and Remote Access............................. 15 3.8. Test Your IPSec Tunnel .................................................................................. 15 3.9. IP Security Monitor........................................................................................... 16 3.10. Network Monitor ............................................................................................. 16 4. WS 2000 VPN Setup .............................................................................................. 18 5. Actual Test ............................................................................................................. 22 6. REFERENCES....................................................................................................... 24 10. About the Authors ................................................................................................ 25


1 . I n t roduct ion

You can use IP Security (IPSec) in tunnel mode to encapsulate Internet Protocol (IP) packets and optionally encrypt them. Windows Server 2003 supports IPSec tunneling for situations where both tunnel endpoints have static IP addresses. This article describes how to configure an IPSec tunnel between a Windows Server 2003 gateway and the WS 2000. Because the IPSec tunnel secures only traffic that is specified in the IPSec filters that you have to configure in the Windows 2003 Server, this article also describes how to configure filters in the Routing and Remote Access service to prevent traffic outside the tunnel from being received or forwarded.


2 . G O A L

The goal is to configure the Windows Server 2003 gateway and the WS 2000 in this way that an IPSec tunnel will guide traffic from Int A to Int B or to guide traffic coming from Int B to Int A, over a secure session (See figure 1).

Figure 1 3 . W I N D O W S 2 0 0 3 S E T U P

If you want to configure an IPSec policy in the Windows 2003 Server, you must build: ? One filter to match packets going from Int A to Int B (tunnel 1). ? One filter to match packets going from Int B to Int A (tunnel 2). ? One filter action to specify how the tunnel is secured (a tunnel is represented by a

rule, so two rules are created). ? Create IPSec Policy (See figure 2).

1. Click Start -> Run, and then type secpol.msc to start the IP Security Policy

Management snap-in.

2. Right-click IP Security Policies on Local Computer -> Create IP Security Policy.

3. Click Next, and then type a name for your policy (I used: ”IPSEC to WS2K”). Click

Next.

4. Click to clear the Activate the default response rule check box -> Next.

5. Click Finish (leave the Edit check box selected).


Figure 2 3 . 1 . B U I L D A F I L T E R L I S T F R O M I N T A T O I N T B

1. In the new policy properties, click to clear the Use Add Wizard check box, -> Add to

create a new rule.

2. Click the IP Filter List tab, -> Add.

3. Type an appropriate name for the filter list ( I used: “Net A – B”), click to clear the

Use Add Wizard check box, -> Add. (See figure 3)

4. In the Source address box, select A specific IP Subnet, and then type the IP

Address and Subnet mask to for Int A. (See figure 4)

5. In the Destination address box, select A specific IP Subnet, and then type the IP

Address and Subnet mask for Int B. (See figure 4)

6. Click to clear the Mirrored check box.

7. Click the Protocol tab. Make sure that the protocol type is set to Any, because

IPSec tunnels do not support protocol-specific or port-specific filters. (See figure 5)

8. Click OK.


Figure 3 Figure 4

Figure 5 3 . 2 . B U I L D A F I L T E R L I S T F R O M I N T B T O I N T A

1. Click the IP Filter List tab, -> Add.

2. Type an appropriate name for the filter list ( I used: “Net B – A”), click to clear the

Use Add Wizard check box, -> Add. (See figure 6)

3. In the Source address box, select A specific IP Subnet, and then type the IP

Address and Subnet mask to for Int A. (See figure 7)


4. In the Destination address box, select A specific IP Subnet, and then type the IP

Address and Subnet mask for Int B. (See figure 7)

5. Click to clear the Mirrored check box.

6. Click the Protocol tab. Make sure that the protocol type is set to Any, because

IPSec tunnels do not support protocol-specific or port-specific filters. (See figure 8)

7. Click OK.

Figure 6 Figure 7

Figure 8


When you have finished this with success you would see:

Figure 9

3 . 3 . C O N F I G U R E A R U L E F O R A I N T A – T O – I N T B T U N N E L

1. Click the IP Filter List tab, and then click to select the filter list that you created (Net

A – B).

2. Click the Tunnel Setting tab, click The tunnel endpoint is specified by this IP

Address box, and then type IP Ext A (See figure 10).

3. Click the Connection Type tab, click Local area network (LAN) (See figure 11).

4. Click the Filter Action tab, click to clear the Use Add Wizard check box, -> Add to

create a new filter action because the default actions allow incoming traffic in clear

text.

5. Keep the Negotiate security option enabled, and then click to clear the Accept

unsecured communication, but always respond using IPSec check box. You

must do this for secure operation (See figure 12).


6. Click Add,-> Custom. Select Data Integrity and Encryption, -> select MD5 and

select 3DES. Encapsulating Security Payload (ESP) is one of the two IPSec

protocols (See figure 13).

7. Click OK. Click the General tab, type a name for the new filter action (I used IPSEC

for WS2K), and then click OK.

8. Select the filter action that you just created.

9. Click the Authentication Methods tab, -> Add -> Use this string (preshared key),

enter the same preshared key as you are going to use in the WS 2000 IKE

configuration (See figure 14).

10. Click Close.

Figure 10 Figure 11


Figure 12 Figure 13

Figure 14


3 . 4 . C O N F I G U R E A R U L E F O R A I N T B – T O – I N T A T U N N E L

1. In IPSec policy properties, click Add to create a new rule.

2. Click the IP Filter List tab, click to select the filter list that you created (from Net B -

A) (See figure 15).

3. Click the Tunnel Setting tab, click The tunnel endpoint is specified by this IP

Address box, and then type IP Ext B (See figure 16).

4. Click the Connection Type tab, click Local area network (LAN) (See figure 17).

5. Click the Filter Action tab, -> select the filter action that you created above (See

figure 18).

6. Click the Authentication Methods tab, and then configure the same method that

you used in the first rule or used in the WS 2000 (the same method must be used in

both rules) (See figure 19).

7. Click OK, make sure both rules that you created are enabled in your policy, and then

click OK again.

Figure 15 Figure 16


Figure 17 Figure 18

Figure 19


3 . 5 . A S S I G N Y O U R N E W I P S E C P O L I C Y T O Y O U R W I N D O W S S E R V E R 2 0 0 3 G A T E W A Y

In the IP Security Policies on Local Computer MMC snap-in, right-click your new policy, and then click Assign (See figure 20).

Figure 20 3 . 6 . C O N F I G U R E R O U T I N G A N D R E M O T E A C C E S S F I L T E R I N G

For more security you may want to configure advanced inbound and outbound filtering, to prevent traffic that does not have a source or destination address that matches IP Int A or IP Int B, create an output filter for the external interface in the Routing and Remote Access MMC so that the filter drops all traffic except packets from IP Int A to IP Int B. Also create an input filter so the filter drops all traffic except packets from IP Int B to IP Int A. You also have to allow traffic to and from IP Ext B and IP Ext A to allow IKE negotiation when the tunnel is being created.


To configure the filters in the Routing and Remote Access service, load the Routing and Remote Access MMC and follow these steps: 1. Expand your server tree under Routing and Remote Access, expand the IP

Routing subtree, and then click General.

2. Right-click “To WS2000” -> Properties.

3. Click Outbound Filters -> New.

4. Click to select the Source network and Destination network check boxes.

5. In the Source network box, type the IP address and Subnet mask for IP Net A.

6. In the Destination network box, type the IP address and Subnet mask for IP Net

B.

7. Keep the protocol set to Any -> OK.

8. Click New -> select the Source network and Destination network check boxes.

9. In the Source network box -> type the IP address and Subnet mask for IP Ext B.

10. In the Destination network box -> type the IP address and Subnet mask for IP Ext

A (for IKE negotiation use a subnet mask of 255.255.255.255).

11. Keep the protocol set to Any -> OK.

12. Click to select the Drop all packets except those that meet the criteria below check

box -> OK.

13. Click Inbound Filters -> New -> click to select the Source network and

Destination network check boxes.

14. In the Source network box -> type the IP address and Subnet mask for IP Net B.

15. In the Destination network box -> type the IP address and Subnet mask for IP

Net A.

16. Keep the protocol set to Any -> then click OK.

17. Click New -> click to select the Source network and Destination network check

boxes.

18. In the Source network box -> type the IP address and Subnet mask for IP Ext A.

19. In the Destination network box -> type the IP address and Subnet mask for IP Ext

B (for IKE negotiation use a subnet mask of 255.255.255.255).

20. Keep the protocol set to Any -> click OK.

21. Click to select the Drop all packets except those that meet the criteria below check

box -> click OK two times.


3 . 7 . C O N F I G U R E S T A T I C R O U T E S I N R O U T I N G A N D R E M O T E A C C E S S

The Windows Server 2003 gateway must have a route in its route table for IP Int B. To configure this route, add a static route in the Routing and Remote Access MMC. If the Windows Server 2003 gateway is multihomed with two or more network adapters on the same external network the potential exists for the following: ? Outbound tunnel traffic leaves on one interface, and the inbound tunnel traffic is

received on a different interface. ? Outbound tunnel traffic leaves on an interface that is different from the interface that

has the tunnel endpoint IP address. The source IP of the tunneled packet is the source IP on the outbound interface. If this is not the source IP that is expected by the other end, the tunnel is not established.

To avoid sending outbound tunnel traffic on the wrong interface, define a static route to bind traffic to IP Net B to the appropriate external interface: 1. In the Routing and Remote Access MMC, expand your server tree, expand the IP

Routing subtree, right-click Static Routes, and then click New Static Route.

2. In the Interface box, select To WS2000 (if this is the interface that you want to

always use for outbound tunnel traffic).

3. Type the Destination network and Network mask for IP Net A.

4. In the Gateway box, type IP Ext A.

5. Keep the Metric value set to its default (1), and then click OK.

3 . 8 . T E S T Y O U R I P S E C T U N N E L

You can initiate the tunnel by pinging from a computer on IP Int A to a computer on IP Int B. If you created the filters correctly and assigned the correct policy, the two gateways establish an IPSec tunnel so they can send the ICMP traffic from the ping command in encrypted format. Even if the ping command works, verify that the ICMP traffic was sent in encrypted format from gateway to gateway. You can use the following tools to do this.


Enable Auditing for Logon Events and Object Access This logs events in the security log. This tells you if IKE security association negotiation was tried and if it was successful or not.

1. Using the Group Policy MMC snap-in -> Local Computer Policy -> Computer

Configuration -> Windows Settings -> Security Settings ->Local Policies ->

Audit Policy.

2. Enable Success and Failure auditing for Audit logon events and Audit object

access.

3 . 9 . I P S E C U R I T Y M O N I T O R

The IP Security Monitor console shows IPSec statistics. After you try to establish the tunnel by using the ping command, you can see if an SA was created (if the tunnel creation is successful, an SA is displayed). If the ping command is successful but there is no SA, the ICMP traffic was not protected by IPSec. If you see a "soft association" that did not previously exist, then IPSec agreed to allow this traffic to go "on the clear" (without encryption).

To add the IP Security Monitor snap-in, follow these steps: 1. Click Start -> Run -> type MMC -> OK.

2. Click File -> Add/Remove Snap-in -> Add.

3. Click IP Security Monitor -> Add.

4. Click Close -> OK.

3 . 1 0 . N E T W O R K M O N I T O R

You can use Network Monitor to capture traffic going through the IP Ext B interface while you try to ping the computer. If you can see ICMP packets in the capture file that have source and destination IP addresses that correspond to the IP addresses of the computer that you are pinging from and the computer you are trying to ping, then IPSec is not protecting the traffic.


To install Network Monitor, follow these steps: 1. Click Start -> Control Panel -> Add or Remove Programs -> Add/Remove

Windows Components.

2. In the Windows Components wizard, click Management and Monitoring Tools ->

Details.

3. In Subcomponents of Management and Monitoring Tools -> Network Monitor

Tools check box -> OK.

4. If you are prompted for additional files, insert the installation CD for your operating

system, or type a path of the location of the files on the network.


4 . WS 2 0 0 0 VPN S E T U P

In point 3 we prepared step-by-step the Windows 2003 Server for VPN communications. In this point we will prepare step-by-step the Wireless Switch 2000 for the communication via VPN with the Windows 2003 Server. To be able to communicate we need to configure the corresponding networking parameters on the Wireless Switch 2000. Namely: ? Local Subnet IP Int A(To determine which local subnet has to communicate via VPN

with the remote subnet). ? Local WAN IP IPExt A. ? Remote subnet IP Int B. ? Remote subnet mask IP Int B. ? Remote Gateway IP Ext B. ? And the corresponding IKE settings. To add a VPN Tunnel in the Wireless Switch 2000, follow these steps: Logon to thw Wireless Switch 2000.

Open Network Configuration .

Open WAN .

Open VPN .

Click Add create a new VPN connection.

Type a Tunnel Name, I used “To_Livenet”.

Select the Local Subnet, IP Int A.

Type the Local Wan IP, IP Ext A.

Type the Remote Subnet, IP Int B.

Type the Remote Subnet Mask.

Type the Remote Gateway, IP Ext B.

(When you used the same parameters as in this document you should have the

same view as in figure 21.)

5. Select Auto (IKE) Key Exchange .


6. Click Auto Key Settings .

7. Leave Use Perfect Forward Secrecy and AH Authentication to default.

8. Select as ESP Type.

9. Select as ESP Encryption Algorithm.

10. Select as ESP Authenticaiton Algorithm.

(When all went well you will have the same view as figure 22).

11. Click IKE Settings .

12. Leave Operation Mode, Local ID Type and Remote ID Type as default.

13. Select as IKE Autehentication Mode.

14. Select as IKE Authentication Algorithm.

15. Type as IKE Authentication Passphrase,

the same Passphrase as used in Figure 14 and in Figure 19.

16. Select as IKE Encryption Algorithm.

17. Type as Key Lifetime.

18. Select as Diffie-Hellman Group.

(When all went well you will have the same view as figure 23).


Figure 21

Figure 22


Figure 23

Now you are all set to go.


5 . A C T U A L T E S T

1. Before you try to ping from a computer on one subnet to the other (IP Net A or IP

Net B), type ipconfig at a command prompt. The network interfaces that are

initialized in the TCP/IP stack are displayed (See figure 24).

2. Start the IP Security Monitor tool.

3. Start Network Monitor, and then on the Capture menu, click Networks. Click the To

WS2000 interface, and then click OK.

4. Try to ping the computer. The first ICMP echo packets may time out while the IPSec

tunnel is being built. If the ping is not successful, check the security and system

logs.

5. If the ping is successful, stop the Network Monitor capture and see if the ICMP traffic

went "on the clear" or if you just see the ISAKMP and IPSec protocol packets.

Check IP Security Monitor to see if an SA was created using the IP Net A to IP Net

B filter you created

Figure 24


The VPN Status on the Wireless Switch 2000 view will be as shown in figure 25:

Figure 25


6 . REFERENCES For more information about the Routing and Remote Access service, see Windows Server 2003 online Help. To view the Windows Server 2003 Resource Kit and other technical documentation, visit the following Microsoft Web site: http://www.microsoft.com/windowsserver2003/default.mspx For IETF standards information, visit the following sites: http://www.ietf.org/html.charters/ipsec-charter.html


10 . About the Authors

Jan Van de Laer EMEA Consulting Systems Engineer.


Corporate Headquarters Symbol Technologies, Inc. One Symbol Plaza Holtsville, NY 11742-1300 TEL: +1.800.722-6234/+1.631.738.2400 FAX: +1.631.738.5990 For Asia Pacific Area Symbol Technologies Asia, Inc. (Singapore Branch) Asia Pacific Division 230 Victoria Street #05-07/09 Bugis Junction Office Tower Singapore 188024 TEL: +65.6796.9600 FAX: +65.6337.6488 For Europe, Middle East and Africa Symbol Technologies EMEA Division Symbol Place, Winnersh Triangle Berkshire, England RG41 5TP TEL: +44.118.9457000 FAX: +44.118.9457500 For North America, Latin America and Canada Symbol Technologies The Americas One Symbol Plaza Holtsville, NY 11742-1300 TEL: +1.800.722.6234/+1.631.738.2400 FAX: +1.631.738.5990 Symbol Website For a complete list of Symbol subsidiaries and business partners worldwide contact us at: www.symbol.com E-mail [email protected]

A B O U T S Y M B O L T E C H N O L O G I E S

Symbol Technologies, Inc., The Enterprise Mobility Company™ , delivers solutions that capture, move and manage information in real time, from the point of activity to the point of decision. Symbol solutions integrate advanced data capture technology, ruggedized mobile computers, wireless infrastructure, enabling software and high-ROI applications from our business partners and Symbol Enterprise Mobility Services. Symbol enterprise mobility solutions increase business productivity and velocity, reduce costs and realize competitive advantage for the world's leading retailers, transportation and logistics companies and manufacturers as well as government agencies and providers of healthcare, hospitality and security. More information is available at www.symbol.com. PUBLISHED BY: Symbol Technologies © 2004 Symbol Technologies, Inc.

S Y M B O L T E C H N O L O G I E S , I N C .

Documents

How to Configure IPSec Tunneling Between Win2003 and WS 2000