Configuring Windows 2000/XP IPsec for Site-to-Site VPN
November 2002
Copyright © 2002 SofaWare Technologies Inc, All Rights Reserved. Reproduction, adaptation, or translation without prior written permission is
prohibited except as allowed under copyright laws.
Introduction
This document explains how to configure the IPsec implementation in Microsoft Windows 2000, Windows 2000 Server, and Windows XP
for a Site-to-Site VPN with a Safe@Office appliance.
Figure 1 shows a sample implementation of this solution, in which a Safe@Office appliance is connected to a
Windows machine in a Site-to-Site VPN.
Scenarios
This document provides solutions for the following four scenarios:
Windows Gateway to Safe@Office in Unrestricted Mode
Traffic is encrypted between the network behind the Windows gateway and the Safe@Office WAN IP
address (Network A to Safe@Office external IP).
Windows Host to Safe@Office in Unrestricted Mode
Traffic is encrypted between the Windows host and the Safe@Office internal network (Windows machine to
Network B).
Windows Host to Safe@Office in Restricted Mode
Traffic is encrypted between the Windows host and the Safe@Office WAN IP address (Windows machine to
Safe@Office external IP).
Note: For all the scenarios above, the configuration of the Windows machine is
identical, except for the Filter Properties configuration (the source and destination addresses of the
IP filters). For further information, see the Filter Properties steps in the procedure below.
Important: Both the Safe@ gateway and the Windows machine must be configured with a
static IP address. The IP filters created below are bound to specific addresses, so a Windows machine
in DHCP mode may stop matching its own filters when its address changes, and the tunnel may not work properly.
Note: The screens shown below appear in both Windows 2000 and XP.
The IP security policies on the local machine are displayed in the right-hand pane.
The IP Security Policy Wizard opens with the Welcome to the IP Security Policy wizard dialog box
displayed.
e. Click Next.
f. In the Name field, enter the policy’s name. In this example, the policy’s name is “New_Policy”.
g. Click Next.
i. Click Next.
k. Click Finish.
The Properties dialog box appears, with the Rules tab displayed.
4. Click Add….
The New Rule Properties dialog box appears, with the IP Filter List tab displayed.
a. Click Add.…
d. Click Add.…
The Filter Properties dialog box appears, with the Addressing tab displayed.
[Figure: Filter Properties, Addressing tab, one screen per scenario: Windows Gateway to Safe@Office, Unrestricted Mode;
Windows Host to Safe@Office, Unrestricted Mode; Windows Host to Safe@Office, Restricted Mode;
Windows Gateway to Safe@Office, Restricted Mode. Set the Source and Destination addresses as described under Scenarios.]
i. Click OK.
The New Rule Properties dialog box reappears, with the IP Filter List displayed. The new filter
appears in the IP Filter Lists area.
a. Click Add.…
d. Click Add.…
The Filter Properties dialog box appears, with the Addressing tab displayed.
[Figure: Filter Properties, Addressing tab, for the B to A filter, one screen per scenario: Windows Gateway to Safe@Office, Unrestricted Mode;
Windows Host to Safe@Office, Unrestricted Mode; Windows Host to Safe@Office, Restricted Mode;
Windows Gateway to Safe@Office, Restricted Mode. The Source and Destination addresses are the reverse of those in the A to B filter.]
i. Click OK.
The New Rule Properties dialog box reappears, with the IP Filter List displayed. The new filter
appears in the IP Filter Lists area.
8. Set the filter action for the A to B IP filter, by doing the following:
c. Click Add….
The New Filter Action Properties dialog box appears, with the Security Methods tab displayed.
Do the following:
2) Clear the Accept unsecured communications, but always respond using IPsec check box.
3) Clear the Allow unsecured communications with non IPsec-aware computer check box.
Clearing both check boxes ensures that traffic matching this filter is never sent or accepted in the clear:
a peer that cannot negotiate IPsec is refused rather than allowed to fall back to unprotected communication.
4) Click Add….
The New Security Method dialog box appears, with the Security Method tab displayed.
d. Click Custom.
e. Click Settings….
Do the following:
1) Clear the Data and address integrity without encryption (AH) check box.
6) Click OK.
The New Filter Action Properties dialog box reappears, with the Security Methods tab displayed.
The new security method is listed in the Security Method preference order area.
h. Click OK.
The New Rule Properties dialog box reappears, with the Filter Action tab displayed. The Encrypt
action is listed in the Filter Actions area.
k. Click Add….
The New Authentication Method Properties dialog box appears, with the Authentication Method tab
displayed.
Do the following:
1) Click Use this string to protect the key exchange (preshared key).
Note: Use this preshared key as the Preshared Secret password when you create the tunnel
from the Safe@ gateway to the Windows machine. Windows stores the preshared key unencrypted in the
local IPsec policy store, where local administrators can read it, so choose a long random string and
do not reuse it for any other purpose.
3) Click OK.
The New Rule Properties dialog box reappears, with the Authentication Methods tab displayed.
The new authentication method (“Preshared Key”) is listed in the Authentication Method
preference order area.
l. Select Kerberos.
m. Click Remove.
n. Click Yes.
The Kerberos method is deleted from the Authentication Method preference order area. Kerberos is the
default method and can only be used between members of a Windows domain; removing it leaves the
preshared key as the only method offered to the Safe@ gateway.
t. Click Close.
9. Set the filter action for the B to A IP filter, by doing the following:
a. Click Add….
The New Rule Properties dialog box appears, with the IP Filter List tab displayed.
f. Click Add….
The New Authentication Method Properties dialog box appears, with the Authentication Method tab
displayed.
Do the following:
1) Click Use this string to protect the key exchange (preshared key).
Note: Use this preshared key as the Preshared Secret password, when you create the tunnel
from the Safe@ gateway to the Windows machine.
3) Click OK.
The New Rule Properties dialog box reappears, with the Authentication Methods tab displayed.
The new authentication method (“Preshared Key”) is listed in the Authentication Method
preference order area.
g. Select Kerberos.
h. Click Remove.
i. Click Yes.
The Kerberos method is deleted from the Authentication Method preference order area.
o. Click Close.
The Properties dialog box reappears, with the Rules tab displayed. The B to A filter and its action are
listed in the IP Security Rules area.
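The following script is an added example, not SofaWare's own, that builds the same policy as the dialog-box procedure above using the netsh ipsec static command set. netsh ipsec exists on Windows Server 2003 and later; it is not present on Windows 2000 or Windows XP, where the procedure above (or the ipsecpol/ipseccmd support tools) must be used, so the script is useful mainly as a compact record of what each dialog box sets. It configures the Windows Host to Safe@Office, Restricted Mode scenario (Windows machine to Safe@Office external IP). The addresses, policy and rule names, the preshared key, and the choice of ESP with 3DES and SHA1 are placeholders and assumptions; the algorithms must match the tunnel settings on the Safe@ gateway. For the gateway scenarios, substitute the Network A subnet and mask for the host address, as described under Scenarios. Nothing here touches the Tunnel Setting tab, which the procedure above also leaves at its default.

```batch
@echo off
rem Added example (not SofaWare's script). Requires netsh ipsec static,
rem available on Windows Server 2003 and later, NOT on Windows 2000/XP.
rem All addresses, names and the key are placeholders (assumptions).
setlocal

set WIN_HOST=192.168.10.5
set SAFE_EXT=203.0.113.20
set PSK=replace-with-a-long-random-secret

rem Policy: the equivalent of the IP Security Policy Wizard. The built-in
rem "Default Response" rule stays off so only our rule applies.
netsh ipsec static add policy name="New_Policy" description="Site-to-Site VPN to Safe@Office" activatedefaultrule=no

rem Filter list: one mirrored filter covers both the A to B and B to A
rem directions that the dialog procedure creates as two separate filters.
netsh ipsec static add filterlist name="A to B"
netsh ipsec static add filter filterlist="A to B" srcaddr=%WIN_HOST% srcmask=255.255.255.255 dstaddr=%SAFE_EXT% dstmask=255.255.255.255 protocol=ANY mirrored=yes

rem Filter action "Encrypt": negotiate ESP only (AH cleared), no fallback.
rem   inpass=no = "Accept unsecured communications, but always respond using IPsec" cleared
rem   soft=no   = "Allow unsecured communications with non IPsec-aware computer" cleared
rem   ESP[3DES,SHA1] is an assumed algorithm set; match it to the Safe@ gateway.
netsh ipsec static add filteraction name="Encrypt" action=negotiate inpass=no soft=no qmpfs=no qmsecmethods="ESP[3DES,SHA1]"

rem Rule: preshared key only. kerberos=no is the equivalent of removing
rem Kerberos from the Authentication Method preference order.
netsh ipsec static add rule name="Tunnel to Safe@Office" policy="New_Policy" filterlist="A to B" filteraction="Encrypt" kerberos=no psk="%PSK%"

rem Assign the policy (only one policy can be assigned at a time).
netsh ipsec static set policy name="New_Policy" assign=yes

rem Verification: after sending traffic to the Safe@ gateway, a main-mode SA
rem and a quick-mode SA for %WIN_HOST% <-> %SAFE_EXT% should be listed.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas

endlocal
```

Run the script from an elevated command prompt. If the quick-mode SA never appears, the usual causes are a mismatch between the algorithms in qmsecmethods and the Safe@ gateway's tunnel settings, a preshared key that differs between the two sides, or a filter whose addresses do not match the traffic actually being sent.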
Note: While creating the VPN profile, you must select Specify Configuration in the
VPN Network Configuration dialog box. Topology download is not supported.
Note: In Restricted mode, in order to forward encrypted traffic to hosts behind the
Safe@ gateway, you must define Virtual Server and/or Allow rules. You must select
the VPN Only check box for those rules.