
Configuring Windows 2000/XP IPsec

for Site-to-Site VPN

November 2002

Copyright © 2002 SofaWare Technologies Inc, All Rights Reserved. Reproduction, adaptation, or translation without prior written permission is
prohibited except as allowed under copyright laws.

Introduction
This document explains how to configure IPsec on Microsoft Windows 2000, Windows 2000 Server, and Windows XP
for a Site-to-Site VPN with a Safe@Office appliance.

Figure 1 shows a sample implementation of this solution, in which a Safe@Office appliance is connected to a
Windows machine in a Site-to-Site VPN.

Figure 1: Safe@Office to Windows 2000/XP IPsec (Site-to-Site VPN)

Scenarios
This document provides solutions for the following four scenarios:

Windows Gateway to Safe@Office in Unrestricted Mode
Traffic is encrypted between the gateways’ subnets (Network A to Network B).

Windows Gateway to Safe@Office in Restricted Mode
Traffic is encrypted between the network behind the Windows gateway and the Safe@Office WAN IP
address (Network A to Safe@Office external IP).

Windows Host to Safe@Office in Unrestricted Mode
Traffic is encrypted between the Windows host and the Safe@Office internal network (Windows machine to
Network B).

Windows Host to Safe@Office in Restricted Mode
Traffic is encrypted between the Windows host and the Safe@Office WAN IP address (Windows machine to
Safe@Office external IP).

Configuring Windows 2000/XP IPsec for Site-to-Site VPNs 1


Note: For all the scenarios above, the configuration of the Windows machine is
identical, except for the Filter Properties configuration. For further information, see
pages 11 and 16.

Important: Both the Safe@ gateway and Windows machine must be configured with a
static IP address. DHCP mode in the Windows machine may not work properly.

Contacting Technical Support

To contact technical support, send an email to: support@sofaware.com

Configuring Windows 2000/XP

Note: The screens shown below appear in both Windows 2000 and XP.

Note: The IP addresses in Figure 1, page 1, appear in the screens below as an example.

Important: Additional security software installed on the Windows machine (for example Check Point
SecuRemote) may prevent the tunnel from working properly.

To configure Windows 2000/XP for Site-to-Site VPN

1. Create an IP security policy by doing the following:

a. Open the Windows Control Panel.

b. In the Administrative Tools menu, click Local Security Policy.

The Local Security Settings window opens.

c. Double-click on IP Security Policies On Local Machine.

The IP security policies on the local machine are displayed in the right-hand pane.

d. In the Action menu, click Create IP Security Policy.

The IP Security Policy Wizard opens with the Welcome to the IP Security Policy wizard dialog box
displayed.

e. Click Next.

The IP Security Policy Name dialog box appears.

f. In the Name field, enter the policy’s name. In the example above, the policy’s name is “New_Policy”.

g. Click Next.

The Requests for Secure Communication dialog box appears.

h. Clear the Activate the default response rule check box.

i. Click Next.

The Completing the IP Security Policy Wizard dialog box appears.

j. Clear the Edit properties check box.

k. Click Finish.

The new policy appears in the Local Security Settings window.

2. Double-click on the new policy.

The Properties dialog box appears, with the Rules tab displayed.

3. Clear the Use Add Wizard check box.

4. Click Add….

The New Rule Properties dialog box appears, with the IP Filter List tab displayed.

5. Create an A to B IP filter for the security policy, by doing the following:

a. Click Add….

The IP Filter List dialog box appears.

b. In the Name field, type “A to B”.

c. Clear the Use Add Wizard check box.

d. Click Add….

The Filter Properties dialog box appears, with the Addressing tab displayed.

e. In the Addressing tab, set the filter’s source and destination addresses for your scenario. The guide
shows a Filter Properties screenshot for each of the four scenarios (screenshots not reproduced); the
endpoints are those defined in the Scenarios section:

Windows Gateway to Safe@Office, Unrestricted Mode (Network A to Network B)

Windows Gateway to Safe@Office, Restricted Mode (Network A to Safe@Office external IP)

Windows Host to Safe@Office, Unrestricted Mode (Windows machine to Network B)

Windows Host to Safe@Office, Restricted Mode (Windows machine to Safe@Office external IP)

f. Clear the Mirrored check box.

g. Click on the Description tab.

The Description tab is displayed.

h. If desired, in the Description area, type a description of the filter.

i. Click OK.

The New Rule Properties dialog box reappears, with the IP Filter List displayed. The new filter
appears in the IP Filter Lists area.

6. Create a B to A IP filter for the security policy, by doing the following:

a. Click Add….

The IP Filter List dialog box appears.

b. In the Name field, type “B to A”.

c. Clear the Use Add Wizard check box.

d. Click Add….

The Filter Properties dialog box appears, with the Addressing tab displayed.

e. In the Addressing tab, set the filter’s source and destination addresses for your scenario. This filter
is the reverse direction of the A to B filter (the Mirrored check box is cleared in both, so each direction
needs its own filter). The guide shows a Filter Properties screenshot for each of the four scenarios
(screenshots not reproduced); the endpoints are the reverse of those in the Scenarios section:

Windows Gateway to Safe@Office, Unrestricted Mode (Network B to Network A)

Windows Gateway to Safe@Office, Restricted Mode (Safe@Office external IP to Network A)

Windows Host to Safe@Office, Unrestricted Mode (Network B to Windows machine)

Windows Host to Safe@Office, Restricted Mode (Safe@Office external IP to Windows machine)

f. Clear the Mirrored check box.

g. Click on the Description tab.

The Description tab is displayed.

h. If desired, in the Description area, type a description of the filter.

i. Click OK.

The New Rule Properties dialog box reappears, with the IP Filter List displayed. The new filter
appears in the IP Filter Lists area.

7. In the IP Filter Lists area, click A to B.

8. Set the filter action for the A to B IP filter, by doing the following:

a. Click the Filter Action tab.

The Filter Action tab is displayed.

b. Clear the Use Add Wizard check box.

c. Click Add….

The New Filter Action Properties dialog box appears, with the Security Methods tab displayed.

Do the following:

1) Click Negotiate Security.

2) Clear the Accept unsecured communications, but always respond using IPsec check box.

3) Clear the Allow unsecured communications with non IPsec-aware computer check box.

4) Click Add….

The New Security Method dialog box appears, with the Security Method tab displayed.

d. Click Custom.

e. Click Settings….

The Custom Security Method Settings dialog box appears.

Do the following:

1) Clear the Data and address integrity without encryption (AH) check box.

2) Select the Data integrity and encryption (ESP) check box.

3) From the Integrity Algorithm drop-down list, select SHA1.

4) From the Encryption Algorithm drop-down list, select 3DES.

5) In the Session Key Settings area, clear all check boxes.

6) Click OK.

The New Filter Action Properties dialog box reappears, with the Security Methods tab displayed.
The new security method is listed in the Security Method preference order area.

f. Click the General tab.

The General tab is displayed.

g. In the Name field, type Encrypt.

h. Click OK.

The New Rule Properties dialog box reappears, with the Filter Action tab displayed. The Encrypt
action is listed in the Filter Actions area.

i. In the Filter Actions area, click Encrypt.

j. Click the Authentication Methods tab.

The Authentication Methods tab is displayed.

k. Click Add….

The New Authentication Method Properties dialog box appears, with the Authentication Method tab
displayed.

Do the following:

1) Click Use this string to protect the key exchange (preshared key).

2) In the text box, type the preshared key.

Note: Use this preshared key as the Preshared Secret password, when you create the tunnel
from the Safe@ gateway to the Windows machine.

3) Click OK.

The New Rule Properties dialog box reappears, with the Authentication Methods tab displayed.
The new authentication method (“Preshared Key”) is listed in the Authentication Method
preference order area.

l. Select Kerberos.

m. Click Remove.

A confirmation message appears.

n. Click Yes.

The Kerberos method is deleted from the Authentication Method preference order area.

o. Click on the Tunnel Settings tab.

The Tunnel Settings tab is displayed.

p. Click The tunnel endpoint is specified by this IP Address.

q. In the text box, type the Safe@ gateway’s IP address.

r. Click on the Connection Type tab.

The Connection Type tab is displayed.

s. Click All network connections.

t. Click Close.

9. Set the filter action for the B to A IP filter, by doing the following:

a. Click Add….

The New Rule Properties dialog box appears, with the IP Filter List tab displayed.

b. In the IP Filter Lists area, click B to A.

c. Click the Filter Action tab.

The Filter Action tab is displayed.

d. In the Filter Actions area, click Encrypt.

e. Click the Authentication Methods tab.

The Authentication Methods tab is displayed.

f. Click Add….

The New Authentication Method Properties dialog box appears, with the Authentication Method tab
displayed.

Do the following:

1) Click Use this string to protect the key exchange (preshared key).

2) In the text box, type the preshared key.

Note: Use this preshared key as the Preshared Secret password, when you create the tunnel
from the Safe@ gateway to the Windows machine.

3) Click OK.

The New Rule Properties dialog box reappears, with the Authentication Methods tab displayed.
The new authentication method (“Preshared Key”) is listed in the Authentication Method
preference order area.

g. Select Kerberos.

h. Click Remove.

A confirmation message appears.

i. Click Yes.

The Kerberos method is deleted from the Authentication Method preference order area.

j. Click on the Tunnel Settings tab.

The Tunnel Settings tab is displayed.

k. Click The tunnel endpoint is specified by this IP Address.

l. In the text box, type the Windows machine’s IP address.

m. Click on the Connection Type tab.

The Connection Type tab is displayed.

n. Click All network connections.

o. Click Close.

The Properties dialog box reappears, with the Rules tab displayed. The B to A filter and its action are
listed in the IP Security Rules area.

10. Click Close.

The Local Security Settings window reappears.

11. Right-click on the new IP security policy.

12. From the pop-up menu, select Assign.

The new security policy is assigned to the network adapter.
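
The whole procedure above, written as an added example (not from the SofaWare guide) as a batch script using the netsh ipsec static context. It assumes Windows XP SP2 or later, where that context exists (Windows 2000 and XP SP1 do not have it), the Windows Gateway to Safe@Office, Unrestricted Mode scenario, and the constructed addresses and placeholder preshared key set at the top:

```batch
@echo off
rem Added example, not from the SofaWare guide. Same policy as the GUI steps,
rem built with "netsh ipsec static" (assumes Windows XP SP2 or later).
rem Constructed addresses for the Gateway/Unrestricted scenario; replace them.
set NET_A=192.168.10.0
set MASK_A=255.255.255.0
set NET_B=192.168.20.0
set MASK_B=255.255.255.0
set WIN_GW=198.51.100.10
set SAFE_GW=203.0.113.20
set PSK=REPLACE_WITH_PRESHARED_SECRET

rem Step 1: policy with the default response rule cleared (step 1h)
netsh ipsec static add policy name=New_Policy activatedefaultrule=no

rem Steps 5 and 6: one-way filter lists, Mirrored cleared (steps 5f and 6f)
netsh ipsec static add filterlist name="A to B"
netsh ipsec static add filter filterlist="A to B" srcaddr=%NET_A% srcmask=%MASK_A% dstaddr=%NET_B% dstmask=%MASK_B% mirrored=no
netsh ipsec static add filterlist name="B to A"
netsh ipsec static add filter filterlist="B to A" srcaddr=%NET_B% srcmask=%MASK_B% dstaddr=%NET_A% dstmask=%MASK_A% mirrored=no

rem Step 8c-8h: filter action "Encrypt", negotiate ESP with 3DES/SHA1 only.
rem inpass=no and soft=no are the two "unsecured communication" boxes cleared in 8c.
netsh ipsec static add filteraction name=Encrypt action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem Steps 8j-8t and 9: preshared key only (Kerberos removed), tunnel endpoint is the
rem Safe@ gateway for A to B and the Windows machine for B to A, all connection types.
netsh ipsec static add rule name="A to B" policy=New_Policy filterlist="A to B" filteraction=Encrypt tunnel=%SAFE_GW% conntype=all kerberos=no psk=%PSK%
netsh ipsec static add rule name="B to A" policy=New_Policy filterlist="B to A" filteraction=Encrypt tunnel=%WIN_GW% conntype=all kerberos=no psk=%PSK%

rem Steps 11-12: assign the policy, then show what was configured
netsh ipsec static set policy name=New_Policy assign=y
netsh ipsec static show policy name=New_Policy level=verbose
```

The result can be compared against the GUI under IP Security Policies On Local Machine; the Safe@ gateway side must be created with the same preshared secret and the same ESP 3DES/SHA1 settings, as the note in step 8k says.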

Configuring the Safe@Office Appliance


You must create the VPN profile in Safe@Office. For instructions, see the SofaWare S-box Getting Started
Guide, “Adding and Editing VPN Sites using SofaWare Safe@Office”, page 102.

Note: While creating the VPN profile, you must select Specify Configuration in the
VPN Network Configuration dialog box. Topology download is not supported.

Note: In Restricted mode, in order to forward encrypted traffic to hosts behind the
Safe@ gateway, you must define Virtual Server and/or Allow rules. You must select
the VPN Only check box for those rules.
