IPSec point-to-point implementation

Posted on 2006-07-12
Last Modified: 2007-12-19
We have an off-site "backup" web server that is being hosted by another company and is connected directly to the internet (not using a NAT router).  Our corporate network is behind an ISA 2004 firewall/gateway.  I need to set up an IPSec connection between the remote server and at least one server in our internal network so that we can securely transmit data between our network and the remote server.

I have tried setting up a VPN connection to the ISA from the remote server, but I only want communication between the two networks secured; regular internet traffic to/from the server does not need to go through the ISA.  I just want IPSec without NAT.

Can I / how do I set up a direct IPSec connection between the two networks?  Do I set up the connection between the ISA gateway and the remote server, or can I do it for specific internal servers?  All servers are running Windows Server 2003 Standard.

I know this is a pretty broad question, so I don't expect detailed step-by-step answers, just some key points to set up and pitfalls to look for.

TIA,

Don
Question by:dstanley9

6 Comments

Accepted Solution

by:
NJComputerNetworks earned 500 total points
ID: 17092945
Both servers must run a Windows 200x OS.

You can create a local policy on each server to allow IPSEC communication between the two servers.  This is all or nothing...  Meaning that once you turn it on, ALL traffic between these two servers will go over IPSEC.

IPSEC, in your situation, should be IP based.  Meaning...  you will set up an IPSEC rule that specifies source and destination IP addresses.  Use My Address as the source, and the destination will be the remote IP address.

You will have to open your firewall to allow IPSEC traffic through...

Firewall Ports Needed for IPSEC

Configuring Firewalls to Permit ESP, ISAKMP (IKE), and AH Traffic

When a firewall exists between IPSec peers, as it does in the example, you must configure the firewall to forward IPSec traffic on UDP source and destination port 500, IP protocol 50 (ESP), or IP protocol 51 (AH). First, to permit IPSec traffic on UDP source and destination port 500, use the following settings to create a firewall filter called Permit ISAKMP traffic on UDP port 500:
• Source address = Specific_IP_address
• Destination address = Specific_IP_address
• Protocol = UDP
• Source port = 500
• Destination port = 500
To permit IPSec traffic on IP protocol 50 (ESP) or IP protocol 51 (AH), use the following settings to create a firewall filter called Permit IPSec traffic on ESP or AH protocol (50 or 51):
• Source address = Specific_IP_address
• Destination address = Specific_IP_address
• Protocol = 50 or 51


More Information:  http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en

http://www.microsoft.com/technet/itsolutions/network/ipsec/ipsecfaq.mspx
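As an added worked example (not part of the thread or of Microsoft's documentation): the netsh ipsec static equivalent of the local "Require Security" policy and My Address -> remote IP filter described above, for Windows Server 2003, plus the commands that show the negotiated SAs. The remote address, policy and filter names and the pre-shared key are placeholders; the parameter names are as recalled from the Server 2003 netsh ipsec context, so confirm each with the built-in /? help (e.g. netsh ipsec static add rule /?) before running.

```batch
@echo off
REM Added example, not from the thread. Run on BOTH servers, swapping REMOTE_IP.
REM All values below are placeholders chosen for illustration.
set REMOTE_IP=203.0.113.10
set POLICY=Backup Server IPSec
set PSK=CHANGE-ME-to-a-long-random-pre-shared-key

REM 1. Policy container. activatedefaultrule=no keeps the default response rule off
REM    so only the explicit host-to-host rule below applies.
netsh ipsec static add policy name="%POLICY%" description="ESP between this host and the off-site backup server" activatedefaultrule=no

REM 2. Filter list: My IP Address <-> remote server, all protocols. mirrored=yes adds the
REM    reverse direction, which is why the answer calls this "all or nothing".
netsh ipsec static add filterlist name="Backup Server Traffic"
netsh ipsec static add filter filterlist="Backup Server Traffic" srcaddr=me dstaddr=%REMOTE_IP% protocol=ANY mirrored=yes description="All traffic to/from backup server"

REM 3. Filter action = "Require Security": negotiate ESP (IP protocol 50), never fall
REM    back to cleartext (soft=no) and reject unsecured inbound packets (inpass=no).
REM    3DES/SHA1 is what Server 2003 offers; AES is not available on this platform.
netsh ipsec static add filteraction name="Require ESP" action=negotiate inpass=no soft=no qmpfs=yes qmsecmethods="ESP[3DES,SHA1]"

REM 4. Rule tying the filter list and action into the policy. A pre-shared key is shown
REM    for simplicity; for an internet-facing peer a certificate (rootca=...) is stronger.
netsh ipsec static add rule name="Backup Server Rule" policy="%POLICY%" filterlist="Backup Server Traffic" filteraction="Require ESP" conntype=all psk="%PSK%" activate=yes

REM 5. Assign the policy (only one policy can be assigned on a machine at a time).
netsh ipsec static set policy name="%POLICY%" assign=y

REM Verification: generate traffic (e.g. ping %REMOTE_IP%), then list the main-mode and
REM quick-mode SAs. Populated SAs with the remote address prove negotiation succeeded;
REM a packet capture between the hosts should then show IP protocol 50 (ESP) only.
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all
```

The IP Security Monitor MMC snap-in shows the same SA information graphically if a screenshot is easier to present than netsh output.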


Author Comment

by:dstanley9
ID: 17092999
If I implement this policy between the gateway and the remote server, will all traffic between our internal network and the remote be encrypted?  Meaning, can I set this up on the gateway and cover all traffic to/from the remote server, regardless of where it originated?  I don't care if it's encrypted between the internal servers and the remote server, so long as it's encrypted outside of our network.

Expert Comment

by:NJComputerNetworks
ID: 17093112
You can if your gateway is a Windows 200x machine.

Author Comment

by:dstanley9
ID: 17101311
OK, I think I have this working, but how do I verify that encryption is being used?  I have policies on both machines to Require Security, but how do I prove to someone that the connection is secure?
