Solved

IPSec point-to-point implementation

Posted on 2006-07-12
491 Views
Last Modified: 2007-12-19
We have an off-site "backup" web server that is being hosted by another company and is connected directly to the internet (not using a NAT router). Our corporate network is behind an ISA 2004 firewall/gateway. I need to set up an IPSec connection between the remote server and at least one server in our internal network so that we can securely transmit data between our network and the remote server.

I have tried setting up a VPN connection to the ISA from the remote server, but I only want communication between the two networks secured; regular internet traffic to/from the server does not need to go through the ISA.  I just want IPSec without NAT.

Can I / how do I set up a direct IPSec connection between the two networks?  Do I set up the connection between the ISA gateway and the remote server, or can I do it for specific internal servers?  All servers are running Windows Server 2003 Standard.

I know this is a pretty broad question, so I don't expect detailed step-by-step answers, just some key points to set up and pitfalls to look for.

TIA,

Don
Question by:dstanley9
6 Comments
 
LVL 33

Accepted Solution

by:
NJComputerNetworks earned 500 total points
ID: 17092945
Both servers must run a Windows 200x OS.

You can create a local policy on each server to allow IPSEC communication between the two servers.  This is all or nothing...  Meaning that once you turn it on, ALL traffic between these two servers will go over IPSEC.

IPSEC, in your situation, should be IP based.  Meaning...  you will setup an IPSEC rule to show source and destination IP addresses.  Use MY Address as source and Destination will be the remote IP address.

You will have to open your firewall to allow IPSEC traffic through...



Firewall Ports Needed for IPSEC
________________________________________

Configuring Firewalls to Permit ESP, ISAKMP (IKE), and AH Traffic

When a firewall exists between IPSec peers, as it does in the example, you must configure the firewall to forward IPSec traffic on UDP source and destination port 500, IP protocol 50 (ESP), or IP protocol 51 (AH). First, to permit IPSec traffic on UDP source and destination port 500, use the following settings to create a firewall filter called Permit ISAKMP traffic on UDP port 500:
• Source address = Specific_IP_address
• Destination address = Specific_IP_address
• Protocol = UDP
• Source port = 500
• Destination port = 500
To permit IPSec traffic on IP protocol 50 (ESP) or IP protocol 51 (AH), use the following settings to create a firewall filter called Permit IPSec traffic on ESP or AH protocol (50 or 51):
• Source address = Specific_IP_address
• Destination address = Specific_IP_address
• Protocol = 50 or 51


More Information:  http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en

http://www.microsoft.com/technet/itsolutions/network/ipsec/ipsecfaq.mspx

 
LVL 25

Author Comment

by:dstanley9
ID: 17092999
If I implement this policy between the gateway and the remote server, will all traffic between our internal network and the remote be encrypted? Meaning, can I set this up on the gateway and cover all traffic to/from the remote server, regardless of where it originated? I don't care if it's encrypted between the internal servers and the remote server, so long as it's encrypted outside of our network.
 
LVL 33

Expert Comment

by:NJComputerNetworks
ID: 17093112
You can if your gateway is a Windows 200x machine.
 
LVL 25

Author Comment

by:dstanley9
ID: 17101311
OK, I think I have this working, but how do I verify that encryption is being used?  I have policies on both machines to Require Security, but how do I prove to someone that the connection is secure?

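A worked check covering both the firewall filters quoted in the accepted solution and the verification question in the last comment, added here as an example and not code from any participant or from Microsoft. It encodes the two filters (UDP 500 to 500 for ISAKMP/IKE, and IP protocols 50/51 for ESP/AH, between the two specific peer addresses) and then audits a constructed one-line packet summary taken from outside the network: anything between the peers that is neither IKE negotiation nor ESP/AH is reported as a cleartext leak. With a "Require Security" policy in effect on both hosts, that leak list should be empty. The peer addresses, the summary-line format and the sample lines are all assumptions constructed for the example.

```python
# Added example (not from the thread). Encodes the two firewall filters from
# the accepted solution and audits a constructed packet summary for cleartext
# between the IPsec peers. Addresses and the summary format are assumptions.
from dataclasses import dataclass
from typing import Optional

# Constructed peer addresses (documentation ranges); replace with the real ones.
INTERNAL_PEER = "192.0.2.10"     # ISA gateway / internal server side
REMOTE_PEER = "198.51.100.20"    # off-site backup web server

TCP, UDP, ESP, AH = 6, 17, 50, 51
ISAKMP_PORT = 500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


def is_between_peers(pkt: Packet, a: str = INTERNAL_PEER, b: str = REMOTE_PEER) -> bool:
    """True when the packet travels between the two configured peers (either direction)."""
    return {pkt.src, pkt.dst} == {a, b}


def firewall_permits(pkt: Packet, a: str = INTERNAL_PEER, b: str = REMOTE_PEER) -> Optional[str]:
    """Name of the filter (as quoted in the accepted solution) that permits this
    packet, or None. Only the two peer addresses are allowed, and only
    UDP 500->500 (ISAKMP/IKE) and IP protocols 50 (ESP) and 51 (AH)."""
    if not is_between_peers(pkt, a, b):
        return None
    if pkt.proto == UDP and pkt.sport == ISAKMP_PORT and pkt.dport == ISAKMP_PORT:
        return "Permit ISAKMP traffic on UDP port 500"
    if pkt.proto in (ESP, AH):
        return "Permit IPSec traffic on ESP or AH protocol (50 or 51)"
    return None


def parse_summary_line(line: str) -> Packet:
    """Parse the constructed one-line format: '<src> <dst> <proto> [<sport> <dport>]'."""
    parts = line.split()
    if len(parts) not in (3, 5):
        raise ValueError(f"malformed summary line: {line!r}")
    src, dst, proto = parts[0], parts[1], int(parts[2])
    sport = int(parts[3]) if len(parts) == 5 else None
    dport = int(parts[4]) if len(parts) == 5 else None
    return Packet(src, dst, proto, sport, dport)


def audit_capture(lines, a: str = INTERNAL_PEER, b: str = REMOTE_PEER) -> dict:
    """Classify each packet between the peers as IKE negotiation, protected
    (ESP/AH) or a cleartext leak. With 'Require Security' on both hosts, the
    leaks list should be empty in a capture taken outside the network."""
    report = {"negotiation": 0, "protected": 0, "leaks": [], "other": 0}
    for line in lines:
        pkt = parse_summary_line(line)
        if not is_between_peers(pkt, a, b):
            report["other"] += 1          # traffic to third parties is out of scope
            continue
        rule = firewall_permits(pkt, a, b)
        if rule is None:
            report["leaks"].append(line)  # between the peers but not IPsec
        elif pkt.proto == UDP:
            report["negotiation"] += 1    # ISAKMP/IKE handshake packets
        else:
            report["protected"] += 1      # ESP/AH: payload not readable in transit
    return report


# Constructed sample capture (not real traffic).
SAMPLE_CAPTURE = [
    "192.0.2.10 198.51.100.20 17 500 500",   # IKE negotiation, gateway -> remote
    "198.51.100.20 192.0.2.10 17 500 500",   # IKE negotiation, remote -> gateway
    "192.0.2.10 198.51.100.20 50",           # ESP-protected data
    "198.51.100.20 192.0.2.10 50",           # ESP-protected data
    "192.0.2.10 198.51.100.20 6 49152 445",  # cleartext SMB: policy not in effect
    "192.0.2.10 203.0.113.5 6 49153 80",     # unrelated web traffic, out of scope
]


if __name__ == "__main__":
    result = audit_capture(SAMPLE_CAPTURE)
    print(f"negotiation={result['negotiation']} protected={result['protected']} "
          f"other={result['other']}")
    for leak in result["leaks"]:
        print("CLEARTEXT between peers:", leak)
```

On the hosts themselves, the IP Security Monitor MMC snap-in (or `netsh ipsec dynamic show sa`) lists the security associations that were actually negotiated; the capture-side audit above is the evidence a third party can inspect, because an ESP packet on the wire exposes only the SPI and sequence number, not the application data.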
