Solved

IPSec point-to-point implementation

Posted on 2006-07-12
489 Views
Last Modified: 2007-12-19
We have an off-site "backup" web server that is being hosted by another company and is connected directly to the internet (not using a NAT router).  Our corporate network is behind an ISA 2004 firewall/gateway.  I need to set up an IPSec connection between the remote server and at least one server in our internal network so that we can securely transmit data between our network and the remote server.

I have tried setting up a VPN connection to the ISA from the remote server, but I only want communication between the two networks secured; regular internet traffic to/from the server does not need to go through the ISA.  I just want IPSec without NAT.

Can I / how do I set up a direct IPSec connection between the two networks?  Do I set up the connection between the ISA gateway and the remote server, or can I do it for specific internal servers?  All servers are running Windows Server 2003 Standard.

I know this is a pretty broad question, so I don't expect detailed step-by-step answers, just some key points to set up and pitfalls to look for.

TIA,

Don
Question by: dstanley9

6 Comments

Accepted Solution

by: NJComputerNetworks (LVL 33, earned 500 total points)
Both servers must run a Windows 200x OS.

You can create a local policy on each server to allow IPSEC communication between the two servers.  This is all or nothing...  Meaning that once you turn it on, ALL traffic between these two servers will go over IPSEC.

IPSEC, in your situation, should be IP based.  Meaning...  you will set up an IPSEC rule to show source and destination IP addresses.  Use My Address as source and Destination will be the remote IP address.

You will have to open your firewall to allow IPSEC traffic through...

Firewall Ports Needed for IPSEC

Configuring Firewalls to Permit ESP, ISAKMP (IKE), and AH Traffic

When a firewall exists between IPSec peers, as it does in the example, you must configure the firewall to forward IPSec traffic on UDP source and destination port 500, IP protocol 50 (ESP), or IP protocol 51 (AH). First, to permit IPSec traffic on UDP source and destination port 500, use the following settings to create a firewall filter called Permit ISAKMP traffic on UDP port 500:

• Source address = Specific_IP_address
• Destination address = Specific_IP_address
• Protocol = UDP
• Source port = 500
• Destination port = 500

To permit IPSec traffic on IP protocol 50 (ESP) or IP protocol 51 (AH), use the following settings to create a firewall filter called Permit IPSec traffic on ESP or AH protocol (50 or 51):

• Source address = Specific_IP_address
• Destination address = Specific_IP_address
• Protocol = 50 or 51

More Information: http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en

http://www.microsoft.com/technet/itsolutions/network/ipsec/ipsecfaq.mspx

Author Comment

by: dstanley9 (LVL 25)
If I implement this policy between the gateway and the remote server, will all traffic between our internal network and the remote be encrypted?  Meaning, can I set this up on the gateway and cover all traffic to/from the remote server, regardless of where it originated?  I don't care if it's encrypted between the internal servers and the remote server, so long as it's encrypted outside of our network.
Expert Comment

by: NJComputerNetworks (LVL 33)
You can if your gateway is a Windows 200x machine.
Author Comment

by: dstanley9 (LVL 25)
OK, I think I have this working, but how do I verify that encryption is being used?  I have policies on both machines to Require Security, but how do I prove to someone that the connection is secure?
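Added example (not from the thread or from either participant): a netsh ipsec static script for Windows Server 2003 that builds the "Require Security" policy the accepted solution describes (My IP Address to the remote peer, all traffic, ESP negotiated, no fallback to clear text) and then shows how to prove encryption is in use, which the last comment asks about. The peer address 203.0.113.10, the policy names and the pre-shared key are constructed placeholders; run the script on both peers with the other side's address, and remember the ISA firewall still has to pass UDP 500 and IP protocol 50 between the two addresses.

```batch
@echo off
rem Constructed values: replace with the real peer address and a long random secret.
rem A pre-shared key is assumed because the off-site server is not in the corporate domain;
rem a certificate (rootca=) is the stronger choice if a CA is available.
set POLICY=Remote Backup IPsec
set REMOTE_IP=203.0.113.10
set PSK=replace-with-a-long-random-secret

rem 1. Policy container.
netsh ipsec static add policy name="%POLICY%" description="Encrypt all traffic to the off-site backup server"

rem 2. Filter list: this host (me) <-> the remote peer, any protocol. mirrored=yes covers the
rem    reply direction too, which is why the accepted solution calls this "all or nothing".
netsh ipsec static add filterlist name="To Backup Server"
netsh ipsec static add filter filterlist="To Backup Server" srcaddr=me dstaddr=%REMOTE_IP% protocol=ANY mirrored=yes description="All traffic to/from backup server"

rem 3. Filter action: negotiate ESP (3DES/SHA1 is the strongest Server 2003 offers) and refuse
rem    both unsecured inbound packets (inpass=no) and clear-text fallback (soft=no).
netsh ipsec static add filteraction name="Require ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem 4. Rule tying policy, filter list and action together: transport mode, PSK authentication.
netsh ipsec static add rule name="Backup Server Rule" policy="%POLICY%" filterlist="To Backup Server" filteraction="Require ESP" kerberos=no psk="%PSK%"

rem 5. Assign the policy (only one local policy can be assigned at a time).
netsh ipsec static set policy name="%POLICY%" assign=yes

rem Verification: after generating traffic (ping %REMOTE_IP%), the main-mode and quick-mode SA
rem lists must show entries for the peer. An empty qmsa list means the traffic is NOT protected.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec dynamic show mmsa
netsh ipsec dynamic show qmsa
```

The first ping replies typically read "Negotiating IP Security." while IKE completes; subsequent replies succeed and a packet capture on the ISA's external interface will show only ESP (protocol 50) between the two addresses, which is the evidence to show an auditor.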