Solved

IPSec point-to-point implementation

Posted on 2006-07-12
492 Views
Last Modified: 2007-12-19
We have an off-site "backup" web server that is being hosted by another company and is connected directly to the internet (not using a NAT router).  Our corporate network is behind an ISA 2004 firewall/gateway.  I need to set up an IPSec connection between the remote server and at least one server in our internal network so that we can securely transmit data between our network and the remote server.  

I have tried setting up a VPN connection to the ISA from the remote server, but I only want communication between the two networks secured; regular internet traffic to/from the server does not need to go through the ISA.  I just want IPSec without NAT.

Can I / how do I set up a direct IPSec connection between the two networks?  Do I set up the connection between the ISA gateway and the remote server, or can I do it for specific internal servers?  All servers are running Windows Server 2003 Standard.

I know this is a pretty broad question, so I don't expect detailed step-by-step answers, just some key points to set up and pitfalls to look for.

TIA,

Don
Question by: dstanley9
6 Comments
 
Accepted Solution by: NJComputerNetworks (LVL 33, earned 500 total points)
ID: 17092945
Both servers must run a Windows 200x OS.

You can create a local policy on each server to allow IPSEC communication between the two servers.  This is all or nothing...  Meaning that once you turn it on, ALL traffic between these two servers will go over IPSEC.

IPSEC, in your situation, should be IP based.  Meaning...  you will setup an IPSEC rule to show source and destination IP addresses.  Use MY Address as source and Destination will be the remote IP address.

You will have to open your firewall to allow IPSEC traffic through...

Firewall Ports Needed for IPSEC

Configuring Firewalls to Permit ESP, ISAKMP (IKE), and AH Traffic

When a firewall exists between IPSec peers, as it does in the example, you must configure the firewall to forward IPSec traffic on UDP source and destination port 500, IP protocol 50 (ESP), or IP protocol 51 (AH). First, to permit IPSec traffic on UDP source and destination port 500, use the following settings to create a firewall filter called Permit ISAKMP traffic on UDP port 500:
  • Source address = Specific_IP_address
  • Destination address = Specific_IP_address
  • Protocol = UDP
  • Source port = 500
  • Destination port = 500

To permit IPSec traffic on IP protocol 50 (ESP) or IP protocol 51 (AH), use the following settings to create a firewall filter called Permit IPSec traffic on ESP or AH protocol (50 or 51):
  • Source address = Specific_IP_address
  • Destination address = Specific_IP_address
  • Protocol = 50 or 51

More Information: http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en

http://www.microsoft.com/technet/itsolutions/network/ipsec/ipsecfaq.mspx

Author Comment by: dstanley9 (LVL 25)
ID: 17092999
If I implement this policy between the gateway and the remote server, will all traffic between our internal network and the remote be encrypted?  Meaning, can I set this up on the gateway and cover all traffic to/from the remote server, regardless of where it originated?  I don't care if it's encrypted between the internal servers and the remote server, so long as it's encrypted outside of our network.
Expert Comment by: NJComputerNetworks (LVL 33)
ID: 17093112
You can if your gateway is a Windows 200x machine.
Author Comment by: dstanley9 (LVL 25)
ID: 17101311
OK, I think I have this working, but how do I verify that encryption is being used?  I have policies on both machines to Require Security, but how do I prove to someone that the connection is secure?
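An added example, not part of the original thread, that models the two firewall filters quoted in the accepted solution (ISAKMP on UDP 500 and IP protocol 50/51 between the two specific peers) and adds a simple capture check for the verification question above: with a Require Security policy, anything between the peers that is not ESP, AH or ISAKMP is unprotected traffic. The peer addresses and the sample capture are constructed placeholders.

```python
# Added example, not from the original thread: models the firewall filters
# quoted in the accepted solution and a capture check for "is it encrypted?".
# Peer addresses are constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass
from typing import Optional

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
INTERNAL_PEER = "192.0.2.10"   # constructed: internal Windows 2003 server
REMOTE_PEER = "198.51.100.20"  # constructed: off-site backup web server

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None

def firewall_permits(pkt: Packet) -> bool:
    """True only if pkt matches one of the two filters from the answer:
    ISAKMP (UDP 500 -> 500) or ESP/AH (IP protocol 50 or 51), and only
    between the two specific peer addresses. Everything else is denied."""
    peers = {INTERNAL_PEER, REMOTE_PEER}
    if pkt.src not in peers or pkt.dst not in peers or pkt.src == pkt.dst:
        return False
    if pkt.proto == PROTO_UDP:
        return pkt.sport == 500 and pkt.dport == 500
    return pkt.proto in (PROTO_ESP, PROTO_AH)

def cleartext_between_peers(capture):
    """Under a Require Security policy every packet between the peers should
    be ESP/AH or ISAKMP negotiation; anything else is unprotected traffic."""
    leaks = []
    for pkt in capture:
        if {pkt.src, pkt.dst} != {INTERNAL_PEER, REMOTE_PEER}:
            continue
        isakmp = pkt.proto == PROTO_UDP and pkt.sport == 500 and pkt.dport == 500
        if not isakmp and pkt.proto not in (PROTO_ESP, PROTO_AH):
            leaks.append(pkt)
    return leaks

# Constructed capture summary: an IKE exchange, an ESP payload, and one stray
# cleartext TCP packet that would show the policy is not actually in effect.
SAMPLE_CAPTURE = [
    Packet(INTERNAL_PEER, REMOTE_PEER, PROTO_UDP, 500, 500),
    Packet(REMOTE_PEER, INTERNAL_PEER, PROTO_UDP, 500, 500),
    Packet(INTERNAL_PEER, REMOTE_PEER, PROTO_ESP),
    Packet(INTERNAL_PEER, REMOTE_PEER, 6, 1234, 445),   # cleartext TCP
]
```

Running `cleartext_between_peers` over a real capture summary taken outside the gateway gives a concrete answer to "prove the connection is secure": an empty list means only IKE and ESP/AH were seen between the peers.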