• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 517

IPSec Policy Not Working Properly

I have a small business workgroup with seven systems all running XP Pro.  I've created an IPSec policy on one system that's supposed to block any traffic from four other systems based on IP address.  The policy blocks traffic for all but one of the systems.  Enabling/Disabling the Default Response Rule has no effect.  The renegade system has only one LAN connection and all systems are plugged into the same switch.  Is there a setting that overrides IPSec and allows traffic despite the rule?  Thank you.
Asked by ottodoc

2 Solutions
LanBuddha commented:
Can you list your rules out in order that they appear?

If you have a rule that has a permit before the deny then that rule will take precedence.

IPSec on Windows does not have an explicit deny at the end of the rules so if no rule matches then the traffic is permitted.

Are we just talking about pings or what other traffic is getting through. There are some standard rules for ICMP.
 
ottodoc (Author) commented:
There is only one rule in effect for the policy in question (Default Response is not enabled).  The rule is comprised of an IP Filter List that contains the source IP Addresses of the systems that should not have access (all filters have Protocol set to "Any") and a Filter Action of Block.  The Connection Type is All Network Connections.  Tunnel Settings and Authentication Methods do not apply.  My main concern is that the system that should be blocked can access the secure system (and all its shared files) thru "My Network Places".  Thanks in advance for your help.
 
Rich Rumble (Security Samurai) commented:
Have a look at this to see if it applies to that workstation: (but I think your issue is opposite)
http://technet2.microsoft.com/WindowsServer/en/library/0e79765c-beb2-4e5e-8a74-ea7d07598f821033.mspx?mfr=true

There are limitations to IPSec: port 500 and port 88 are allowed by default even if explicitly denied. In XP SP2 and 2003 you can change this behavior with some registry changes, but by default dst/src port 88 and 500 are exempt from IPSec rules. You can use a tool like Nmap to bind to a src port, and when it scans an IPSec filter, it gets right through.
nmap -sT -P0 -T5 -g 88 server_name   or   nmap -sT -P0 -T5 -g 500 ip.ip.ip.ip
http://support.microsoft.com/kb/810207
http://support.microsoft.com/kb/811832
http://support.microsoft.com/kb/253169/EN-US/
Broadcasts are also exempt from IPSec filters, so DHCP can function, other broadcasts like netbios still work also, so you can still use "net send" to send little pop-ups

Also IPSec doesn't have an order of operation like most firewalls, it does have a "deny any any" and looks to see matches before applying it, but the order of deny vs allow in your own rules doesn't come into play, please read here: http://www.microsoft.com/technet/community/columns/cableguy/cg0205.mspx
However there are "weights" based on how specific a rule is: http://www.microsoft.com/technet/community/columns/cableguy/cg0205.mspx#EVG

I don't like IPSec filters any more, they are far harder than any firewall I've ever used to configure and they do have confusing and strange restraints. I'd use a personal firewall such as XP/2003, ZoneAlarm etc... instead.
-rich
 
LanBuddha commented:
I don't want to hijack this question, but I cannot find anywhere that it is stated that there is a default "deny any any" on IPsec; I just want to clarify my statement. This article, I think, explains how I was trying to state it:

http://support.microsoft.com/default.aspx/kb/313190

How to Create an IPSec Policy That Is Based on the Filter List
To create an IPSec policy that is based on the filter list:
1. Right-click IP Security Policies in the left pane, and then click Create IP Security Policy.
2. In the Welcome to the IP Security Policy Wizard, click Next.
3. In the IP Security Policy Name dialog box, type Permit Inbound TCP 80 and 25 in the Name box, and then click Next.
4. Click to clear the Activate the default response rule check box, and then click Next.
5. In the Completing the IP Security Policy Wizard dialog box, click to select the Edit properties check box if it is not already selected, and then click Finish.
6. Click the Rules tab.
7. Click to clear the Use Add Wizard check box, and then click Add.
8. Click the IP Filter List tab.
9. Click Option that is to the left of Inbound TCP 80 and 25 IP Filter List.
10. Click the Filter Action tab.
11. Click Option that is to the left of Permit.
12. Click Apply, and then click OK.
13. The Inbound TCP 80 and 25 Filter List check box is selected. Click Close.
The IPSec policy checks for packets that are destined for TCP port 80 and TCP port 25 on the local interface, and then matches those packets to the Permit filter action, which allows the packets through the interface.

NOTE: If you assign this policy, all traffic is allowed because there is no Deny rule that prevents other traffic. If you want to only allow traffic that you specified in the above policy, you must create a Deny rule that denies all traffic.

(bowing gracefully to Master Rich)
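As an added illustration of the points made in Rich's answer and in the KB note LanBuddha quotes above (this is constructed for the thread, not code from Microsoft or from any of the posters), here is a small Python model of how a Windows 2000/XP IPSec policy picks a filter action: there is no implicit deny, the most specific matching filter wins regardless of the order the rules are listed in, and IKE (UDP 500), Kerberos (port 88) and broadcast/multicast traffic bypass the filters until the default exemptions are turned off (the registry change behind KB 810207). The host addresses, the specificity scoring and the exemption list are simplifications made up for the example and do not claim to be the driver's real algorithm.

```python
"""Toy model of Windows 2000/XP IPSec filter selection (constructed for
this thread; not Microsoft's code). It models three behaviours the
answers above describe: no implicit deny, the most specific matching
filter wins regardless of listing order, and the default exemptions for
IKE (UDP 500), Kerberos (port 88) and broadcast/multicast traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """One IP filter together with the filter action it is bound to."""
    name: str
    action: str                 # "block" or "permit"
    src: str = "0.0.0.0/0"      # "Any IP Address" in the MMC snap-in
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

    def specificity(self) -> int:
        """Higher is more specific: a /32 host beats a subnet beats 'any',
        and naming a protocol or port adds to the score (simplified)."""
        score = ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen
        return (score + int(self.proto != "any")
                + int(self.sport is not None) + int(self.dport is not None))


def default_exempt(p: Packet) -> Optional[str]:
    """Traffic the driver passes before any filter is consulted (modelled
    after Rich's answer; the real list depends on platform and service pack)."""
    dst = ip_address(p.dst)
    if dst == ip_address("255.255.255.255") or dst.is_multicast:
        return "broadcast/multicast is exempt"
    if p.proto == "udp" and 500 in (p.sport, p.dport):
        return "IKE (UDP 500) is exempt"
    if 88 in (p.sport, p.dport):
        return "Kerberos (port 88) is exempt"
    return None


def evaluate(policy: Iterable[Filter], p: Packet,
             no_default_exempt: bool = False) -> Tuple[str, str]:
    """Return (action, reason). no_default_exempt=True models the registry
    hardening Rich refers to (KB 810207), under which the exemptions no longer apply."""
    if not no_default_exempt:
        reason = default_exempt(p)
        if reason:
            return "permit", reason
    hits = [f for f in policy if f.matches(p)]
    if not hits:
        return "permit", "no filter matched (IPSec has no implicit deny)"
    # Listing order is irrelevant: the most specific match decides.
    # Equal scores are ambiguous in this model, as they are in practice.
    best = max(hits, key=Filter.specificity)
    return best.action, best.name


# Constructed addresses standing in for the poster's secure system and
# the four systems the policy is meant to block.
SECURE_HOST = "192.168.1.10"
BLOCKED_HOSTS = ["192.168.1.11", "192.168.1.12", "192.168.1.13", "192.168.1.14"]
OTTODOC_POLICY = [Filter(f"block {h}", "block", src=f"{h}/32") for h in BLOCKED_HOSTS]

# The KB 313190 policy quoted above, first as written (permits only),
# then with the catch-all Block filter the KB note says is needed.
KB313190_POLICY = [Filter("permit inbound tcp 80", "permit", proto="tcp", dport=80),
                   Filter("permit inbound tcp 25", "permit", proto="tcp", dport=25)]
LOCKED_DOWN = [Filter("block everything else", "block")] + KB313190_POLICY


def smb_from(src: str, sport: int = 1025) -> Packet:
    """A constructed file-sharing connection (TCP 445) to the secure host."""
    return Packet(src, SECURE_HOST, "tcp", sport, 445)


def demo() -> Dict[str, Tuple[str, str]]:
    return {
        "listed host":              evaluate(OTTODOC_POLICY, smb_from("192.168.1.11")),
        "unlisted host":            evaluate(OTTODOC_POLICY, smb_from("192.168.1.20")),
        "listed host, sport 88":    evaluate(OTTODOC_POLICY, smb_from("192.168.1.11", 88)),
        "same, exemptions off":     evaluate(OTTODOC_POLICY, smb_from("192.168.1.11", 88),
                                             no_default_exempt=True),
        "KB policy, permits only":  evaluate(KB313190_POLICY, smb_from("192.168.1.11")),
        "KB + block-all, port 80":  evaluate(LOCKED_DOWN,
                                             Packet("192.168.1.11", SECURE_HOST, "tcp", 1025, 80)),
        "KB + block-all, port 445": evaluate(LOCKED_DOWN, smb_from("192.168.1.11")),
    }


if __name__ == "__main__":
    for case, (action, why) in demo().items():
        print(f"{case:26} -> {action:6} ({why})")
```

Running it shows the two things the answers stress: a host not named in any filter is permitted because nothing ever matched, and with only Permit filters assigned (the KB policy as written) everything else still flows. Once a catch-all Block filter is added, the Permit filters for TCP 80 and 25 still win because they are more specific, even though the Block filter is listed first. The `no_default_exempt` switch models the hardened state in which the port-88/500 exemptions no longer bypass a Block filter; a block-by-address policy can only be relied on once that exemption is closed.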
 
Rich Rumble (Security Samurai) commented:
You're correct, there is no deny any any by default; that is my mistake.
-rich
Question has a verified solution.
