Solved

Windows 2008 and ipsec

Posted on 2008-10-02
710 Views
Last Modified: 2011-10-19
Hello everybody,
In my lab network I would like to test ipsec to encrypt a telnet session between a workstation and a server, both in the same domain. Since I am new to Windows Server 2008, I am a little bit puzzled about how to configure an ipsec rule, or rather connection security rules.
Below are the details of my lab network:
1 DC windows server 2008 sp1
1 Member server Windows 2008 sp1 (the telnet server)
1 workstation member Windows XP SP2 (the telnet client)
So my question is: is it possible to use telnet with ipsec between an XP client and a server running Windows 2008? If so, what are the steps to be taken?
Thanks in advance for your help
Leonardo
Question by: leobis

5 Comments

Expert Comment

by:Dave Howe
ID: 22632554
Well, you have a number of choices.

IPSec is indeed native to windows these days, and a site-to-site can be set up quite simply. Decent guide here:

http://www.enterprisenetworkingplanet.com/netsecur/article.php/3489911

You can also use PPTP for the same purpose.

However, if all you want is encrypted telnet, then you might want to consider using OpenSSH instead: that's encrypted telnet, plus some file transfer capabilities.

http://sshwindows.sourceforge.net/

This is much simpler, and you can use any SSH client (such as PuTTY) or scp/sftp client (such as WinSCP or FileZilla) along with either normal Windows usernames/passwords or, if you wish, RSA certificates.

Author Comment

by:leobis
ID: 22632684
Hi Dave,
and thanks for your reply, but the reason why I am trying to configure a Windows XP SP3 to use ipsec communications in a Windows Server 2008 scenario is to get a better understanding of the new Windows Firewall rules and the connection security rules.
So far I have succeeded in making ipsec connections between a Vista and a Windows 2008 server, but I am still experiencing some problems between XP Pro SP3 and Windows 2008 server.
Anyhow thanks again for your reply
Leonardo

Expert Comment

by:Dave Howe
ID: 22633635
Are you getting any errors in the logs while establishing the tunnel?

Accepted Solution

by: leobis (earned 0 total points)
ID: 22641602
Hi Dave,
and sorry for the late answer, but I was not at my place yesterday; today I tried again and it seems to be working. I changed the ipsec filter list of the Windows XP SP3 as follows:

protocol    source port    dest port
tcp         any            23            (did not work)
any         any            any           (now it WORKS!!)

Actually it seems the firewall rule(s) applied on the Windows 2008 server act as the ipsec filter (despite the fact that "any protocol" is enabled on the Windows XP SP2 telnet client).
I noticed this behavior while monitoring the telnet sessions from the Windows XP SP3 and Vista domain members (see the enclosed JPG snapshot taken on the Windows Server 2008). Anyway, this is only my assumption; if you feel like testing it in your lab network, please let me know your comments.

The snapshot shows the quick mode monitoring session from the telnet server:
192.168.10.17 is the Windows XP SP3
192.168.10.18 is the Windows Vista
Have a nice weekend
Leonardo
ipsec.JPG

Expert Comment

by:Dave Howe
ID: 22641667
It's possible that the firewall rules are being performed on egress, rather than on the decrypted traffic, so you would need to permit ipsec packets, not tcp/23 (telnet).

This is UDP port 500 (aka IKE) and IP protocol 50 (ESP). Note, however, that ESP is an IP protocol at the same level as TCP or UDP, not a port within either of those protocols; this can be awkward to specify in firewalls. With many, your only recourse is to specifically block ICMP, TCP and UDP (all any->any), then allow "any" as a protocol.

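Dave's point that ESP is an IP protocol rather than a port, together with the filter-list result in the accepted answer, can be made concrete with a small Python model of what a port-based filter actually sees in a packet header. This is an added example, not code from the thread or from Windows: it builds three constructed packets (a clear telnet SYN, an IKE datagram on UDP/500, and an ESP packet with IP protocol 50) from the XP client address in the thread to a hypothetical server address 192.168.10.1, then evaluates each against the three filter lists discussed here: tcp/any/23, any/any/any, and an explicit IKE + ESP pair.

```python
import struct
import ipaddress

# IANA protocol numbers. ESP sits at the same layer as TCP and UDP,
# which is why it cannot be expressed as a port of either.
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
TELNET_PORT = 23


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def build_tcp(sport, dport):
    """20-byte TCP header with only SYN set; enough for a port filter to read."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def build_udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_esp(spi, seq, ciphertext):
    """ESP header: 4-byte SPI, 4-byte sequence number, then opaque encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse_ipv4(pkt):
    """Return what a packet filter can see: protocol, addresses, and ports only
    when the transport header is readable (TCP/UDP). For ESP the inner TCP
    header is inside the ciphertext, so no port is available to match on."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    info = {"proto": proto,
            "src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "sport": None, "dport": None, "spi": None}
    body = pkt[ihl:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
    elif proto == IPPROTO_ESP:
        info["spi"] = struct.unpack("!I", body[:4])[0]
    return info


def matches(rule, info):
    """rule = (proto, sport, dport); each element is an int or the string 'any'."""
    proto, sport, dport = rule
    if proto != "any" and proto != info["proto"]:
        return False
    if sport != "any" and sport != info["sport"]:
        return False
    if dport != "any" and dport != info["dport"]:
        return False
    return True


def evaluate(rules, pkt):
    """True if any rule in the filter list matches the packet."""
    info = parse_ipv4(pkt)
    return any(matches(r, info) for r in rules)


# Constructed sample traffic. 192.168.10.17 is the XP client from the thread;
# 192.168.10.1 is a hypothetical address standing in for the telnet server.
CLIENT, SERVER = "192.168.10.17", "192.168.10.1"
CLEAR_TELNET = build_ipv4(IPPROTO_TCP, CLIENT, SERVER, build_tcp(49152, TELNET_PORT))
IKE = build_ipv4(IPPROTO_UDP, CLIENT, SERVER, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28))
ESP = build_ipv4(IPPROTO_ESP, CLIENT, SERVER, build_esp(0x1A2B3C4D, 1, b"\xAA" * 48))

# The three filter lists discussed in the thread.
TCP23_ONLY = [(IPPROTO_TCP, "any", TELNET_PORT)]                               # "did not work"
ANY_ANY_ANY = [("any", "any", "any")]                                           # "now it WORKS"
IPSEC_EXPLICIT = [(IPPROTO_UDP, "any", IKE_PORT), (IPPROTO_ESP, "any", "any")]  # Dave's advice


def report():
    """Match result of every sample packet against every filter list."""
    rows = {}
    for name, pkt in (("clear telnet", CLEAR_TELNET), ("IKE", IKE), ("ESP", ESP)):
        rows[name] = {"tcp/23": evaluate(TCP23_ONLY, pkt),
                      "any": evaluate(ANY_ANY_ANY, pkt),
                      "ipsec": evaluate(IPSEC_EXPLICIT, pkt)}
    return rows


if __name__ == "__main__":
    for name, res in report().items():
        print(f"{name:13s} " + "  ".join(f"{k}={v}" for k, v in res.items()))
```

Once the telnet session is wrapped in ESP, the only things a filter can read are protocol 50 and the SPI; there is no TCP header to compare against port 23, so the tcp/any/23 list never matches the protected traffic, while any/any/any and the explicit UDP/500 + protocol 50 pair both do. The model covers header visibility only; it says nothing about whether a given firewall evaluates its rules before or after decryption, which is the ordering question Dave raises.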
