Solved

Windows 2008 and ipsec

Posted on 2008-10-02
Last Modified: 2011-10-19
Hello everybody,
in my lab network i would like to test ipsec to encrypt a telnet session between a workstation and server both in the same domain. Since I am new with Windows server 2008 I am a little bit puzzled on how to configure an ipsec rule or better connection security rules.
below are the details about my lab network
1 DC windows server 2008 sp1
1 Member server Windows 2008 sp1 (the telnet server)
1 workstation member Windows XP SP2 (the telnet client)
so my question is: is it possible to use telnet with ipsec between an xp client and a server running windows 2008; if so what are the steps to be taken?
Thanks in advance for your help
Leonardo
Question by:leobis
5 Comments
LVL 33

Expert Comment

by:Dave Howe
ID: 22632554
Well, you have a number of choices.

IPSec is indeed native to windows these days, and a site-to-site can be set up quite simply. Decent guide here:

http://www.enterprisenetworkingplanet.com/netsecur/article.php/3489911

you can also use pptp for the same purpose.

However, if all you want is encrypted telnet, then you might want to consider using openssh instead - that's encrypted telnet, plus some file transfer capabilities.

http://sshwindows.sourceforge.net/

this is much simpler, and you can use any ssh client (such as putty) or scp/sftp client (such as winscp or filezilla) along with either normal windows usernames/passwords or if you wish, rsa certificates.

Author Comment

by:leobis
ID: 22632684
Hi Dave,
and thanks for your reply, but the reason why I am trying to configure a windows xp sp3 to use ipsec communications in a Windows server 2008 scenario is for a better understanding of the new windows firewall rules and the connection security rules.
So far I have succeeded in making ipsec connections between a Vista and windows 2008 server but I am still experiencing some problems between xp pro sp3 and windows 2008 server.
Anyhow thanks again for your reply
Leonardo
LVL 33

Expert Comment

by:Dave Howe
ID: 22633635
are you getting any errors in the logs while establishing the tunnel?

Accepted Solution

by:
leobis earned 0 total points
ID: 22641602
Hi Dave,
and sorry for the late answer but I was not at my place yesterday; today I tried again and it seems to be working. I changed the filter list in the ipsec of the Windows xp sp3 as follows:

protocol    source port    dest port
tcp         any            23           (did not work)
any         any            any          (now it WORKS!!)

Actually it seems the firewall rule(s) applied in the windows 2008 server act as the ipsec filter (despite the fact that any protocol / any port is enabled in the windows xp sp2 telnet client)
I noticed this behavior on monitoring the telnet sessions from the Windows xp sp3 and Vista domain member (see enclosed the jpg snapshot taken in the windows server 2008) .... anyway this is only my assumption; if you feel like testing in your lab network please let me know your comments

in the snapshot the quick mode monitoring session from the telnet server is shown
192.168.10.17 is the windows xp sp3
192.168.10.18 is the windows vista
have a nice weekend
Leonardo
ipsec.JPG
LVL 33

Expert Comment

by:Dave Howe
ID: 22641667
it's possible that the firewall rules are being performed on egress, rather than on the decrypted traffic - so you would need to permit ipsec packets, not tcp/23 (telnet)

this is udp port 500 (aka IKE) and IP protocol 50 (ESP) - note however that ESP is an IP protocol at the same level as tcp or udp, not a port within either of those protocols; this can be awkward to specify in firewalls. with many, your only recourse is to specifically block icmp, tcp and udp, (all any->any) then allow "any" as a protocol.

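For anyone reproducing this lab, here is the netsh form of what the thread settles on (a connection security rule on the Server 2008 side plus host-firewall rules for IKE and ESP, with telnet itself only reachable over IPsec). This is an added example written for this page, not commands posted by either participant; the client addresses 192.168.10.17 and 192.168.10.18 are the ones given above, and the server's own address and the domain membership (for Kerberos computer authentication) are assumed.

```batch
REM Added example (not from the thread). Run in an elevated cmd prompt on the
REM Windows Server 2008 telnet server. Assumptions: both clients are domain
REM members, so Kerberos computer authentication works without certificates.

REM 1. Connection security rule: require IPsec in both directions between this
REM    server and the two lab clients. "requestinrequestout" is safer while
REM    testing (non-IPsec peers still connect); switch to "require" once the
REM    quick-mode SAs appear. 3DES/SHA1 is chosen because the XP SP3 client's
REM    IPsec stack does not negotiate AES, so an AES-only proposal fails there.
netsh advfirewall consec add rule name="Lab IPsec Telnet" ^
  endpoint1=any endpoint2=192.168.10.17,192.168.10.18 ^
  mode=transport action=requireinrequireout auth1=computerkerb ^
  qmsecmethods=esp:sha1-3des enable=yes

REM 2. What still has to pass the host firewall is the IPsec control and data
REM    traffic itself: IKE on UDP 500 and ESP, which is IP protocol 50 (a
REM    protocol number, not a TCP/UDP port). The clear-text "tcp any->23"
REM    filter that did not work in the thread is not needed here because
REM    Windows Firewall with Advanced Security matches on the decrypted payload.
netsh advfirewall firewall add rule name="Allow IKE (UDP 500)" ^
  dir=in action=allow protocol=udp localport=500
netsh advfirewall firewall add rule name="Allow ESP (IP protocol 50)" ^
  dir=in action=allow protocol=50

REM 3. Open the telnet port only for IPsec-authenticated connections, so a peer
REM    that skips IPsec cannot reach port 23 even if step 1 is left on "request".
netsh advfirewall firewall add rule name="Telnet over IPsec only" ^
  dir=in action=allow protocol=tcp localport=23 security=authenticate

REM 4. Verify: list the rule, then watch quick-mode SAs form while a client
REM    opens telnet. "monitor show qmsa" exists on Server 2008 R2 and later;
REM    on 2008 RTM use the Monitoring node of the WFAS MMC snap-in instead,
REM    which is where the screenshot in the accepted answer comes from.
netsh advfirewall consec show rule name="Lab IPsec Telnet"
netsh advfirewall monitor show qmsa
```

On the XP SP3 side the matching IP Security Policy (Local Security Policy) must offer 3DES/SHA1 with Kerberos authentication and, as the accepted answer found, an any/any filter; the server-side rules above then decide what is actually let through.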