Following is a procedure to establish IP Security (IPSec) between two Windows Server hosts, one running Windows Server 2003 and the other running Windows 2000 Server. The 2000 Server host is configured to match the stronger default security parameters of Server 2003, while the Server 2003 host is left mostly in its default state. SHA1 is the specified integrity algorithm, and packet data is encrypted with 3DES. Both servers require that all IP communication between them, and only between them, be authenticated and encrypted; traffic to and from all other hosts is not affected by IPSec.
Part I - Configure Windows 2000 Server
1. Create a Console
Start > in the run line, type 'mmc' >
OK >
In the Console1 window, click 'Console' > Add/Remove Snap-in... >
Add... > select 'IP Security Policy Management' >
Add > check next to 'Local Computer' >
Finish >
Close >
OK >
2. Create a New IP Security Policy
right click on 'IP Security Policies on Local Machine' > Create IP Security Policy >
Next >
Next > uncheck 'Activate the default response rule.' >
Next > check 'Edit properties' >
Finish > check 'Use Add Wizard' >
Add... >
Next > check 'This rule does not specify a tunnel' >
Next > check 'All network connections' >
Next > check 'Use this string to protect the key exchange (preshared key):' > choose a password and type it in the following field >
Next >
3. Create a New IP Filter List for this Security Policy
Add... >
check 'Use Add Wizard' > Add... >
Next > select 'My IP Address' from 'Source address:' list >
Next > select 'A specific IP Address' from 'Destination address:' list > type SERVER1's IP address in the following field >
Next > select 'Any' from 'Select a protocol type:' list >
Next > uncheck 'Edit Properties' >
Finish >
Close > select the 'IP Filter List' you just made >
Next > check 'Use Add Wizard' >
4. Create a New Filter Action for this Security Policy
Add... >
Next >
Next > check 'Negotiate security' >
Next > check 'Do not communicate with computers that do not support IPSec.' >
Next > check 'Custom' > Settings... >
check 'Data integrity and encryption (ESP):' > select 'SHA1' from 'Integrity algorithm:' list > select '3DES' from 'Encryption algorithm:' list >
OK >
Next >
Finish > select the Filter Action you just made >
Next > uncheck 'Edit Properties' >
Finish >
Close >
right click the IP Security Policy you just made > Assign >
...and you're done.
5. Test the Configuration
If you're pinging SERVER1 when the security association comes up, you'll see this:
However, you won't see these replies until both ends are configured. The pings will change from 'Negotiating IP Security' to 'Reply from ...' only after finishing the configuration on SERVER1, the Server 2003 host described in the next section of this document.
Use the built-in IP Security Monitor to verify a successful security association.
Start > type 'ipsecmon' >
OK >
This association will appear only after both ends are configured, both the Windows 2000 Server host discussed above and the Server 2003 host described below.
Part II - Configure Windows Server 2003
1. Create a Console
Start > Run > type 'mmc' >
OK >
In the Console1 window, click 'File' > Add/Remove Snap-in... >
Add... > select 'IP Security Monitor' >
Add > select 'IP Security Policy Management' >
Add > select 'Local Computer' >
Finish >
Close >
OK >
2. Create a New IP Security Policy
right click on 'IP Security Policies on Local Machine' > select 'Create IP Security Policy' >
Next >
Next > uncheck 'Activate the default response rule.' >
Next > check 'Edit properties' >
Finish > check 'Use Add Wizard' >
Add... >
Next > check 'This rule does not specify a tunnel' >
Next > check 'All network connections' >
Next >
3. Create a New IP Filter List for this Security Policy
Add... > check 'Use Add Wizard' >
Add... >
Next > check 'Mirrored. Match packets with the exact opposite source and destination addresses.' >
Next > select 'My IP Address' from 'Source address:' list >
Next > select 'A specific IP Address' from 'Destination address:' list > type SERVER2's IP address in the following field >
Next > select 'Any' from 'Select a protocol type:' list >
Next > uncheck 'Edit properties' >
Finish >
OK > select the 'IP Filter List' you just made >
Next > select 'Use Add Wizard' >
4. Create a New Filter Action for this Security Policy
Add... >
Next >
Next > check 'Negotiate security' >
Next > check 'Do not communicate with computers that do not support IPSec.' >
Next > check 'Custom' >
Settings... > check 'Data integrity and encryption (ESP):' > select 'SHA1' from 'Integrity algorithm:' list > select '3DES' from 'Encryption algorithm:' list >
OK >
OK >
Next > uncheck 'Edit properties' >
Finish > select the Filter Action you just made >
Next > select 'Use this string to protect the key exchange (preshared key):' > choose a password and type it in the following field >
Next > uncheck 'Edit properties' >
Finish >
OK >
right click the IP Security Policy you just made > Assign >
...and you're done.
5. Test the Configuration
You already set up SERVER2, so completing this configuration on SERVER1 completes both ends of the security association. If you are pinging SERVER2 from SERVER1 as the association comes up, you will see this:
A successful association should be indicated under the 'IP Security Monitor' node.
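Steps 2 through 5 of Part II as one script, an added example that is not part of the original post: it uses the netsh ipsec static context that exists on Windows Server 2003 (Windows 2000 Server has no such context, so Part I still needs the console). SERVER2's address 192.0.2.20 and the key value are placeholders to replace before running it from an administrative command prompt on SERVER1.

```batch
@echo off
REM Added example: the Part II policy built with "netsh ipsec static" on
REM Windows Server 2003. The address and key below are placeholders; use
REM SERVER2's real address and the preshared key chosen in Part I, step 2.
set SERVER2_IP=192.0.2.20
set PSK=ReplaceWithTheSharedKey

REM Step 2: new policy with the default response rule left unactivated.
netsh ipsec static add policy name="IPSec to SERVER2" ^
    description="Require ESP 3DES/SHA1 to SERVER2" activatedefaultrule=no

REM Step 3: mirrored filter, My IP Address to SERVER2, any protocol.
netsh ipsec static add filterlist name="SERVER2 traffic"
netsh ipsec static add filter filterlist="SERVER2 traffic" ^
    srcaddr=Me dstaddr=%SERVER2_IP% protocol=ANY mirrored=yes

REM Step 4: negotiate ESP with SHA1 integrity and 3DES encryption.
REM inpass=no and soft=no are the "Do not communicate with computers that
REM do not support IPSec" choice: no cleartext fallback in either direction.
netsh ipsec static add filteraction name="Require ESP 3DES SHA1" ^
    action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

REM Rule joining filter list, filter action and the preshared key.
REM No tunnel endpoint and conntype=all match "This rule does not specify
REM a tunnel" and "All network connections"; kerberos=no leaves the
REM preshared key as the only authentication method, as in the wizard.
netsh ipsec static add rule name="SERVER2 rule" policy="IPSec to SERVER2" ^
    filterlist="SERVER2 traffic" filteraction="Require ESP 3DES SHA1" ^
    conntype=all kerberos=no psk="%PSK%"

REM Assign the policy (the right-click > Assign step).
netsh ipsec static set policy name="IPSec to SERVER2" assign=yes

REM Step 5: once a ping to SERVER2 gets replies instead of "Negotiating IP
REM Security", the quick-mode SA to SERVER2 should be listed here.
netsh ipsec dynamic show qmsas
```

The preshared key ends up stored in the local policy on both hosts, so treat it as the password the post calls it and prefer a long random string.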