Configuring Windows to do this same thing is much harder. I would say that until you have done it properly once, it borders on black magic. Even if you have done it properly once, if the configuration is even slightly different and you didn't take the time to really understand it the first time, you are in for another rough ride. The way your mouse finger feels after clicking your way through the dialogs for this configuration is just another symptom of how most complicated things are easier and more user friendly in Linux.
It helps to have a custom "management console" when you're dealing with ipsec. You can put this on the desktop or someplace else convenient, and save your mouse finger from exhaustion clicking through menus to find things. Use the following steps:
Start - Run - mmc
Console - Add/Remove Snap-in
Add - Certificates
Add - Computer Account - Local Computer - Finish
Add - IP Security Policy Management
Add - Local Computer - Finish - Close - OK
Console - Save - <wherever you want to put it>
You can just double click on the icon this creates to open the custom console from now on.
In order to configure Windows 2000, there are several basic entities that you must understand. It is easy to get lost in all the clicky-clicky:
IP Security Rules - the top level. An IP Security Rule is composed of:
    an IP Filter List - which packets match the rule? An IP Filter List is composed of:
        Filters - traditional IP address, subnet mask, protocol or port matching, like ipchains
    a Filter Action - what do we want to do with those packets? Encrypt? Sign? A Filter Action is composed of:
        Security Methods - different negotiable combinations of integrity protection and encryption. The setup in this section uses ESP with 3DES encryption and MD5 (HMAC-MD5) integrity, which is a Custom security method in Windows.
    Authentication Methods - how do we authenticate the players? Windows can do Kerberos (only between members of a Windows domain, so not with FreeS/WAN), X.509 certificates from a CA (that can be you!) or preshared keys
    a Tunnel Setting - is this a tunnel? What is the tunnel endpoint IP address?
    a Connection Type - does this IP Security Rule apply to all network connections, or just LAN or dialup (remote access) connections?
Also, for Windows 2000, you must have Service Pack 2 (or the High Encryption Pack). Without it, Windows will not do the required 3DES encryption: it quietly falls back to DES even though the policy says 3DES, and the negotiation with FreeS/WAN fails. You can get it from:
http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/sp2lang.asp
Pretty hairy. For what I wanted to do (tunnel mode ESP with MD5 signing and preshared key authentication) I had to set up two rules, one for inbound traffic specifying the Windows client IP address as the endpoint of the tunnel, and one for outbound traffic specifying the router as the endpoint of the tunnel. I did not want to have to know the IP address of the client, since I want to use DHCP to deliver these addresses, but I haven't worked out a way around it yet. Maybe if some Windows people are reading this they can drop a line...
Configure the Windows 2000 client:
a) run the custom mmc console you just made
b) click on IP Security Policies in the left pane
c) Action - Create IP Security Policy
d) Next, choose a name (Win2k to FreeS/WAN), uncheck "Activate the default response rule", check "Edit properties", Finish
e) add an IP Security Rule to grab outbound traffic and tunnel it to FreeS/WAN using 3DES and MD5
f) Next, enter the tunnel endpoint (<router IP Address>), LAN connection, preshared key (<your preshared key>)
g) add both IP filter lists (inbound and outbound) now; then you can just select "inbound traffic" when you define the second rule
h) Add IP filter list, name "outbound traffic", Add (a filter)
i) Next, source: My IP Address, destination: Any IP Address, any protocol, Finish
   note: my setup tunnels ALL IP traffic through my router. If you are only tunneling traffic to one subnet, specify that here with the network address and subnet mask instead of Any IP Address. Leave "Mirrored" unchecked on these filters: a tunnel rule needs one-way filters with a separate tunnel endpoint for each direction, which is why there are two lists.
j) add another filter list, name "inbound traffic", Add (a filter)
k) Next, source: Any IP Address, destination: My IP Address, any protocol, Finish, Close
   note: see the note above
l) select the "outbound traffic" filter list, Next
m) add a filter action to encrypt and authenticate with FreeS/WAN (3DES and MD5)
n) Next, name "freeswan compatible", Negotiate security, "Do not communicate with computers that do not support IPSec", Custom (ESP with MD5 integrity and 3DES encryption), check "Edit properties", Finish
o) uncheck "Accept unsecured communication, but always respond using IPSec" (and make sure "Allow unsecured communication with non IPSec-aware computer" is unchecked too), check "Session key Perfect Forward Secrecy", OK
p) select the "freeswan compatible" filter action
q) uncheck "Edit properties", Finish
The next one is easier, because you have already defined the filter lists and the filter action during the previous wizards, so you can just select them to apply them to the inbound traffic IP Security Rule. I'll go through this quickly, but just hit Next or OK if I've skipped a step.
r) add another IP Security Rule
s) Next, tunnel endpoint (<client IP Address>), LAN connection, preshared key (<your preshared key>), select the "inbound traffic" filter list, select the "freeswan compatible" filter action, Finish
t) General tab, Advanced, check "Master key Perfect Forward Secrecy", Close, Close
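For reference, here is the FreeS/WAN side that matches the Windows policy built in steps a) through t). This is an added example and not part of the original page or of the FreeS/WAN distribution. The addresses are RFC 5737 documentation addresses standing in for the page's <router IP Address> (203.0.113.1, with an assumed default gateway of 203.0.113.254) and <client IP Address> (198.51.100.77); the connection name "win2k" and the sample key are constructed; and leftsubnet=0.0.0.0/0 is assumed to be how FreeS/WAN expresses the "tunnel everything" selector that the Windows "My IP Address to Any IP Address" filters use.

```ini
# /etc/ipsec.conf on the FreeS/WAN router (added example; constructed values)
config setup
        # assumed: the router's public interface carries the default route
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn %default
        keyingtries=0

conn win2k
        # left = the FreeS/WAN router, right = the Windows 2000 client
        left=203.0.113.1
        leftnexthop=203.0.113.254
        # The Windows filters tunnel ALL of the client's traffic
        # (My IP Address <-> Any IP Address), so the router's side of the
        # tunnel has to cover every destination or Windows will reject the
        # quick mode proposal. Narrow this to the real subnet if you narrowed
        # the Windows filters.
        leftsubnet=0.0.0.0/0
        # The client is a single host, so no rightsubnet
        right=198.51.100.77
        # matches the Windows authentication method: preshared key
        authby=secret
        # matches "Session key Perfect Forward Secrecy" on the Windows side
        # (pfs=yes is also FreeS/WAN's default)
        pfs=yes
        # FreeS/WAN's default ESP proposal includes 3DES with HMAC-MD5, which
        # is what the Windows "freeswan compatible" custom method offers
        # Windows initiates when the client sends traffic, so the router only
        # loads the connection and waits for it
        auto=add

# /etc/ipsec.secrets on the router: the same preshared key that was typed
# into both Windows rules, on one line, with no trailing whitespace or
# carriage return (a common reason the key "does not match").
# router-address client-address : PSK "key"
203.0.113.1 198.51.100.77 : PSK "example-shared-key-change-me"
```

Note that FreeS/WAN keeps the preshared key in ipsec.secrets, not in ipsec.conf; only the router side of the key needs to be on the router. If the client address were allowed to float, the FreeS/WAN side could use right=%any and a "203.0.113.1 %any : PSK" secret (the road warrior form), but that does not remove the need to type the client's address into the Windows inbound rule's tunnel endpoint, which is the limitation described above.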
You should be done. Right click the "Win2k to FreeS/WAN" IP Security Policy and click Assign in the context menu. Open a command prompt and ping your router. If everything is correct, you will get "Negotiating IP Security." as the response to the first few pings (typically all four of the first ping command, while IKE main mode and quick mode complete), and the pings should go through after that.
If not, double click on the "Win2k to FreeS/WAN" IP Security Policy to re-enter the configuration dialogs. You will see the two IP Security Rules you just created. Double click on one of them to check the configuration.
You will see five tabs at the top of the dialog corresponding to the items described at the beginning of this section. First check the "outbound traffic" filter list, then the "inbound traffic" filter list. Double click on them to enter the configuration dialog, then double click the Filter. Do they have the right source and destination addresses? Remember, this matches packets much the way ipchains rules do, so if the filter doesn't match, the packet is never "forwarded" to the Filter Action and it will go out unencrypted (or be dropped, depending on the other end's policy).
If the Filter Lists are both okay, move on to the Filter Action. We use the same Filter Action for both IP Security Rules, so we just have to make sure that it says to negotiate security with ESP, 3DES and MD5. We should also check again that "Accept unsecured communication..." and "Allow unsecured communication..." are unchecked, because either of those lets traffic flow in the clear when negotiation fails, which is not what we are trying to get, and that "Session key Perfect Forward Secrecy" is checked.
Check the Authentication Method to make sure that the shared key is exactly the same as the one on the FreeS/WAN side (FreeS/WAN keeps preshared keys in /etc/ipsec.secrets, not ipsec.conf) and that there is no carriage return or trailing whitespace at the end on either side. Keep in mind that Windows 2000 stores the preshared key readable in the registry, so treat it as a convenience for getting the tunnel up rather than a secret you reuse anywhere else.
Check the tunnel setting and make sure that the tunnel endpoint is the router ip address for the "outbound traffic" Filter List and the ip address of the Windows 2000 Client for the "inbound traffic" list.
The Connection Type should be LAN only. We don't want to inadvertently try to encrypt our dialup sessions, do we?
If any of these things were wrong, fix them and then restart the IPSEC Policy Agent service so that the changed policy is actually loaded: Start - Settings - Control Panel - Administrative Tools - Services, right click on "IPSEC Policy Agent" and click Restart. Then ping the router again.