Tunnel mode IPSec in Win2k

From: Ben Hughes (not_at_on.usenet.sorry)
Date: 03/08/04


Date: Mon, 8 Mar 2004 16:32:24 +0000 (UTC)

I'm trying to set up a "client" win2k box to talk to a LAN over ipsec.
Something like this (cue bad ascii diagram)

 win2k box          Interweb          VPN box outside : inside
 10.142.0.2/24                        10.171.0.2/24   : 10.201.0.2/24

so that 10.142.0.2/32 can talk to 10.201.0.0/24, using tunnel mode
pointing at 10.171.0.2

The problem I'm having is nothing leaves the box, looking in event log
I'm getting:

"The IPSec driver failed the oakley negotiation with 10.201.0.2 since no
filter exists to protect packets to that destination..."

Which is a little barmy, as it wouldn't be trying to talk ipsec to it
if there wasn't a filter (which there is), so I'm a little confused.

If anyone has any light they could shed, that'd be fantastic, cheers.

My policy looks like this at present:

IP Security test . . . . . . . . . : Passed
    Local IPSec Policy Active: 'New IP Security Policy'
    IP Security Policy Path: SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{24C0DBF1-D043-43F7-B2B3-6D6EE0B18412}

    There are 2 filters
    No Name
     Filter Id: {B505B39E-81EA-4CAA-9214-607ABC72F4EA}
     Policy Id: {C48B5875-9F73-40E3-AA0D-3A75F4D7FBF9}
        IPSEC_POLICY PolicyId = {C48B5875-9F73-40E3-AA0D-3A75F4D7FBF9}
                Flags: 0x0
                Tunnel Addr: 0.0.0.0
        PHASE 2 OFFERS Count = 1
                Offer #0:
        ESP[ DES MD5 HMAC]
        Rekey: 0 seconds / 0 bytes.
        AUTHENTICATION INFO Count = 1
                Method = Preshared key: cake
     Src Addr : 10.142.0.2 Src Mask : 255.255.255.255
     Dest Addr : 10.201.0.0 Dest Mask : 255.255.255.0
     Tunnel Addr : 10.171.0.2 Src Port : 0 Dest Port : 0
     Protocol : 0 TunnelFilter: Yes
     Flags : Outbound
    No Name
     Filter Id: {31362036-20E7-4F92-AA39-48A9D1919428}
     Policy Id: {C48B5875-9F73-40E3-AA0D-3A75F4D7FBF9}
        IPSEC_POLICY PolicyId = {C48B5875-9F73-40E3-AA0D-3A75F4D7FBF9}
                Flags: 0x0
                Tunnel Addr: 0.0.0.0
        PHASE 2 OFFERS Count = 1
                Offer #0:
        ESP[ DES MD5 HMAC]
        Rekey: 0 seconds / 0 bytes.
        AUTHENTICATION INFO Count = 1
                Method = Preshared key: cake
     Src Addr : 10.201.0.0 Src Mask : 255.255.255.0
     Dest Addr : 10.142.0.2 Dest Mask : 255.255.255.255
     Tunnel Addr : 10.171.0.2 Src Port : 0 Dest Port : 0
     Protocol : 0 TunnelFilter: Yes
     Flags : Outbound

The command completed successfully

-- 
Ben Hughes.
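An added example, not part of the post: a small Python checker that parses the per-filter address lines from a netdiag IPsec dump like the one above and tests the tunnel endpoints. It assumes the Windows 2000 tunnel-mode convention that the outbound filter's tunnel endpoint is the remote gateway while the mirrored inbound filter's tunnel endpoint is the local address; the sample input is constructed from the two filters in the dump, and the local/gateway addresses are taken from the diagram.

```python
import re

# Constructed sample: the two tunnel filters from the netdiag dump above,
# reduced to the per-filter address lines (the policy-level "Tunnel Addr:
# 0.0.0.0" lines that precede each "Src Addr" in the full dump are omitted).
NETDIAG_FILTERS = """
     Src Addr : 10.142.0.2 Src Mask : 255.255.255.255
     Dest Addr : 10.201.0.0 Dest Mask : 255.255.255.0
     Tunnel Addr : 10.171.0.2 Src Port : 0 Dest Port : 0
     Protocol : 0 TunnelFilter: Yes
     Flags : Outbound
     Src Addr : 10.201.0.0 Src Mask : 255.255.255.0
     Dest Addr : 10.142.0.2 Dest Mask : 255.255.255.255
     Tunnel Addr : 10.171.0.2 Src Port : 0 Dest Port : 0
     Protocol : 0 TunnelFilter: Yes
     Flags : Outbound
"""

FIELD = re.compile(r"(Src Addr|Dest Addr|Tunnel Addr|TunnelFilter|Flags)\s*:\s*(\S+)")

def parse_filters(text):
    """Return one dict per filter; each 'Src Addr' field starts a new filter."""
    filters, cur = [], None
    for key, val in FIELD.findall(text):
        if key == "Src Addr":
            cur = {}
            filters.append(cur)
        if cur is not None:
            cur[key] = val
    return filters

def check_tunnel_policy(text, local_ip, remote_gw):
    """List problems in a tunnel-mode filter set.
    Assumed convention (not stated in the post): the outbound filter's tunnel
    endpoint is the remote gateway, the inbound filter's tunnel endpoint is
    the local address, and each direction needs its mirror filter."""
    problems, directions = [], set()
    for i, f in enumerate(parse_filters(text)):
        if f.get("TunnelFilter") != "Yes":
            problems.append(f"filter {i}: not a tunnel filter")
            continue
        outbound = f["Src Addr"] == local_ip   # direction from the addresses
        directions.add("out" if outbound else "in")
        expected = remote_gw if outbound else local_ip
        if f["Tunnel Addr"] != expected:
            problems.append(f"filter {i}: {'outbound' if outbound else 'inbound'} "
                            f"tunnel endpoint {f['Tunnel Addr']}, expected {expected}")
    for d in ("out", "in"):
        if d not in directions:
            problems.append(f"no {d}bound tunnel filter")
    return problems
```

Run against the dump it reports the second (inbound) filter's tunnel endpoint as the remote gateway rather than the local address; with that one field changed the filter set passes.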

