IPSec Policy Doesn't Really Block

From: Joseph Melika (jmelika_at_hotmail.com)
Date: Mon, 30 Aug 2004 16:54:45 -0700

I am having an issue with IPSec. I simply have a server sitting at a co-lo.
It is serving on ports 80, 443, 5274, and 6667. I need to open those ports
to the public but block everything else. I also need to permit the server
to be able to talk to its neighboring computers, as well as some computers
on a different subnet, with no restrictions.

Here is a list of IPSECPOL.exe commands I am using to create the policy.
Please be aware of the possible word wrap.

=========
REM Local /24 and the server itself, both directions ("+" = mirrored), all ports: permit
ipsecpol -w REG -p "Policy" -r "Local Site" -f x.x.x.0/255.255.255.0+x.x.x.x:* -f x.x.x.x+x.x.x.0/255.255.255.0:* -n PASS
REM Remote subnets and hosts to/from the server, all ports: permit
ipsecpol -w REG -p "Policy" -r "Remote Sites" -f 192.215.60.0/255.255.255.0+x.x.x.x:* -f 206.16.86.0/255.255.255.240+x.x.x.x:* -f 206.16.76.32/255.255.255.240+x.x.x.x:* -f 192.215.11.11+x.x.x.x:* -f 192.215.5.16+x.x.x.x:* -n PASS
REM Public service ports (5274 any protocol; 6667, 80, 443 TCP only), mirrored: permit
ipsecpol -w REG -p "Policy" -r "Applications Ports" -f *+x.x.x.x:5274 -f *+x.x.x.x:6667:TCP -f *+x.x.x.x:80:TCP -f *+x.x.x.x:443:TCP -n PASS
REM Anything else inbound to the server ("=" = one-way filter), any port, any protocol: block
ipsecpol -w REG -p "Policy" -r "Block Everything Else" -f *=x.x.x.x:*:* -n BLOCK
==========

x.x.x.x stands for the server's IP address, while x.x.x.0 stands for the 24
bit subnet it's on.

Now the issue is that when I create this policy and assign it, I am still
able to connect to the server from home using Terminal Services. My home PC
is not on any of the subnets listed above. How come the IPSec Policy
doesn't work? I can do a netdiag /test:ipsec and I do see the policy
applied. It just doesn't seem to be doing its job.

One thing I did notice is that PASS and BLOCK did not actually use the
existing filter actions "Permit" and "Block". Each of those commands
created its own filter action with the same name as the filter itself, i.e.
"Local Site". I even tried going to the UI and changing the action to Block
or Permit and restarting the IPSec Policy Agent, but it still didn't work.

Has anyone been able to get IPSec to work properly? Can someone give me any
advice on this?

I appreciate it guys!

Joseph Melika
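
As an added example (not part of the original post, and not Microsoft's code), here is a small Python model of how the filter list above is meant to match traffic, useful as a sanity check before digging into how the policy was applied on the host. It assumes the ipsecpol meaning of "+" (mirrored filter, both directions) versus "=" (one-way filter) and Windows IPsec's most-specific-filter-wins ordering (exact host beats subnet beats any address, then an explicit protocol, then an explicit port); traffic that matches no filter is assumed to be left alone. The server address 203.0.113.10, its /24 and the "home" address 198.51.100.7 are placeholders standing in for the masked x.x.x.x values, and the test packets are constructed for the example. Run as-is, it reports that a Terminal Services connection (TCP 3389) from an off-net address should land on the "Block Everything Else" filter while port 80 from the same address lands on "Applications Ports".

```python
"""Model of the posted ipsecpol filter list (added example, not from the post).

Assumptions: '+' in an ipsecpol -f spec is a mirrored filter (both
directions), '=' is one-way; when several filters match a packet, the most
specific one wins (exact host > subnet > any address, then protocol, then
port); traffic matching no filter is not touched by IPsec.  The server,
its /24 and the "home" address are placeholders for the masked x.x.x.x.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SERVER = "203.0.113.10"                   # placeholder for x.x.x.x
LOCAL_NET = "203.0.113.0/255.255.255.0"   # placeholder for x.x.x.0/24


@dataclass(frozen=True)
class Endpoint:
    net: Optional[ipaddress.IPv4Network]  # None == '*' (any address)
    port: Optional[int]                   # None == any port

    def matches(self, ip: str, port: int) -> bool:
        if self.net is not None and ipaddress.ip_address(ip) not in self.net:
            return False
        return self.port is None or self.port == port

    def addr_weight(self) -> int:
        if self.net is None:
            return 0
        return 2 if self.net.prefixlen == 32 else 1


@dataclass(frozen=True)
class Filter:
    src: Endpoint
    dst: Endpoint
    proto: Optional[str]  # None == any IP protocol
    mirrored: bool


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_endpoint(spec: str) -> Endpoint:
    """'*' | addr | addr/mask | addr:port | addr/mask:port ('*' port == any)."""
    if spec == "*":
        return Endpoint(None, None)
    addr, _, port = spec.partition(":")
    net = ipaddress.IPv4Network(addr if "/" in addr else addr + "/32", strict=False)
    return Endpoint(net, None if port in ("", "*") else int(port))


def parse_filter(spec: str) -> Filter:
    """SRC+DST[:proto] (mirrored) or SRC=DST[:proto] (one-way), ipsecpol style."""
    sep = "+" if "+" in spec else "="
    left, right = spec.split(sep, 1)
    parts = right.split(":")
    proto = None
    if len(parts) == 3:                   # addr:port:proto
        proto = None if parts[2] == "*" else parts[2].upper()
        right = ":".join(parts[:2])
    return Filter(parse_endpoint(left), parse_endpoint(right), proto, sep == "+")


def filter_matches(f: Filter, p: Packet) -> bool:
    if f.proto is not None and f.proto != p.proto.upper():
        return False
    if f.src.matches(p.src, p.sport) and f.dst.matches(p.dst, p.dport):
        return True
    # a mirrored filter also covers the reverse direction
    return f.mirrored and f.src.matches(p.dst, p.dport) and f.dst.matches(p.src, p.sport)


def weight(f: Filter) -> Tuple[int, bool, bool]:
    """Specificity: addresses first, then explicit protocol, then explicit port."""
    return (f.src.addr_weight() + f.dst.addr_weight(),
            f.proto is not None,
            f.src.port is not None or f.dst.port is not None)


# The four rules from the post, with placeholder addresses.
POLICY = [
    ("Local Site", [f"{LOCAL_NET}+{SERVER}:*", f"{SERVER}+{LOCAL_NET}:*"], "PASS"),
    ("Remote Sites", [f"192.215.60.0/255.255.255.0+{SERVER}:*",
                      f"206.16.86.0/255.255.255.240+{SERVER}:*",
                      f"206.16.76.32/255.255.255.240+{SERVER}:*",
                      f"192.215.11.11+{SERVER}:*",
                      f"192.215.5.16+{SERVER}:*"], "PASS"),
    ("Applications Ports", [f"*+{SERVER}:5274", f"*+{SERVER}:6667:TCP",
                            f"*+{SERVER}:80:TCP", f"*+{SERVER}:443:TCP"], "PASS"),
    ("Block Everything Else", [f"*={SERVER}:*:*"], "BLOCK"),
]
RULES = [(name, [parse_filter(s) for s in specs], action) for name, specs, action in POLICY]


def decide(rules, p: Packet) -> Tuple[str, str]:
    """Return (rule name, action) of the most specific matching filter."""
    best = None
    for name, filters, action in rules:
        for f in filters:
            if filter_matches(f, p) and (best is None or weight(f) > best[0]):
                best = (weight(f), name, action)
    if best is None:
        return ("<no filter>", "PASS")    # unmatched traffic is not touched by IPsec
    return best[1], best[2]


if __name__ == "__main__":
    HOME = "198.51.100.7"                 # placeholder for the poster's home PC
    for pkt in [Packet(HOME, 50000, SERVER, 3389, "TCP"),            # Terminal Services from home
                Packet(HOME, 50001, SERVER, 80, "TCP"),              # public web port
                Packet("203.0.113.22", 50002, SERVER, 3389, "TCP"),  # neighbour on the /24
                Packet(SERVER, 50003, HOME, 443, "TCP")]:            # server-initiated, outbound
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}/{pkt.proto}", decide(RULES, pkt))
```

The model only covers what the filter specs say; it says nothing about whether the policy was actually loaded into the driver, so if it reports BLOCK for a packet that still gets through, the next thing to look at is the host (ipsecmon, netdiag, the Policy Agent) rather than the filter text.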
