Re: IPSec Filter Question




If the clients from 172.17.88.x need to access 172.16.8.x they pass
the server at 172.16.8.131 because that should be the way they are
routed... What happens if you allow traffic to 172.16.8.131 together
with 172.16.8.152?

Michel

Chupacabra wrote:

I'm working on a server with 2 nics and trying to implement a fairly simple
IPSec filter.

Nic1 faces the network (172.16.8.131/255.255.248.0)
Nic2 faces a private customer network (172.17.88.2/255.255.255.0) with 2
client PCs with 172.17.88.50 and .51 addresses.

I have created two filters. The first blocks any traffic from a subnet
(172.17.88.0/255.255.255.0) to another subnet (172.16.0.0/255.255.0.0). This
filter works beautifully; I cannot reach anything on the 172.16.x.x network
from the 172.17.88.x subnet PCs.

The second filter PERMITS any traffic from the subnet 172.17.88.0 to a
specific IP address of 172.16.8.152.

As the second filter is more specific, I would have expected traffic to be
able to pass to 172.16.8.152 because this filter will be encountered first.
However, I cannot get to 172.16.8.152 no matter what I do from any client
PCs on the 172.17.88.x subnet.

However, if I change the second filter to PERMIT traffic from the subnet
172.17.88.0 to the 172.16.8.0 subnet, I can get to 172.16.8.152 from the
172.17.88.x subnet client PCs just fine.

I just can't figure out why using the more specific filter (PERMIT to only
172.16.8.152) doesn't work, yet a less-specific PERMIT filter (to
172.16.8.0) does work.

I have enabled IPSec event logging, and I am getting nothing there in regard
to these packets being dropped. I have enabled Performance Monitor, and I
see the count of Datagrams Received Discarded go up every time I try to
access the server at 172.16.8.152.

Thanks for any ideas or help on this, it's driving me nuts!
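To make the expected evaluation order concrete, here is a small Python model of the two filters from the post. It is an added example, not code from either poster and not Windows' own IPsec engine: it assumes the "most specific filter wins" rule the original poster expects (the matching filter with the longest combined source/destination prefix decides), treats traffic that matches no filter as permitted, and adds Michel's suggested permit for 172.16.8.131 as a constructed third filter. A first-match-in-list-order evaluator is included beside it to show why the two models give different answers for 172.16.8.152.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Filter:
    """One IPsec-style filter: source network, destination network, action."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "PERMIT" or "BLOCK"

    def matches(self, src_ip: ipaddress.IPv4Address, dst_ip: ipaddress.IPv4Address) -> bool:
        return src_ip in self.src and dst_ip in self.dst

    def specificity(self) -> int:
        # Longer prefixes are more specific: a /32 host (255.255.255.255)
        # beats a /24 subnet, which beats a /16 subnet.
        return self.src.prefixlen + self.dst.prefixlen


def net(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from the dotted address/netmask notation used in the post."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


# The two filters described in the post (addresses and masks as given there).
BLOCK_TO_172_16 = Filter(
    "block 172.17.88.0/24 -> 172.16.0.0/16",
    net("172.17.88.0", "255.255.255.0"), net("172.16.0.0", "255.255.0.0"), "BLOCK")
PERMIT_HOST_152 = Filter(
    "permit 172.17.88.0/24 -> 172.16.8.152",
    net("172.17.88.0", "255.255.255.0"), net("172.16.8.152", "255.255.255.255"), "PERMIT")
# Michel's suggestion, constructed here as a third filter: also permit the
# server's own network-facing address 172.16.8.131.
PERMIT_HOST_131 = Filter(
    "permit 172.17.88.0/24 -> 172.16.8.131",
    net("172.17.88.0", "255.255.255.0"), net("172.16.8.131", "255.255.255.255"), "PERMIT")

POSTED_FILTERS = [BLOCK_TO_172_16, PERMIT_HOST_152]
WITH_MICHELS_SUGGESTION = POSTED_FILTERS + [PERMIT_HOST_131]


def decide_most_specific(filters: List[Filter], src: str, dst: str,
                         default: str = "PERMIT") -> Tuple[str, Optional[str]]:
    """Most-specific-match evaluation (assumed model): among all matching
    filters the one with the longest combined prefix decides. List order is
    irrelevant. Traffic matching no filter gets the assumed default action.
    Two matching filters of equal specificity but different actions would be a
    policy conflict; this model does not resolve that case."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    matching = [f for f in filters if f.matches(src_ip, dst_ip)]
    if not matching:
        return default, None
    best = max(matching, key=Filter.specificity)
    return best.action, best.name


def decide_first_match(filters: List[Filter], src: str, dst: str,
                       default: str = "PERMIT") -> Tuple[str, Optional[str]]:
    """Ordered first-match evaluation for comparison: the first filter in list
    order that matches decides, regardless of how specific it is."""
    src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for f in filters:
        if f.matches(src_ip, dst_ip):
            return f.action, f.name
    return default, None


if __name__ == "__main__":
    client = "172.17.88.50"
    for dst in ("172.16.8.152", "172.16.8.131", "172.16.9.10", "10.0.0.1"):
        print(f"{client} -> {dst}:")
        print("  most specific :", decide_most_specific(POSTED_FILTERS, client, dst))
        print("  first match   :", decide_first_match(POSTED_FILTERS, client, dst))
        print("  + .131 permit :", decide_most_specific(WITH_MICHELS_SUGGESTION, client, dst))
```

Under the most-specific model the host permit to 172.16.8.152 outranks the /16 block, so the client reaches 172.16.8.152 while every other 172.16.x.x host stays blocked, which is the behaviour the poster expected. Under plain list-order first-match, the block filter listed first swallows the packet. Adding the permit for 172.16.8.131 only changes the verdict for that one address.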



