Configuring Windows 2000/XP IPsec for Site-to-Site VPN




IPsec for Site-to-Site VPN
November 2002

Copyright 2002 SofaWare Technologies Inc, All Rights Reserved. Reproduction, adaptation, or translation with prior written permission is prohibited except as allowed under copyright laws.

Introduction

This document explains how to configure Microsoft Windows 2000, Windows 2000 Server, and Windows XP IPsec for the Site-to-Site VPN solutions. Figure 1 shows a sample implementation of this solution, in which a Safe@Office appliance is connected to a Windows machine in a Site-to-Site VPN.

Figure 1: Safe@Office to Windows 2000/XP IPsec (Site-to-Site VPN)

Scenarios

This document provides solutions for the following four scenarios:

Windows Gateway to Safe@Office in Unrestricted Mode
  Traffic is encrypted between the gateways' subnets (Network A to Network B).

Windows Gateway to Safe@Office in Restricted Mode
  Traffic is encrypted between the network behind the Windows gateway and the Safe@Office WAN IP address (Network A to Safe@Office external IP).

Windows Host to Safe@Office in Unrestricted Mode
  Traffic is encrypted between the Windows host and the Safe@Office internal network (Windows machine to Network B).

Windows Host to Safe@Office in Restricted Mode
  Traffic is encrypted between the Windows host and the Safe@Office WAN IP address (Windows machine to Safe@Office external IP).

Note: For all the scenarios above, the configuration of the Windows machine is identical, except for the Filter Properties configuration. For further information, see step 5.e and step 6.e (pages 11 and 16 of the original guide).

Important: Both the Safe@ gateway and Windows machine must be configured with a static IP address. DHCP mode in the Windows machine may not work properly.

Contacting Technical Support

To contact technical support, send an email to: support@sofaware.com

Configuring Windows 2000/XP

Note: The screens shown below appear in both Windows 2000 and XP.

Note: The IP addresses in Figure 1, page 1, appear in the screens below as an example.

Important: Additional security software installed on the Windows machine (for example, Check Point SecuRemote) may prevent the tunnel from working properly.

To configure Windows 2000/XP for Site-to-Site VPN

1. Create an IP security policy by doing the following:
   a. Open the Windows Control Panel.
   b. In the Administrative Tools menu, click Local Security Policy. The Local Security Settings window opens.
   c. Double-click on IP Security Policies On Local Machine. The IP security policies on the local machine are displayed in the right-hand pane.
   d. In the Action menu, click Create IP Security Policy. The IP Security Policy Wizard opens with the Welcome to the IP Security Policy wizard dialog box displayed.
   e. Click Next. The IP Security Policy Name dialog box appears.
   f. In the Name field, enter the policy's name. In the example above, the policy's name is New_Policy.
   g. Click Next. The Requests for Secure Communication dialog box appears.
   h. Clear the Activate the default response rule check box.
   i. Click Next. The Completing the IP Security Policy Wizard dialog box appears.
   j. Clear the Edit properties check box.
   k. Click Finish. The new policy appears in the Local Security Settings window.
2. Double-click on the new policy. The Properties dialog box appears, with the Rules tab displayed.
3. Clear the Use Add Wizard check box.
4. Click Add. The New Rule Properties dialog box appears, with the IP Filter List tab displayed.

5. Create an A to B IP filter for the security policy, by doing the following:
   a. Click Add. The IP Filter List dialog box appears.
   b. In the Name field, type A to B.
   c. Clear the Use Add Wizard check box.
   d. Click Add. The Filter Properties dialog box appears, with the Addressing tab displayed.
   e. Select one of the following filters:
      Windows Gateway to Safe@Office, Unrestricted Mode
      Windows Host to Safe@Office, Unrestricted Mode
      Windows Host to Safe@Office, Restricted Mode
      Windows Gateway to Safe@Office, Restricted Mode
   f. Clear the Mirrored check box.
   g. Click on the Description tab. The Description tab is displayed.
   h. If desired, in the Description area, type a description of the filter.
   i. Click OK. The New Rule Properties dialog box reappears, with the IP Filter List displayed. The new filter appears in the IP Filter Lists area.

6. Create a B to A IP filter for the security policy, by doing the following:
   a. Click Add. The IP Filter List dialog box appears.
   b. In the Name field, type B to A.
   c. Clear the Use Add Wizard check box.
   d. Click Add. The Filter Properties dialog box appears, with the Addressing tab displayed.
   e. Select one of the following filters:
      Windows Gateway to Safe@Office, Unrestricted Mode
      Windows Host to Safe@Office, Unrestricted Mode
      Windows Host to Safe@Office, Restricted Mode
      Windows Gateway to Safe@Office, Restricted Mode
   f. Clear the Mirrored check box.
   g. Click on the Description tab. The Description tab is displayed.
   h. If desired, in the Description area, type a description of the filter.
   i. Click OK. The New Rule Properties dialog box reappears, with the IP Filter List displayed. The new filter appears in the IP Filter Lists area.
7. In the IP Filter Lists area, click A to B.

8. Set the filter action for the A to B IP filter, by doing the following:
   a. Click the Filter Action tab. The Filter Action tab is displayed.
   b. Clear the Use Add Wizard check box.
   c. Click Add. The New Filter Action Properties dialog box appears, with the Security Methods tab displayed.
      Do the following:
      1) Click Negotiate Security.
      2) Clear the Accept unsecured communications, but always respond using IPsec check box.
      3) Clear the Allow unsecured communications with non IPsec-aware computer check box.
      4) Click Add. The New Security Method dialog box appears, with the Security Method tab displayed.
   d. Click Custom.
   e. Click Settings. The Custom Security Method Settings dialog box appears.
      Do the following:
      1) Clear the Data and address integrity without encryption (AH) check box.
      2) Select the Data integrity and encryption (ESP) check box.
      3) From the Integrity Algorithm drop-down list, select SHA1.
      4) From the Encryption Algorithm drop-down list, select 3DES.
      5) In the Session Key Settings area, clear all check boxes.
      6) Click OK. The New Filter Action Properties dialog box reappears, with the Security Methods tab displayed. The new security method is listed in the Security Method preference order area.
   f. Click the General tab. The General tab is displayed.
   g. In the Name field, type Encrypt.
   h. Click OK. The New Rule Properties dialog box reappears, with the Filter Action tab displayed. The Encrypt action is listed in the Filter Actions area.
   i. In the Filter Actions area, click Encrypt.
   j. Click the Authentication Methods tab. The Authentication Methods tab is displayed.
   k. Click Add. The New Authentication Method Properties dialog box appears, with the Authentication Method tab displayed.
      Do the following:
      1) Click Use this string to protect the key exchange (preshared key).
      2) In the text box, type the preshared key.
         Note: Use this preshared key as the Preshared Secret password when you create the tunnel from the Safe@ gateway to the Windows machine.
      3) Click OK. The New Rule Properties dialog box reappears, with the Authentication Methods tab displayed. The new authentication method (Preshared Key) is listed in the Authentication Method preference order area.
   l. Select Kerberos.
   m. Click Remove. A confirmation message appears.
   n. Click Yes. The Kerberos method is deleted from the Authentication Method preference order area.
   o. Click on the Tunnel Settings tab. The Tunnel Settings tab is displayed.
   p. Click The tunnel endpoint is specified by this IP Address.
   q. In the text box, type the Safe@ gateway's IP address.
   r. Click on the Connection Type tab. The Connection Type tab is displayed.
   s. Click All network connections.
   t. Click Close.

9. Set the filter action for the B to A IP filter, by doing the following:
   a. Click Add. The New Rule Properties dialog box appears, with the IP Filter List tab displayed.
   b. In the IP Filter Lists area, click B to A.
   c. Click the Filter Action tab. The Filter Action tab is displayed.
   d. In the Filter Actions area, click Encrypt.
   e. Click the Authentication Methods tab. The Authentication Methods tab is displayed.
   f. Click Add. The New Authentication Method Properties dialog box appears, with the Authentication Method tab displayed.
      Do the following:
      1) Click Use this string to protect the key exchange (preshared key).
      2) In the text box, type the preshared key.
         Note: Use this preshared key as the Preshared Secret password when you create the tunnel from the Safe@ gateway to the Windows machine.
      3) Click OK. The New Rule Properties dialog box reappears, with the Authentication Methods tab displayed. The new authentication method (Preshared Key) is listed in the Authentication Method preference order area.
   g. Select Kerberos.
   h. Click Remove. A confirmation message appears.
   i. Click Yes. The Kerberos method is deleted from the Authentication Method preference order area.
   j. Click on the Tunnel Settings tab. The Tunnel Settings tab is displayed.
   k. Click The tunnel endpoint is specified by this IP Address.
   l. In the text box, type the Windows machine's IP address.
   m. Click on the Connection Type tab. The Connection Type tab is displayed.
   n. Click All network connections.
   o. Click Close. The Properties dialog box reappears, with the Rules tab displayed. The B to A filter and its action are listed in the IP Security Rules area.

10. Click Close. The Local Area Settings window reappears.
11. Right-click on the new IP security policy.
12. From the pop-up menu, select Assign. The new security policy is assigned to the network adapter.

Configuring the Safe@Office Appliance

You must create the VPN profile in Safe@Office. For instructions, see the SofaWare S-box Getting Started Guide, Adding and Editing VPN Sites using SofaWare Safe@Office, page 102.

Note: While creating the VPN profile, you must select Specify Configuration in the VPN Network Configuration dialog box. Topology download is not supported.

Note: In Restricted mode, in order to forward encrypted traffic to hosts behind the Safe@ gateway, you must define Virtual Server and/or Allow rules. You must select the VPN Only check box for those rules.
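
Added example (not part of the SofaWare guide): a small Python planner and checker for the Windows-side procedure above. It derives the two unmirrored filters (A to B, B to A) and their tunnel endpoints for each of the four scenarios, then audits a rule pair for the mistakes the procedure is easiest to get wrong, such as swapped tunnel endpoints. The source and destination selectors are inferred from the Scenarios descriptions, since the filter screenshots are not in the text; the names Rule, plan_rules and audit are hypothetical, and all addresses are constructed samples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    tunnel_endpoint: ipaddress.IPv4Address
    mirrored: bool = False  # the guide clears Mirrored on both filters


def plan_rules(scenario, windows_ip, safe_ip, network_a=None, network_b=None):
    """Build the [A to B, B to A] rules for one of the guide's four scenarios."""
    win = ipaddress.IPv4Address(windows_ip)
    safe = ipaddress.IPv4Address(safe_ip)
    side, _, mode = scenario.partition("_")  # e.g. "gateway_unrestricted"
    if side not in ("gateway", "host") or mode not in ("unrestricted", "restricted"):
        raise ValueError(f"unknown scenario: {scenario!r}")
    if side == "gateway" and network_a is None:
        raise ValueError("gateway scenarios need network_a")
    if mode == "unrestricted" and network_b is None:
        raise ValueError("unrestricted scenarios need network_b")
    # Windows side: Network A behind the gateway, or the host itself.
    local = ipaddress.IPv4Network(network_a if side == "gateway" else f"{win}/32")
    # Safe@Office side: Network B (unrestricted) or its WAN IP (restricted).
    remote = ipaddress.IPv4Network(network_b if mode == "unrestricted" else f"{safe}/32")
    if local.overlaps(remote):
        raise ValueError("selectors on the two sides overlap")
    return [Rule("A to B", local, remote, safe), Rule("B to A", remote, local, win)]


def audit(rules, windows_ip, safe_ip):
    """Return findings; an empty list means the rule pair matches the guide."""
    win = ipaddress.IPv4Address(windows_ip)
    safe = ipaddress.IPv4Address(safe_ip)
    if len(rules) != 2:
        return ["expected exactly two rules (A to B and B to A)"]
    out, back = rules
    findings = []
    if out.mirrored or back.mirrored:
        findings.append("Mirrored must be cleared on both filters")
    if (back.src, back.dst) != (out.dst, out.src):
        findings.append("B to A is not the exact reverse of A to B")
    if out.tunnel_endpoint != safe:
        findings.append("A to B tunnel endpoint must be the Safe@ gateway IP")
    if back.tunnel_endpoint != win:
        findings.append("B to A tunnel endpoint must be the Windows machine IP")
    return findings


if __name__ == "__main__":
    # Constructed sample addresses (documentation and private ranges).
    WIN, SAFE = "192.0.2.10", "198.51.100.1"
    for s in ("gateway_unrestricted", "gateway_restricted",
              "host_unrestricted", "host_restricted"):
        rules = plan_rules(s, WIN, SAFE, "192.168.10.0/24", "192.168.20.0/24")
        for r in rules:
            print(s, r.name, r.src, "->", r.dst, "tunnel", r.tunnel_endpoint)
        print(s, "findings:", audit(rules, WIN, SAFE))
```
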