IPSec is a network layer protocol suite.

Transport Mode--end to end protection
In transport mode the original IP header is kept, and AH (Authentication Header) and ESP (Encapsulating Security Payload) are inserted after it, so they protect the transport header and the payload. AH additionally authenticates the immutable fields of the IP header; ESP does not cover the IP header at all. When packets flow from the transport layer into the network layer, AH and ESP intercept them.
Using AH only:
Using ESP only:
Using both AH and ESP:
Configuring the IPSec Policy with Security Methods as follows:
As seen, both AH and ESP provide the integrity function; only ESP provides confidentiality. Integrity methods: SHA1 and MD5. Confidentiality methods: DES and 3DES. (MD5 and DES are too weak for any new deployment; choose SHA1 and 3DES, or AES where the platform offers it.) An IPSec policy can be scoped to a protocol (UDP or TCP) and to port numbers, such as 80, 22, etc. IPSec policies apply to Windows 2000 or later, whereas Connection Security Rules require Vista or later. The Isolation and Server-to-server Connection Security Rule types are scoped by IP address only; only a Custom rule can also specify protocol and port. Don't assign the Secure Server (Require Security) policy lightly!!!
I have to stop the IPSec Policy Agent on PC1 and iMac-PC and run gpupdate /force. All three predefined IPSec policies (Client (Respond Only), Server (Request Security), Secure Server (Require Security)) have the source and destination addresses set to ANY, so PC1's communication with the Domain Controller has to use IPSec too. It's better to use Server (Request Security), and better still to limit the source and the destination to these two computers.
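As an added example (not the notes' own commands), here is the command-line equivalent of what the paragraph above recommends: a Request Security policy built with netsh ipsec static, scoped to just the two test computers instead of ANY/ANY, with Kerberos computer authentication, then assigned and verified. netsh ipsec static is the counterpart of the IP Security Policy MMC snap-in on Windows XP/2003 through 2008 R2. The host addresses and the policy, filter-list and filter-action names are assumed lab values.

```powershell
# Added example, not from the original notes. Assumed lab values:
$pc1    = '192.168.1.11'     # PC1
$imac   = '192.168.1.12'     # iMac-PC
$policy = 'PC1-iMac-RequestSecurity'

# 1. Policy container (equivalent of a new policy in the IP Security Policies snap-in)
netsh ipsec static add policy name=$policy description=RequestIPSecBetweenPC1AndiMacOnly

# 2. Filter list: only traffic between the two hosts, any protocol.
#    mirrored=yes adds the reverse direction so replies match the same filter.
netsh ipsec static add filterlist name=PC1-iMac-Traffic
netsh ipsec static add filter filterlist=PC1-iMac-Traffic srcaddr=$pc1 dstaddr=$imac protocol=ANY mirrored=yes

# 3. Filter action = "Request Security": negotiate ESP with 3DES/SHA1,
#    inpass=yes accepts unsecured inbound packets and answers with negotiation,
#    soft=yes falls back to clear text when the peer has no IPSec (the Request behaviour).
#    Security method = ESP[confidentiality,integrity]:lifetime-in-KB/lifetime-in-seconds.
netsh ipsec static add filteraction name=Request-ESP-3DES-SHA1 action=negotiate inpass=yes soft=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

# 4. Rule tying filter list and action together, computer Kerberos authentication
netsh ipsec static add rule name=PC1-iMac policy=$policy filterlist=PC1-iMac-Traffic filteraction=Request-ESP-3DES-SHA1 kerberos=yes

# 5. Assign the policy (only one local IPSec policy can be assigned at a time).
#    Because the filter covers only PC1<->iMac-PC, traffic to the Domain Controller
#    is not touched, unlike the predefined ANY/ANY policies.
netsh ipsec static set policy name=$policy assign=y

# Refresh and verify: restart the IPSec Policy Agent, reapply policy,
# then list the quick mode SAs; after a ping between the two hosts an
# ESP SA for 192.168.1.11 <-> 192.168.1.12 should appear.
Restart-Service PolicyAgent
gpupdate /force
netsh ipsec static show policy name=$policy
netsh ipsec dynamic show qmsas
```

Run it in an elevated PowerShell (or paste the netsh lines into an elevated cmd) on each of the two hosts; the policy is local, so both sides need it, and a peer that lacks it simply gets clear text because of soft=yes.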
Windows Firewall--Connection Security Rules
To use Connection Security Rules, the Windows Firewall must be turned on. In a domain environment, I export the security settings on the domain controller and then import them into a GPO: Administrative Tools--Windows Firewall with Advanced Security--Export Policy.
Remote Desktop is enabled on all domain computers. Create a Connection Security Rule in the Default Domain Policy. The default authentication method is Computer (Kerberos V5). iMac1-PC is not a member of the domain, so computer Kerberos authentication cannot be used for it; I create an authentication exemption rule so that iMac1-PC can communicate with W2008.
After the IPSec policy is implemented, the logon process takes too long (a rule in the Default Domain Policy reaches every domain computer, including the domain controllers). Scoping it to an OU limits the rule to the test machines: create an OU named IPSec OU and move iMAC2-PC and PC1 under it, then create a GPO in the Group Policy Management Console and link it to the IPSec OU.
For the point-to-point IPSec configuration (End 1 and End 2 set to the two computers, both of which have the rule), "Request inbound and outbound", "Require inbound and request outbound", and "Require inbound and outbound" have the same effect: the two peers negotiate IPSec with each other either way. What happens when both End 1 and End 2 are set to ANY?
Communication between the computers works, except that the computers with the IPSec policy applied now use ESP authentication between themselves. If "Require inbound and Request outbound" is selected, Vista1 cannot access the shared folder on iMac2-PC, because Vista1 does not have the IPSec policy applied and so cannot satisfy the inbound requirement. If "Require inbound and Require outbound" is selected, iMac2-PC and PC1 cannot communicate with the rest of the network at all. To get the updated policy settings onto these two computers, stop the Windows Firewall service on iMac2-PC and PC1, run GPUPDATE /force, and then restart the Windows Firewall service. By default, Connection Security Rules provide integrity only (ESP without encryption); you can customize the data protection settings so the communication is encrypted as well.
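As an added example (not the notes' own commands), the same Connection Security Rule set built with the NetSecurity PowerShell cmdlets and written straight into the GPO linked to the IPSec OU: a point-to-point rule between PC1 and iMac2-PC with "Require inbound and Request outbound", Computer (Kerberos V5) authentication and ESP with encryption instead of the integrity-only default, plus the authentication exemption for the non-domain iMac1-PC, followed by the refresh-and-verify steps on a client. The domain name, GPO name and IP addresses are assumed. These cmdlets exist on Windows 8 / Server 2012 and later; on Vista and 2008 the same settings are made in the Windows Firewall with Advanced Security console or with netsh advfirewall consec.

```powershell
# Added example, not from the original notes. Assumed lab values:
$domain = 'lab.local'
$gpo    = "$domain\IPSec GPO"     # GPO already linked to 'IPSec OU'
$pc1    = '192.168.1.11'          # PC1
$imac2  = '192.168.1.12'          # iMac2-PC
$imac1  = '192.168.1.13'          # iMac1-PC, not a domain member
$w2008  = '192.168.1.10'          # W2008

# Edit the GPO offline and commit once at the end (one write to SYSVOL).
$s = Open-NetGPO -PolicyStore $gpo

# Phase 1 (main mode) authentication: Computer (Kerberos V5), the wizard's default.
$p1   = New-NetIPsecAuthProposal -Machine -Kerberos
$auth = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos V5' -Proposal $p1 -GPOSession $s

# Quick mode data protection: ESP with SHA1 integrity AND AES-256 encryption.
# Without a custom crypto set the rule gets the default, which is integrity only.
$qm     = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption AES256
$crypto = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP SHA1+AES256' -Proposal $qm -GPOSession $s

# Point-to-point rule between PC1 and iMac2-PC ("Require inbound and Request outbound").
# A host without the rule (Vista1) can no longer reach these two, but they can still
# fall back to clear text toward the rest of the network.
New-NetIPsecRule -DisplayName 'PC1-iMac2 require in / request out' `
    -Mode Transport `
    -LocalAddress  $pc1, $imac2 `
    -RemoteAddress $pc1, $imac2 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $auth.Name -QuickModeCryptoSet $crypto.Name `
    -GPOSession $s

# Authentication exemption: W2008 talks to the non-domain iMac1-PC without IPSec.
New-NetIPsecRule -DisplayName 'Exempt iMac1-PC' `
    -LocalAddress $w2008 -RemoteAddress $imac1 `
    -InboundSecurity None -OutboundSecurity None `
    -GPOSession $s

Save-NetGPO -GPOSession $s

# --- On iMac2-PC and PC1, after the GPO is saved ---
# The notes' workaround on Vista/2008 was: stop the Windows Firewall service (MpsSvc),
# run gpupdate /force, start MpsSvc again. Current Windows versions refuse to stop
# MpsSvc, and gpupdate /force alone picks up the new rule there.
gpupdate /force

# Verify the rule arrived and that traffic is encrypted, not merely authenticated:
Get-NetIPsecRule -PolicyStore ActiveStore | Select-Object DisplayName, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA  | Format-List LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Format-List     # the ESP encryption field should read AES256, not None
```

Open a share from PC1 to iMac2-PC before running the two SA queries; the main mode SA shows that Kerberos authentication succeeded, and the quick mode SA shows which ESP algorithms were actually negotiated. If Vista1 is then unable to reach the share while the two rule holders can, the "Require inbound" behaviour described above is confirmed.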