Monday, July 18, 2011

How to configure IPsec on Windows 2008 - Example and detailed steps

Some people have asked me how to use IPsec with Windows 2008. IPsec has changed compared to Windows 2003 and XP, though only a little: it is now managed from a different console (plus Windows Firewall with Advanced Security). To begin, let's say you have Machine "A" and want to use IPsec for the communication on port 3389. We will use the 'non recommended procedure', but the good thing is that you can configure it very quickly and test it in your non-production environment. So let's begin:

Task 1: Create an IPsec negotiation policy on Computer "A"
1. On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.
2. Right-click the IP Security Policies on Local Computer node, and then click Create IP Security Policy.
3. On the Welcome screen of the IP Security Policy Wizard, click Next.
4. In the Name box, type Secure3389. In the Description field, type Policy to encrypt SMB, and then click Next.
5. If you will NOT have machines earlier than Windows Vista in your environment, ensure that Activate the default response rule is not selected, click Next, and go to step 7.
6. Otherwise, in the Default Response Rule Authentication Method dialog box, choose the option Use this string to protect the key exchange (preshared key) and type $ecrET.
7. In the Completing the IP Security Policy Wizard dialog box, ensure that Edit properties is selected, and then click Finish.
8. In the Secure3389 Properties dialog box, click Add.
9. In the Welcome to the Create IP Security Rule Wizard, click Next.
10. In the Tunnel Endpoint dialog box, click This rule does not specify a tunnel, and then click Next.
11. In the Network Type dialog box, click All network connections, and then click Next.
12. In the IP Filter List dialog box, click Add.
13. A new dialog box called IP Filter List appears. Type Secure3389TCP, and then click Add.
14. On the Welcome screen of the IP Filter Wizard, click Next.
15. In the Description text box, type 3389 IPsec Filter, and then click Next.
16. In the IP Traffic Source dialog box, click Any IP Address, and then click Next.
17. In the IP Traffic Destination dialog box, click Any IP Address, and then click Next.
18. In the IP Protocol Type dialog box, click TCP in the drop-down list, and then click Next.
19. In the Protocol Port dialog box, select From this port, type 3389 in the text box, select To any port, and then click Next.
20. On the Completing the IP Filter Wizard screen, click Finish, and then click OK.
21. In the IP Filter List, select Secure3389TCP, and then click Next.
22. In the Filter Action dialog box, click Add.
23. In the Filter Action Wizard dialog box, click Next.
24. In the Filter Action Name dialog box, type Secure3389Filter, and then click Next.
25. In the Filter Action General Options dialog box, select Negotiate security, and then click Next.
26. In the Communicating with computers that do not support IPsec dialog box, select Do not allow unsecured communications, and then click Next.
27. In the IP Traffic Security dialog box, select Integrity and encryption, and then click Next.
28. On the Completing the IP Security Filter Action Wizard screen, click Finish.
29. In the Filter Action dialog box, select Secure3389Filter, and then click Next.
30. In the Authentication Method dialog box, select Use this string to protect the key exchange (preshared key), type $ecrET, and then click Next.
31. On the Completing the Security Rule Wizard screen, click Finish.
32. In the Secure3389 Properties dialog box, click OK.
Task 2: Assign the Policy
The policy you just created is not active until you assign it. To do that:
1. On Computer "A", click Start, click All Programs, click Administrative Tools, and then click Local Security Policy.
2. Go to the IP Security Policies on Local Computer node, and in the right pane right-click the Secure3389 policy and select Assign.
You are done! You have configured IPsec for port 3389. Now let's see how to configure the clients so they can communicate with each other.
Windows Vista or Machine "B"
On the Windows Vista client the process is similar to the one presented above, so you can either run steps 1 through 32 and then you will be able to connect, or you can export the policy from Windows 2008 and import it on Windows Vista with this procedure:
1. In the Local Security Policy Microsoft Management Console (MMC) console, right-click IP Security Policies on Local Computer, click All Tasks, and then click Export Policies.
2. In the Save As dialog box, type C:\IPSecPolicy\IPsecurityPolicy3389.ipsec, and then click Save (then copy that IPsec policy file to a USB key).
Import the security policy on the Windows Vista machine (Machine "B"):
1. On the Windows Vista machine, open the local security policy. To do this, click Start, click the Start Search box, and then type gpedit.msc.
2. Navigate to Computer Configuration > Windows Settings > IP Security Policies on Local Computer.
3. Right-click IP Security Policies on Local Computer, click All Tasks, and then click Import Policies.
4. It is a good idea to read the IP Security Import warning; after that, click Yes.
5. In the Open dialog box, navigate to the USB key (where you should have the file), and then double-click IPsecurityPolicy3389.ipsec.
We are finished! Of course, if you have LAN access to the file, you can share it in a directory and copy it more easily.
Now you can try it and have the 3389 communication protected by IPsec!
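The same policy, assignment and export as a script, added here as an example and not part of the original post. It uses netsh ipsec static (present on Windows Server 2008 and Vista) with the names and key from the steps above; the qmsecmethods value is my choice of an integrity-plus-encryption method, and E:\ on Machine "B" is a placeholder for the USB key.

```powershell
# Added example, not from the original post: Task 1 + Task 2 + the export/import
# with netsh ipsec static instead of the Local Security Policy wizard.
# Run from an elevated prompt on Computer "A".
$psk = '$ecrET'   # single quotes: PowerShell must not expand $ecrET as a variable

# Steps 2-7: the policy, with the default response rule left inactive (no pre-Vista peers)
netsh ipsec static add policy name=Secure3389 description="Policy to encrypt SMB" activatedefrule=no

# Steps 12-20: filter list with one mirrored filter: any <-> any, TCP, source port 3389, any destination port
netsh ipsec static add filterlist name=Secure3389TCP description="3389 IPsec Filter"
netsh ipsec static add filter filterlist=Secure3389TCP srcaddr=any dstaddr=any protocol=TCP srcport=3389 dstport=0 mirrored=yes

# Steps 22-28: Negotiate security, Do not allow unsecured communications (inpass=no, soft=no),
# Integrity and encryption (ESP with 3DES + SHA1 is an assumption; use what your peers support)
netsh ipsec static add filteraction name=Secure3389Filter action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

# Steps 29-32: rule = filter list + filter action + preshared-key authentication, all network connections
netsh ipsec static add rule name=Secure3389Rule policy=Secure3389 filterlist=Secure3389TCP filteraction=Secure3389Filter conntype=all psk=$psk

# Task 2: assign the policy (only one IPsec policy can be assigned on a computer at a time)
netsh ipsec static set policy name=Secure3389 assign=y
netsh ipsec static show policy name=Secure3389 level=verbose   # confirm it shows as assigned and lists the rule

# Export for Machine "B" (the two export steps above)
New-Item -ItemType Directory -Path C:\IPSecPolicy -Force | Out-Null
netsh ipsec static exportpolicy file=C:\IPSecPolicy\IPsecurityPolicy3389.ipsec

# On Machine "B", from the USB key (E:\ is a placeholder); if the imported policy does not
# show as assigned, assign it there with the same set policy command:
#   netsh ipsec static importpolicy file=E:\IPsecurityPolicy3389.ipsec
#   netsh ipsec static show policy name=Secure3389
#   netsh ipsec static set policy name=Secure3389 assign=y
```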
Another thing is enforcement. For that you need to use Windows Firewall with Advanced Security and configure a connection security rule with this procedure:
Configure a Security Association rule in the Windows Firewall with Advanced Security MMC
1. On Computer "A", click Start, click Administrative Tools, and then click Windows Firewall with Advanced Security.
2. Select and then right-click Connection Security Rules, and then click New Rule.
3. In the New Connection Security Rule Wizard, select Server-to-server, and then click Next.
4. In the Endpoints dialog box, select Any IP Address for both options, and then click Next.
5. In the Requirements dialog box, select Require authentication for inbound and outbound connections, and then click Next.
6. In the Authentication Method dialog box, select Preshared key, type $ecrET in the text box, and then click Next.
7. On the Profile page, verify that the Domain, Private, and Public options are selected, and then click Next.
8. In the Name box, type SecureServerAuthenticationRule, and then click Finish.
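The connection security rule from the steps above as a script, plus the checks that tell you whether a security association was really negotiated. This is an added example, not from the original post; it assumes an elevated prompt on Computer "A" and that Machine "B" has the same rule and key. The SecureRDPOnly rule goes beyond the post by scoping the same requirement to TCP 3389.

```powershell
# Added example, not from the original post: steps 2-8 with netsh advfirewall consec,
# then verification with netsh advfirewall monitor. Run from an elevated prompt on "A".
$psk = '$ecrET'   # single quotes so PowerShell does not expand $ecrET as a variable

# Steps 3-8: server-to-server, Any IP Address on both ends, Require authentication for
# inbound and outbound (requireinrequireout = no fallback to clear), preshared key, all profiles
netsh advfirewall consec add rule name=SecureServerAuthenticationRule endpoint1=any endpoint2=any action=requireinrequireout auth1=computerpsk auth1psk=$psk profile=any

# Goes beyond the post: the same requirement scoped to RDP only (local TCP 3389), created
# disabled so it can be switched on once the broad rule has been tested
netsh advfirewall consec add rule name=SecureRDPOnly endpoint1=any endpoint2=any protocol=tcp port1=3389 port2=any action=requireinrequireout auth1=computerpsk auth1psk=$psk profile=any enable=no

# Check what was stored
netsh advfirewall consec show rule name=SecureServerAuthenticationRule

# After opening an RDP session from "B": a main mode SA means IKE authenticated the peer,
# a quick mode SA means ESP is actually protecting the 3389 traffic
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# No SA for "B" while the session hangs: with requireinrequireout the traffic is dropped,
# not sent in clear, so compare the key and the rule on both machines before anything else
```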

1 comment:

Jennifer said...

I get a clear idea about Windows Server 2008 configuration related information through this blog. Above all, the points are explained very clearly. web hosting in india
