RE: Microsoft IPSec via group policy

---

• From: "Jesse Rink" <jesse-rink@xxxxxxxxx>
• Date: Wed, 6 Feb 2008 08:03:36 -0600

---

Hello.
Sorry for the delayed response. For some reason when I post on this list,
my posts sometimes don't' show up for 16-30 hours. Not quite sure why.

What I'm attempting is to encrypt network traffic between my clients and my
domain controllers and clients and my member servers.

I have tried setting IPSec up in group policy however I'm running into some
strange issues. What I've done to set this up for testing is this...

1. In the Domain Controllers OU and GPO, I set the IP Sec policy for Server
(request security) - Assigned.

2. In the test PC OU and GPO, I set the IP Sec policy for Client (respond
only) - Assigned.

At this time, I think I should be good to go. I go to the XP client and do
a gpupdate /force and reboot the computer. Now, here's what's odd.
According to documentation I've read, I should be able to tell the IP Sec
policy applied to the client in the following ways:

1. I should be able to do an RSOP.msc from Start|Run on the XP client and
see the IP Sec policy. I try that, but nothing shows up.

2. I should be able to look at the Local Security Policy on the XP client
and it should show that IP Sec policy has been applied from a GPO. I try
that, but nothing shows up.

I am starting to wonder if the documentation I've read is WRONG about these
things. I have noticed this... If I look on the XP Client's registry, under
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPsec\GPTIPSECPolicy and under
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPsec\Policy\Cache, I "DO" find
that these keys are created/updated after doing the gpupdate /force and
rebooting, so it SEEMS like IPSec is getting applied? But again, RSOP.msc
and the Local Security Policy show NOTHING. Why is this?

Also, I am testing what happens if the IPSec policy on the client is
unapplied. This is very strange as well. If after having applied the IP
Sec policy via GPO to the XP Client, I remove it a short time later by going
into the GPO for the PC OU, and changing Client (respond only) to Unassign,
when I then go to the XP client and do a gpupdate /force and then reboot,
the XP client can no longer contact the domain controller. I can't even
ping it, nor can the domain controller ping the client. This doesn't make
sense. I am removing the IP Sec policy from the client "by the book" as far
as I can tell by unassigning it first, and then making sure the new GPO is
applied to the PC. Any idea on this particular issue?

I'm about ready to open up a case with Microsoft to figure this stuff out.
Thanks for any help.

JR



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Paul J. Brickett
Sent: Tuesday, February 05, 2008 11:02 AM
To: jesse-rink@xxxxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxx;
security-basics-return-47647@xxxxxxxxxxxxxxxxx
Subject: Re: Microsoft IPSec via group policy

What exactly are you trying to do? Providing detail to the group may
elicit more responses.

I've deployed several IPSec GPOs- I generally have used IPSec GPOs to more
granularly block/allow access to specific ports/protocols. I find that
it's a more precise tool then Windows Firewall. I often find myself
comparing it to IPTables.

-PJB

On Mon, 4 Feb 2008, jesse-rink@xxxxxxxxx wrote:

Just curious if anyone on the list has implemented IPsec for Windows
2003/XP via Group Policy? I am testing this out and finding some strange
results that I'd like to bounce off someone who's done this before.
Anyone?

JR

--------------------------------------------------------------------
mail2web.com - Enhanced email for the mobile individual based on

MicrosoftR

Exchange - http://link.mail2web.com/Personal/EnhancedEmail

---

• Follow-Ups:
  • RE: Microsoft IPSec via group policy
    • From: Ramsdell, Scott
  • Re: Microsoft IPSec via group policy
    • From: Rodrigo Immaginario

• References:
  • Re: Microsoft IPSec via group policy
    • From: Paul J. Brickett

• Prev by Date: Re: CISO/Security Team roles and functions
• Next by Date: Tomcat 5.5 Admin webpage
• Previous by thread: Re: Microsoft IPSec via group policy
• Next by thread: Re: Microsoft IPSec via group policy
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Microsoft IPSec via group policy ... Requiring ipsec between a client and a DC via GPO is problematic. ... Microsoft IPSec via group policy ... (Security-Basics) re: Microsoft IPSec ... My original intention for enabling IPsec was the prevent users from ... Microsoft IPSec via group policy ... Requiring ipsec between a client and a DC via GPO is problematic. ... (Security-Basics) RE: Microsoft IPSec via group policy ... IPsec could accomplish this. ... Microsoft IPSec via group policy ... Requiring ipsec between a client and a DC via GPO is problematic. ... (Security-Basics) Re: Microsoft IPSec via group policy ... I have tried setting IPSec up in group policy however I'm running into some ... I go to the XP client and do ... (Security-Basics) Re: Microsoft IPSec via group policy ... I have tried setting IPSec up in group policy however I'm running into some ... I go to the XP client and do ... (Security-Basics)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(18)