L2TP/IPSec and end-to-end security
From: SanjayG (agsanjay@email.com)
Date: 07/29/02
Hello,
As a curiosity exercise, I am trying to get a secure end-to-end
IPSec connection from my VPN client (C1) to a remote client (C2).
Though I thought this to be a simple 2-step (indicated below) process,
I am having problems :(. Would appreciate any pointers that indicate
what I could be missing.
Step1:
My VPN client (XP-Pro) connects to my RAS server (a .Net server)
using L2TP with IPSec.
C1<----------------->RAS-Server<------------>C2
<-(L2TP/IPSec)->
Step2:
I create an end-to-end (transport) IPSec policy from C1 to C2
C1<----------------->RAS-Server<------------>C2
<-(L2TP/IPSec)->
<--------------(Transport IPSec)------->
Step1 works fine, I see L2TP pkts (both directions) between the C1
and the RAS-Server encrypted (ESP-3DES) and the session itself
authenticated. However I have had no success with Step2. After I
activate the transport policy, if I ping from C2 to C1, I see the
"Negotiating IP Security" message only. I traced (with a sniffer) the
IKE session request pkt to actually arrive at C1, which however seems
to ignore it. I am sure the policy setup is fine. I am not sure why
the response from C1 for the IKE is missing. On the flip-side if I
ping from C1 to C2, the transport policy is totally ignored and no
IKE session is initiated at all before the ping requests!!
Based on IPSec spec such a combination of SAs is possible. Does MS's
IPSec implementation support it? Any pointers??
-Sanjay
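For readers trying to picture what the two policies in the post should do to a single packet, here is an added model (not from the post, and not Microsoft's IPSec code) of C1's outbound processing: the security policy database is consulted once for the inner C1-to-C2 packet and again for the L2TP/UDP packet toward the RAS server, which is the "combination of SAs" (an SA bundle in RFC 2401 terms) the post refers to. All addresses and policy names are constructed placeholders.

```python
# Added model (not from the post, nor Microsoft's code): how C1's SPD is
# consulted twice when the end-to-end transport policy (C1 -> C2) sits under
# the L2TP/IPsec connection (C1 -> RAS-Server), i.e. an RFC 2401 SA bundle.
# All addresses are constructed placeholders.
from __future__ import annotations
from dataclasses import dataclass, replace

C1_VPN, C2 = "10.0.0.50", "10.0.0.200"        # C1's VPN-assigned address, C2
C1_PUB, RAS = "198.51.100.10", "203.0.113.5"  # C1's real address, RAS-Server

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "udp" or "esp"
    dport: int | None
    layers: tuple         # outermost first, for inspection

@dataclass(frozen=True)
class Policy:             # SPD rule: dst address, protocol and port selectors
    name: str
    dst: str
    proto: str | None     # None = any
    dport: int | None     # None = any

def first_match(spd, pkt):
    """Ordered SPD lookup: first matching rule wins (RFC 2401 section 4.4.1)."""
    for rule in spd:
        if (rule.dst == pkt.dst and rule.proto in (None, pkt.proto)
                and rule.dport in (None, pkt.dport)):
            return rule
    return None

def apply_transport_esp(pkt, sa):
    """Transport-mode ESP keeps the IP header and wraps only the payload."""
    return replace(pkt, proto="esp", dport=None, layers=(f"ESP[{sa}]",) + pkt.layers)

def send_c1_to_c2(spd):
    """Outbound path from C1: SPD check on the inner packet, PPP/L2TP/UDP
    encapsulation toward RAS, then a second SPD check on the outer packet."""
    inner = Packet(C1_VPN, C2, "icmp", None, ("ICMP echo",))
    if rule := first_match(spd, inner):
        inner = apply_transport_esp(inner, rule.name)      # end-to-end SA
    outer = Packet(C1_PUB, RAS, "udp", 1701,
                   ("UDP/1701", "L2TP", "PPP", f"IP {inner.src}->{inner.dst}") + inner.layers)
    if rule := first_match(spd, outer):
        outer = apply_transport_esp(outer, rule.name)      # L2TP/IPsec SA
    return outer

# C1's SPD as the post describes it: the L2TP rule plus the end-to-end rule.
SPD = (Policy("l2tp-ipsec", RAS, "udp", 1701), Policy("end-to-end", C2, None, None))
```

Running `send_c1_to_c2(SPD)` yields a packet whose outermost layer is the L2TP/IPsec ESP and which carries the end-to-end ESP inside the PPP payload; dropping the second rule leaves the inner packet in the clear, which is the symptom the post reports when pinging from C1.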