ICMP IPSec Filter with certificates

From: Chris (cf_rich@hotmail.com)
Date: 09/20/02

• Next message: Vitalijus J. Karalius: "Re: Microsoft Security Bulletin MS02-052"
• Previous message: Shaolin Tiger: "Re: Generation of "security impersonation = false" files"
• Next in thread: David Cross [MS]: "Re: ICMP IPSec Filter with certificates"
• Reply: David Cross [MS]: "Re: ICMP IPSec Filter with certificates"
• Reply: Chris Gilbert: "Re: ICMP IPSec Filter with certificates"
• Reply: Chris: "Re: ICMP IPSec Filter with certificates"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: cf_rich@hotmail.com (Chris)
Date: 19 Sep 2002 15:41:11 -0700

Hi,

I was trying to do a simple IPSec filter that forces the client to
have a certificate before the server responds to pings (Just as a
test). I followed Q253498 (Install s Certificate for Use with IP
Security). This explains how to add a CA to the server. I then
configured an IPSec filter for ICMP based on Q315055 (Use IPSec Policy
to Secure Terminal Communications in Windows 2000) and modifed it for
ICMP. Since I really can't find how to import the Certificate into
the client (other than automatically which requires a Domain which I
don't have), I exported the Key from the server in X.509 format and
then imported it into the client in Trusted CA's. I then tried
pinging from the client and it doesnt seem to negotiate with the
server. I then go into my filter action on the server and select
'Allow unsecured communications with non-IPSec-aware computer' and
then the ping works. I'm assuming that the server and client aren't
agreeing on a security scheme. On the client, I enabled the Client
(Respond Only) security policy as stated in Q315055. It just doesn't
seem to want to work if I require I 'require security'.

(The client in Windows 2000 and the server is Windows XP Pro)

All I want to do is use PKI to ensure the identity of the client doing
a simple ping. Sounds simple enough but I've searched everywhere and
can't find documentation.

Any help would be appreciated.

Chris

---

• Next message: Vitalijus J. Karalius: "Re: Microsoft Security Bulletin MS02-052"
• Previous message: Shaolin Tiger: "Re: Generation of "security impersonation = false" files"
• Next in thread: David Cross [MS]: "Re: ICMP IPSec Filter with certificates"
• Reply: David Cross [MS]: "Re: ICMP IPSec Filter with certificates"
• Reply: Chris Gilbert: "Re: ICMP IPSec Filter with certificates"
• Reply: Chris: "Re: ICMP IPSec Filter with certificates"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle ... SSL only validates you are talking to a SSL certified server; ... They can simply edit the URL the client program ... can be done by using a X.509 certificate on both ends, ... (microsoft.public.dotnet.framework.aspnet.security) RE: cannot connect computer ... if I type in the url of the server i get through ok. ... client computer to SBS domain. ... | I am unable to ping the sbs server by ip or name. ... (microsoft.public.windows.server.sbs) Re: Cannot connect to Server ... Test 1 - the clients can ping one anotehr ... gpupdate/force - reboot both client and server - ping to server from client ... Suggestion 2 - ping to server works when running safe mode with networking ... (microsoft.public.windows.server.sbs) Re: LDP client authentication fails ... I got the LDP working with LDAP server under server client authentication ... I did not installed the certificate in pfx format .. ... Client cert auth won't work without that. ... (microsoft.public.windows.server.active_directory) RE: Unable to ping client2 ... I understand that the server box can not ping one ... client workstation after upgraded to SBS 2003 SP1. ... Reboot the SBS Server. ... On the client workstation, run "ipconfig /release" and then run ... (microsoft.public.windows.server.sbs)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(14)