Re: ICMP IPSec Filter with certificates

From: David Cross [MS] (dcross@online.microsoft.com)
Date: 09/20/02

From: "David Cross [MS]" <dcross@online.microsoft.com>
Date: Fri, 20 Sep 2002 06:53:03 -0700

All machines that communicate via IPSEC must have a certificate installed
with a private key. This is normally known as enrollment. Enrollment for
certificates is well documented in the help files. All machines must have a
cert that chains to a common root CA.

Here is a good starting point beyond the help files to understand PKI and
enrollment:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/pkitech.asp

--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Chris" <cf_rich@hotmail.com> wrote in message
news:d97e530f.0209191441.52b990cb@posting.google.com...
> Hi,
>
> I was trying to do a simple IPSec filter that forces the client to
> have a certificate before the server responds to pings (Just as a
> test).  I followed Q253498 (Install a Certificate for Use with IP
> Security).  This explains how to add a CA to the server.  I then
> configured an IPSec filter for ICMP based on Q315055 (Use IPSec Policy
> to Secure Terminal Communications in Windows 2000) and modified it for
> ICMP.  Since I really can't find how to import the Certificate into
> the client (other than automatically which requires a Domain which I
> don't have), I exported the Key from the server in X.509 format and
> then imported it into the client in Trusted CA's.  I then tried
> pinging from the client and it doesn't seem to negotiate with the
> server.  I then go into my filter action on the server and select
> 'Allow unsecured communications with non-IPSec-aware computer' and
> then the ping works.  I'm assuming that the server and client aren't
> agreeing on a security scheme.  On the client, I enabled the Client
> (Respond Only) security policy as stated in Q315055.  It just doesn't
> seem to want to work if I 'require security'.
>
> (The client is Windows 2000 and the server is Windows XP Pro)
>
> All I want to do is use PKI to ensure the identity of the client doing
> a simple ping.  Sounds simple enough but I've searched everywhere and
> can't find documentation.
>
> Any help would be appreciated.
>
> Chris
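An added check, written for this thread and not part of either post, that tests on a single Windows machine the requirement David states: a certificate in the machine's Personal store that has a private key and chains to the root CA every peer trusts. `$RootThumbprint` is an assumed placeholder for the thumbprint of that common root.

```powershell
# Added example, not code from the original thread.
# Lists certificates IKE could use for certificate authentication on this
# machine and reports which root each one chains to. A peer that has only
# imported someone else's public certificate into Trusted Root CAs (as in the
# setup described above) has nothing in LocalMachine\My with a private key and
# will print the warning instead of a table.
param(
    # Assumed placeholder: the thumbprint of the root CA named in the IPsec
    # authentication method on every peer.
    [string]$RootThumbprint = 'PLACEHOLDER-ROOT-CA-THUMBPRINT'
)

# IKE only selects machine certificates that carry a private key and are valid.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }

if (-not $candidates) {
    Write-Warning 'No certificate with a private key in LocalMachine\My: this machine is not enrolled and cannot complete a certificate-based IKE negotiation.'
    return
}

foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is disabled so the result reflects the chain itself,
    # not whether a CRL distribution point is reachable from this host.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $builds = $chain.Build($cert)
    # The last element of a built chain is the self-signed root.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint
        ChainBuilds       = $builds
        RootSubject       = $root.Subject
        RootThumbprint    = $root.Thumbprint
        MatchesPolicyRoot = ($root.Thumbprint -eq $RootThumbprint)
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}
```

Run it on both peers; both must show at least one row with `ChainBuilds` and `MatchesPolicyRoot` true for the 'require security' filter action to succeed without falling back to unsecured communication.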
