Re: IPSEC BUG - Cannot filter - Subnet Mask invalid

From: Q (Q@nospam.net)
Date: 12/07/02


From: "Q" <Q@nospam.net>
Date: Fri, 6 Dec 2002 19:03:40 -0500


"Steven E. Adams" <stevea1@home2offic.com> wrote in message
news:06f801c29d69$b551f790$8af82ecf@TK2MSFTNGXA03...
> I have looked at this article before posting...
> Traffic That Can--and Cannot--Be Secured by IPSec (253169)
>
>
> Using IPSEC, I can not enter these addresses in the "IP
> Filter List" to Filter ASIAN Networks:
>
> 200.0.0.0 / 255.0.0.0
> 203.0.0.0 / 255.0.0.0
> 211.0.0.0 / 255.0.0.0
> 212.0.0.0 / 255.0.0.0
> 213.0.0.0 / 255.0.0.0
> 218.0.0.0 / 255.0.0.0
> 219.0.0.0 / 255.0.0.0
>
> (I am sure there are more)
> I get an error "This is an invalid MASK for the specified
> IP Address"
>
> HOWEVER, When I enter in these IP Addresses, I DO NOT get
> an error:
>
> 61.0.0.0 / 255.0.0.0
> 80.0.0.0 / 255.0.0.0
>
>
> Is this a bug in the IPSEC Policy?
> Is there a patch?
> Am I doing something Wrong?
>
> UNIX & LINUX Firewall rules do this no problem, IPCHAINS,
> ETC... It would be great if Microsoft would get the IPSEC
> to work the way I would like to use it.
>
> Steven E. Adams

Strangely enough, the filters refused by the IPSEC as Invalid Mask are
accepted in the RRAS packet filter module (which is a bit higher in the
TCP/IP stack). You might want to report this as a bug to Microsoft.

As for the IPCHAINS for Windows I'd recommend you have a look at chx:
http://www.idrci.net/packetfilter/html/index.html

Cheers,

Q.


