Re: IPSEC Between two PCs in Win2K

anonymous_at_discussions.microsoft.com
Date: 11/28/03 

Date: Fri, 28 Nov 2003 13:40:00 -0800

Yes, I have done exactly the same configuration steps on
both PCs as suggested by article.

I tried what you suggested, strange thing though:

netdiag /test:ipsec /debug

shows me that two SAs do exist on each of two of my PCs
(the number of NICs on my PC, one IP addr per NIC). At the
same time, IPSec Monitor does not show me even single SA
(I have set the refresh time to 1 sec). I would expect
these two tools to show two IPSEC SAs on each PC.

If I hook the netwrk sniffer, I can see the ISAKMP
exchange happenning, but not any furher IPSEC packets. I
tried both "ping" and just connect to "share" on the 2nd
PC. No success. I guess, it's some sort of configuration
problem, but WHAT is it ? Anything else you can think of ?

Thanks,

Eugene.

>-----Original Message-----
>I assume you did that on both computers. I have found
ping a somewhat
>unreliable method at times of proving ipsec connectivity
as it seems that
>ping may time out before SA is established. I would
double check that ipsec
>policy is indeed assigned to each computer. You could try
somehing like
>accessing a share and transfering a file and then using
ipsecmon to see if
>ipsec encryption is being used. Netdiag is helpful in
determining what ipsec
>policy if any is assigned to a computer. --- Steve
>
>http://support.microsoft.com/default.aspx?scid=kb;en-
us;Q321708
>http://www.brienposey.com/kb/monitoring_secured_communicat
ions_through_ipsecmon.asp
>
><anonymous@discussions.microsoft.com> wrote in message
>news:001c01c3b55e$72bdf1f0$a001280a@phx.gbl...
>>
>> >Make sure that you are using
>> >the same pre shared keys for authentication and
>> >that your policy allows ICMP.
>>
>> I just followed the steps in the article: one of the
steps
>> required me to enter the "123456789" as a pre-shared key
>> on both PCs. Another step required me to choose "All IP
>> Traffic" as an IP Filter. That's what I've done for both
>> of these steps. As I said, I have repeated all steps in
>> article several times with the same negative result.
>>
>> Thanks for your reply.
>>
>> Eugene.
>>
>> >-----Original Message-----
>> >Make sure that you are using the same pre shared keys
for
>> authentication and
>> >that your policy allows ICMP. --- Steve
>> >
>> >http://support.microsoft.com/default.aspx?scid=kb;en-
>> us;257225
>> >
>> >"EugeneN" <anonymous@discussions.microsoft.com> wrote
in
>> message
>> >news:029501c3b522$69f5fc70$a101280a@phx.gbl...
>> >> Hi,
>> >>
>> >> For IPSEC testing purposes I am trying to setup an
IPSEC
>> >> chanel between two PCs with Win2K Prof
(workstations). I
>> >> am strictly following the porocedure outlined in the
MS
>> >> Article "Step-by-Step Guide to Internet Protocol
>> Security
>> >> (IPSec)"
>> >>
>>
(www.microsoft.com/windows2000/techinfo/planning/security/i
>> >> psecsteps.asp).
>> >>
>> >> All steps are giving me the expected results on both
>> >> computer except the one when I am trying to "ping"
the
>> >> another computer's IP Address. First time I ping, I
am
>> >> getting the expected results of "Negotiating IP
>> Security."
>> >> message. But then regardless of the number of time I
>> ping,
>> >> I am still getting the same "Negotiating IP
Security."
>> >> messages, and no ping echo reply.
>> >>
>> >> I repeated the procedure multiple times from scratch
>> with
>> >> the same outcome. I verified that IPSEC Policy Agent
is
>> >> running on both PCs. I hooked up the network sniffer
and
>> >> made sure that ISAKMP messages are being exchanged
>> between
>> >> two PCs. But still no further IPSEC packets can be
seen.
>> >>
>> >> Is there anybody who would do that successfuly ? Are
>> there
>> >> any "gotchas" I should be aware of when setting the
>> IPSEC
>> >> between two PCs ?
>> >>
>> >> Thanks,
>> >>
>> >> Eugene.
>> >>
>> >>
>> >
>> >
>> >.
>> >
>
>
>.
>

Relevant Pages

  • IPSEC Between two PCs in Win2K
    ... For IPSEC testing purposes I am trying to setup an IPSEC ... chanel between two PCs with Win2K Prof. ... Article "Step-by-Step Guide to Internet Protocol Security ... First time I ping, I am ...
    (microsoft.public.win2000.security)
  • Re: Win 2003 Server only talking with local Subnet
    ... There are no IPSec filters or policies running. ... with one IP Address and it can ping the firewall without issue. ... IPv4 Route Table ...
    (microsoft.public.windows.server.networking)
  • Re: Trouble with ISA2004 site-to-site to Cisco Pix 501
    ... "relevant" traffic is generated towards its IPSEC peer. ... > Pix 501 and we can establish the IPSEC site to site but they have to ... > they initiate a ping to one of our machines we ... > can then and only then ping them from that machine. ...
    (microsoft.public.isaserver)
  • Re: IPSec policy
    ... I changed the protocol from TCP to Any and the ping test ... plus I saw activity in IPSec Monitor. ... >> domain server. ...
    (microsoft.public.win2000.security)
  • Re: IPSEC Between two PCs in Win2K
    ... > For IPSEC testing purposes I am trying to setup an IPSEC ... But then regardless of the number of time I ping, ... I verified that IPSEC Policy Agent is ... > running on both PCs. ...
    (microsoft.public.win2000.security)