Re: IPSEC Between two PCs in Win2K
From: Steven L Umbach (n9rouz_at_nscomcast.net)
Date: 11/29/03
- Next message: Steven L Umbach: "Re: Wireless Connectivity between W2K desktop and XP laptop"
- Previous message: Peter: "Re: Administrator denied access to local security policy"
- In reply to: anonymous_at_discussions.microsoft.com: "Re: IPSEC Between two PCs in Win2K"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 29 Nov 2003 00:44:41 GMT
Hmm. Make sure there are no personal firewalls or other packet filtering between the
two computers that may interfere. I would try to use the built-in server (request
security) policy to see if you can get that to work between the two computers instead
of a custom rule at first. You could modify that built-in rule by unchecking the all
ICMP rule and then, for the all IP and <dynamic> rule, just change the authentication
to a preshared key and delete Kerberos. After that, assign that rule on both
computers, and since each computer is requesting ipsec negotiation, it should encrypt
traffic. You can always restore the three built-in rules to default so you do not
have to worry about messing them up during the testing process.

--- Steve

<anonymous@discussions.microsoft.com> wrote in message
news:028c01c3b5f8$2c93b3a0$a401280a@phx.gbl...
> Yes, I have done exactly the same configuration steps on
> both PCs as suggested by article.
>
> I tried what you suggested, strange thing though:
>
> netdiag /test:ipsec /debug
>
> shows me that two SAs do exist on each of two of my PCs
> (the number of NICs on my PC, one IP addr per NIC). At the
> same time, IPSec Monitor does not show me even single SA
> (I have set the refresh time to 1 sec). I would expect
> these two tools to show two IPSEC SAs on each PC.
>
> If I hook the network sniffer, I can see the ISAKMP
> exchange happening, but not any further IPSEC packets. I
> tried both "ping" and just connect to "share" on the 2nd
> PC. No success. I guess, it's some sort of configuration
> problem, but WHAT is it? Anything else you can think of?
>
> Thanks,
>
> Eugene.
>
> >-----Original Message-----
> >I assume you did that on both computers. I have found ping a somewhat
> >unreliable method at times of proving ipsec connectivity as it seems that
> >ping may time out before SA is established. I would double check that ipsec
> >policy is indeed assigned to each computer. You could try something like
> >accessing a share and transferring a file and then using ipsecmon to see if
> >ipsec encryption is being used. Netdiag is helpful in determining what ipsec
> >policy if any is assigned to a computer. --- Steve
> >
> >http://support.microsoft.com/default.aspx?scid=kb;en-us;Q321708
> >http://www.brienposey.com/kb/monitoring_secured_communications_through_ipsecmon.asp
> >
> ><anonymous@discussions.microsoft.com> wrote in message
> >news:001c01c3b55e$72bdf1f0$a001280a@phx.gbl...
> >>
> >> >Make sure that you are using
> >> >the same pre shared keys for authentication and
> >> >that your policy allows ICMP.
> >>
> >> I just followed the steps in the article: one of the steps
> >> required me to enter the "123456789" as a pre-shared key
> >> on both PCs. Another step required me to choose "All IP
> >> Traffic" as an IP Filter. That's what I've done for both
> >> of these steps. As I said, I have repeated all steps in
> >> article several times with the same negative result.
> >>
> >> Thanks for your reply.
> >>
> >> Eugene.
> >>
> >> >-----Original Message-----
> >> >Make sure that you are using the same pre shared keys for authentication and
> >> >that your policy allows ICMP. --- Steve
> >> >
> >> >http://support.microsoft.com/default.aspx?scid=kb;en-us;257225
> >> >
> >> >"EugeneN" <anonymous@discussions.microsoft.com> wrote in message
> >> >news:029501c3b522$69f5fc70$a101280a@phx.gbl...
> >> >> Hi,
> >> >>
> >> >> For IPSEC testing purposes I am trying to set up an IPSEC
> >> >> channel between two PCs with Win2K Prof (workstations). I
> >> >> am strictly following the procedure outlined in the MS
> >> >> Article "Step-by-Step Guide to Internet Protocol Security
> >> >> (IPSec)"
> >> >> (www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp).
> >> >>
> >> >> All steps are giving me the expected results on both
> >> >> computers except the one when I am trying to "ping" the
> >> >> other computer's IP Address. The first time I ping, I am
> >> >> getting the expected results of "Negotiating IP Security."
> >> >> message. But then regardless of the number of times I ping,
> >> >> I am still getting the same "Negotiating IP Security."
> >> >> messages, and no ping echo reply.
> >> >>
> >> >> I repeated the procedure multiple times from scratch with
> >> >> the same outcome. I verified that IPSEC Policy Agent is
> >> >> running on both PCs. I hooked up the network sniffer and
> >> >> made sure that ISAKMP messages are being exchanged between
> >> >> two PCs. But still no further IPSEC packets can be seen.
> >> >>
> >> >> Is there anybody who would do that successfully? Are there
> >> >> any "gotchas" I should be aware of when setting the IPSEC
> >> >> between two PCs?
> >> >>
> >> >> Thanks,
> >> >>
> >> >> Eugene.
> >> >>
> >> >>
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >
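
An added example, not part of the original thread: a capture-side check for the symptom discussed above (ISAKMP exchange visible, no further IPsec packets). It classifies sniffed packets by IP protocol and by the exchange type in the ISAKMP fixed header (RFC 2408/2409); the function names, state labels and sample capture are constructed for illustration.

```python
import struct
from collections import Counter

# ISAKMP fixed header (RFC 2408): initiator/responder cookies, next payload,
# version, exchange type, flags, message ID, total length. 28 bytes.
HDR = struct.Struct("!8s8sBBBBII")
EXCHANGE = {2: "main_mode", 4: "aggressive_mode", 5: "informational", 32: "quick_mode"}

def parse_isakmp(payload):
    """Return (exchange name, message ID) from a UDP/500 payload."""
    if len(payload) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    _ci, _cr, _np, _ver, xchg, _flags, msg_id, length = HDR.unpack_from(payload)
    if length < HDR.size:
        raise ValueError("bad ISAKMP length field")
    return EXCHANGE.get(xchg, "other"), msg_id

def diagnose(packets):
    """packets: (ip_protocol, udp_dst_port or None, payload) tuples from a capture."""
    seen = Counter()
    for proto, port, payload in packets:
        if proto in (50, 51):                # ESP or AH: an IPsec SA is carrying data
            seen["protected"] += 1
        elif proto == 17 and port == 500:    # IKE negotiation traffic
            try:
                seen[parse_isakmp(payload)[0]] += 1
            except ValueError:
                seen["malformed"] += 1
    if seen["protected"]:
        state = "protected"        # negotiation completed, traffic is secured
    elif seen["quick_mode"]:
        state = "phase2_no_data"   # Quick Mode seen, nothing protected: look for packet filtering
    elif seen["main_mode"] or seen["aggressive_mode"]:
        state = "phase1_only"      # never left phase 1: compare authentication method and key
    else:
        state = "no_ike"           # no negotiation at all: is a policy assigned on both ends?
    return state, dict(seen)

def hdr(xchg, msg_id=0):
    """Constructed sample header with dummy cookies, used only for the demo capture."""
    return HDR.pack(b"I" * 8, b"R" * 8, 0, 0x10, xchg, 0, msg_id, HDR.size)

# Constructed capture: six Main Mode packets, one ICMP packet, no Quick Mode, no ESP.
SAMPLE = [(17, 500, hdr(2))] * 6 + [(1, None, b"")]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

The state labels are heuristics for where to look next, not a definitive cause.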