Re: IPSec filter bug?
From: Chris (anonymous_at_discussions.microsoft.com)
Date: 03/04/04
- Next message: FRA: "popup alert in a .vbs script called from a html"
- Previous message: Lanwench [MVP - Exchange]: "Re: FTP"
- In reply to: Herb Martin: "Re: IPSec filter bug?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 4 Mar 2004 12:39:15 -0800
Thanks for your reply.
Okay, after playing around with this, I have noticed the
exact same behavior in the RRAS filters as well. I still
believe there is a bug here. Let me boil this down to an
even simpler example, with some more specifics:
Let's say I have a Win2K server with 2 NICs installed,
configured as follows:
NIC A:
IP Address 192.168.0.1
Subnet Mask 255.255.255.0
NIC B:
IP Address 192.168.1.1
Subnet Mask 255.255.255.0
Hosts connected to NIC A
IP Address 192.168.0.<2-254>
Subnet Mask 255.255.255.0
Gateway 192.168.0.1
Hosts connected to NIC B
IP Address 192.168.1.<2-254>
Subnet Mask 255.255.255.0
Gateway 192.168.1.1
RRAS is running, with IP forwarding enabled.
Now, the goal is for hosts on both subnets to be able to
talk to the server, but not each other. (I realize that
having IP forwarding enabled is exactly what you would
NOT want to do to achieve this, but bear with me for the
purposes of this discussion.)
So, in its default state, host 192.168.0.10 can ping
192.168.1.20 (because of IP forwarding). To prevent
this, I tried setting up an IP Filter in IPSec that
blocks all traffic between 192.168.0.0/24 and
192.168.1.0/24. This does NOT work -- the pings still go
through.
However, if I change the filter so that it is less
specific and blocks traffic between 192.168.0.0/24
and "everything", it works as expected. Or, if I make
the filter more specific and block traffic between
192.168.0.0/24 and 192.168.1.20, it works as expected.
I have verified the exact same behavior in the RRAS
packet filters as well -- setting an input or output
filter on one of the adapters to block traffic between
the subnets does NOT work, but making the filter more
general or more specific does work.
I know that this example is rather esoteric, but imagine
adding a 3rd NIC to the server, connected to the
Internet, and enabling NAT so the two subnets have web
access. In that case I do need IP forwarding enabled,
otherwise NAT won't work.
So, my question is still: is this behavior by design? I
would think that if IP forwarding were causing the stack
to shortcut from one subnet to the other, it would mean
that no filters would be able to block this traffic.
However, only the subnet-to-subnet filters fail, so I
would tend to think something else is going on.
If anyone has any ideas, or can suggest another way of
setting this up (using a single computer), I'm all
ears. :)
Thanks again in advance.
- Chris
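As an added illustration (not part of the original thread), the following Python script models what the three filter variants Chris describes logically cover, evaluated against the forwarded ping 192.168.0.10 -> 192.168.1.20 and against ordinary host-to-server traffic. It is a toy filter engine, not the Windows 2000 IPSec or RRAS code: it assumes mirrored filters (each rule matches both directions) and that the most specific matching filter wins, and it also adds a fourth, assumed configuration with a permit exemption for the server address. The hosts, subnets and results are constructed from the addresses in the post.

```python
"""Toy mirrored IP filter model built around the subnets in the post.

Assumptions (not a model of the Windows IPSec/RRAS implementation):
  * every filter is mirrored, i.e. it matches the reverse direction too;
  * when several filters match, the most specific one (longest combined
    source + destination prefix) decides the action;
  * traffic matching no filter is permitted.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Filter:
    src: str            # CIDR, e.g. "192.168.0.0/24"
    dst: str            # CIDR, "0.0.0.0/0" stands for "everything"
    action: str         # "block" or "permit"
    mirrored: bool = True

    def specificity(self) -> int:
        # Longer prefixes describe fewer addresses, so a bigger total is more specific.
        return Net(self.src).prefixlen + Net(self.dst).prefixlen

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        s, d = Addr(src_ip), Addr(dst_ip)
        forward = s in Net(self.src) and d in Net(self.dst)
        reverse = self.mirrored and s in Net(self.dst) and d in Net(self.src)
        return forward or reverse


def decide(filters, src_ip: str, dst_ip: str, default: str = "permit") -> str:
    """Return the action for one packet: most specific matching filter wins."""
    hits = [f for f in filters if f.matches(src_ip, dst_ip)]
    if not hits:
        return default
    return max(hits, key=Filter.specificity).action


ANY = "0.0.0.0/0"
SUBNET_A, SUBNET_B = "192.168.0.0/24", "192.168.1.0/24"
SERVER_A, HOST_B = "192.168.0.1/32", "192.168.1.20/32"

# The three filter lists tried in the post.
SUBNET_TO_SUBNET = [Filter(SUBNET_A, SUBNET_B, "block")]
SUBNET_TO_ANY = [Filter(SUBNET_A, ANY, "block")]
SUBNET_TO_HOST = [Filter(SUBNET_A, HOST_B, "block")]

# Assumed variant: block subnet A to everything, but exempt the server's own
# address on NIC A with a more specific permit filter.
BLOCK_WITH_SERVER_EXEMPTION = [
    Filter(SUBNET_A, ANY, "block"),
    Filter(SUBNET_A, SERVER_A, "permit"),
]

# Constructed sample traffic: the forwarded ping and a host talking to the server.
CROSS_SUBNET = ("192.168.0.10", "192.168.1.20")
TO_SERVER = ("192.168.0.10", "192.168.0.1")


def outcome(filters) -> dict:
    """What each filter list does to the two sample flows."""
    return {
        "cross_subnet": decide(filters, *CROSS_SUBNET),
        "to_server": decide(filters, *TO_SERVER),
    }


if __name__ == "__main__":
    for name, fl in [("subnet-to-subnet", SUBNET_TO_SUBNET),
                     ("subnet-to-any", SUBNET_TO_ANY),
                     ("subnet-to-host", SUBNET_TO_HOST),
                     ("block-any + server exemption", BLOCK_WITH_SERVER_EXEMPTION)]:
        print(f"{name:30s} {outcome(fl)}")
```

Under these semantics all three of the post's filter lists block the forwarded ping, which is the behaviour Chris expected and did not see for the subnet-to-subnet case. The model also shows why the subnet-to-"everything" variant is not a drop-in answer on its own: 192.168.0.1 is part of "everything", so host-to-server traffic is caught as well unless a more specific permit filter for the server address is added alongside it.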