Re: Configuring Port range in IPsec

From: Steve Riley [MSFT] (steriley_at_microsoft.com)
Date: 01/09/05


Date: Sat, 08 Jan 2005 23:01:40 -0800

Remember that IPsec is really about creating authenticated and (optionally)
encrypted security associations between a pair of computers. Given that primary
design goal, it appears that port ranges aren't something that's required.

I'm guessing that you'd like port ranges for simple block/allow rules --
using the IPsec engine as a packet filter. Is that right? Or do you have
a need for security associations with port ranges?

Steve Riley
steriley@microsoft.com

> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:#nzGTLb9EHA.2196@TK2MSFTNGP11.phx.gbl...
>
>> That is interesting. Do you know how many filters can fit into a rule
>> and how many rules can fit into a policy?? Some user a while back
>> said he had so many filters in a rule that it would not accept any more.
>> I suggested he add a new rule with the same filter action but never
>> heard back from him to know whether that worked or not. I personally
>> never plan to add that many to find out. --- Steve
>>
> I have reached no limits -- unless you are thinking of my complaint
> where at about 1000 rules it was eating up my CPU to invoke the thing
> -- once it was running it was fine.
>
> This may have been (quietly) fixed in some service pack/hotfix.
>
>> "Herb Martin" <news@LearnQuick.com> wrote in message
>> news:OiZekUW9EHA.1084@TK2MSFTNGP15.phx.gbl...
>>
>>> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
>>> news:uCITVjO9EHA.3416@TK2MSFTNGP09.phx.gbl...
>>>
>>>> You can not configure a port range in a single filter entry for an
>>>> ipsec policy. You can either use an IP address or subnet when creating
>>>> a filter entry for an ipsec rule. --- Steve
>>>>
>>> It's one of the serious weaknesses of the IPSec
>>> filter rules.
>>> I wrote a "generator" in Perl which builds the
>>> IPSec rules from a table (sort of) because at
>>> least one of my machines runs close to a 1000
>>> rules/filter sets.
>>> Even this is not a full solution because at a 1000 rules it can
>>> significantly impact the machine's performance for up to an hour when
>>> the rules are re-applied.
>>>
>>> Better would be for the filters to accept such
>>> information and handle it efficiently.
>>> -- Herb Martin
>>>



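The workaround the thread converges on (one filter entry per port, generated from a table rather than typed by hand) as an added example. This is not Herb Martin's Perl generator and not code from the thread; it is a small Python generator that emits the equivalent `netsh ipsec static add filter` commands. It assumes the Windows Server 2003 / XP SP2 `netsh ipsec static` context (Windows 2000 itself has no netsh ipsec context and would need ipsecpol.exe from the Resource Kit instead). The filter-list name, the sample table of hosts and ports, and the 1000-filter warning threshold are constructed for the example; the threshold reflects the CPU complaint above, not any documented product limit.

```python
"""Expand port ranges into per-port IPsec filter entries.

Windows 2000/2003 IPsec filter lists take one port per filter entry, so a
range has to become N entries. This builds them from a small table and
emits the equivalent "netsh ipsec static add filter" commands (Windows
Server 2003 / XP SP2 syntax is assumed; Windows 2000 has no netsh ipsec
context and needs ipsecpol.exe instead).
"""
from ipaddress import ip_network
from typing import Dict, List, Optional

# Constructed threshold, not a product limit: the thread reports that
# re-applying a policy with around 1000 filters pegs the CPU for a while.
WARN_FILTER_COUNT = 1000


def expand_ports(spec: str) -> List[int]:
    """'80' -> [80]; '5000-5003' -> [5000, 5001, 5002, 5003]."""
    if "-" in spec:
        lo, hi = (int(p.strip()) for p in spec.split("-", 1))
    else:
        lo = hi = int(spec.strip())
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return list(range(lo, hi + 1))


def addr_args(addr: str, role: str) -> str:
    """Render 'me', 'any', a host or a CIDR subnet as netsh src/dst arguments.

    A subnet becomes <role>addr=<network> <role>mask=<netmask>; a single
    host gets no mask (netsh treats a bare address as a host).
    """
    if addr.lower() in ("me", "any"):
        return f"{role}addr={addr.lower()}"
    net = ip_network(addr, strict=False)
    args = f"{role}addr={net.network_address}"
    if net.prefixlen != net.max_prefixlen:
        args += f" {role}mask={net.netmask}"
    return args


def build_filters(filterlist: str, table: List[Dict[str, str]]) -> List[str]:
    """One netsh command per (row, port); mirrored=yes also matches replies."""
    cmds = []
    for row in table:
        for port in expand_ports(row["dstport"]):
            cmds.append(
                "netsh ipsec static add filter "
                f"filterlist={filterlist} "
                f"{addr_args(row['src'], 'src')} "
                f"{addr_args(row['dst'], 'dst')} "
                f"protocol={row['protocol'].upper()} "
                f"dstport={port} mirrored=yes"
            )
    return cmds


def size_warning(cmds: List[str]) -> Optional[str]:
    """Return a warning when the list is large enough to hurt policy-apply time."""
    if len(cmds) >= WARN_FILTER_COUNT:
        return (f"{len(cmds)} filters: expect a long CPU spike when the "
                f"policy is (re)applied; consider splitting the filter list")
    return None


# Constructed sample table (hypothetical hosts and ports, not from the thread).
SAMPLE_TABLE = [
    {"src": "any", "dst": "me", "protocol": "tcp", "dstport": "80"},
    {"src": "192.168.1.0/24", "dst": "me", "protocol": "tcp", "dstport": "5000-5003"},
]

if __name__ == "__main__":
    commands = build_filters("ExampleList", SAMPLE_TABLE)
    print("\n".join(commands))
    warning = size_warning(commands)
    if warning:
        print("WARNING:", warning)
```

Redirect the output into a .cmd file and run it after creating the list once with `netsh ipsec static add filterlist name=ExampleList`; the filter list still has to be attached to a rule with a filter action and the policy assigned before anything is enforced. The size check is there because, as the thread notes, the filters themselves are not the bottleneck but applying a policy that carries a thousand of them is.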