Re: IPSec without encryption between intranet and standalone



As I read your posting, and an earlier one, you have no shared
realm and so no chance for there to be any form of Kerberos authN
to ever work. Also, all that you are attempting to do is to filter
what IPs can connect at which ports - you are not trying to provide
any packet protection except allowed endpoints (IPs/prot/ports).
However you are using rules as if you are trying to form IPsec
security associations (Kerberos and talk of shared key).
If all you want to do is endpoint filtering just make all of your
filters shared key and enter something and forget it. You are
not using security associations, only the filtering.
Things slow down because for each connection effort there
is a magnification in time due to the attempts to do a Kerberos
authN, the communications exchange to find a common provider,
etc. Again, you only need to have a working authN such as
Kerberos, or shared key, if you are intending to use packet
protection levels. Just define your rules with a garbage shared
string (that you do not have to in any way share) and uncheck
any default rules, plus for actions just use permit or block.

There is an IPsec newsgroup, which you will find mentioned
along with much other IPsec docs/guidance at
http://microsoft.com/ipsec


<rolf@xxxxxxxxxxxx> wrote in message
news:1160124228.851261.172030@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi all,

I'm trying to use IPSec to lock down a server, denying all TCP traffic
and then opening traffic on certain ports for certain IP addresses.

The ruleset works fine, the server still has public http access, I can
get terminal services up etc. However the intranet accesses the msSQL
server on the remote host via a connection string and there is a pause
every time a new connection is made or a session expires as the intranet
attempts to authenticate via kerberos. This is not possible as they are
not on the same domain.

Couple of questions;
1 - why is this problem not apparent when using terminal services etc,
but very apparent on the intranet msSQL access, when all the rules have
the default kerberos authentication.
2 - can I drop authentication completely..? If I used a shared key how
would that let HTML traffic through..?
3 - if I use a shared key how to get that key used from the intranet to
the remote machine..? Do I set up IPSec at the other end as well..?

Thanks for any help for a bit of an IPSec newbie.
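The filtering-only policy the reply describes (permit/block actions only, the default response rule switched off, a throwaway preshared key so no Kerberos exchange is ever attempted), written out as an added example that is not part of this thread. It uses the `netsh ipsec static` commands of Windows XP SP2 / Server 2003 and later rather than the Windows 2000 ipsecpol tool the original poster would have had; the intranet web server address 10.0.0.5, the admin address 10.0.0.9 and the SQL port 1433 are assumed values.

```batch
@echo off
rem Added example, not from the thread. Assumed: intranet web server is 10.0.0.5,
rem admin workstation for terminal services is 10.0.0.9, SQL Server listens on TCP 1433.

rem 1. Policy with the default response rule disabled (the "uncheck default rules" step),
rem    so no rule ever tries to negotiate a security association.
netsh ipsec static add policy name="SQL-Lockdown" activatedefrule=no description="Permit/block only, no SAs"

rem 2. Filter actions: plain permit and block. Never "negotiate" for this use.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

rem 3. Filter lists: one broad block list, then narrow permit lists.
netsh ipsec static add filterlist name="All-TCP-In"
netsh ipsec static add filter filterlist="All-TCP-In" srcaddr=any dstaddr=me protocol=TCP mirrored=yes

netsh ipsec static add filterlist name="Intranet-SQL"
netsh ipsec static add filter filterlist="Intranet-SQL" srcaddr=10.0.0.5 dstaddr=me protocol=TCP dstport=1433 mirrored=yes

netsh ipsec static add filterlist name="Public-HTTP"
netsh ipsec static add filter filterlist="Public-HTTP" srcaddr=any dstaddr=me protocol=TCP dstport=80 mirrored=yes

netsh ipsec static add filterlist name="Admin-RDP"
netsh ipsec static add filter filterlist="Admin-RDP" srcaddr=10.0.0.9 dstaddr=me protocol=TCP dstport=3389 mirrored=yes

rem 4. Rules. The most specific matching filter wins, so the permit rules override the block.
rem    kerberos=no plus a garbage psk: with permit/block actions the key is never exchanged
rem    or used, and nothing needs to be configured on the intranet side.
netsh ipsec static add rule name="Block-TCP"  policy="SQL-Lockdown" filterlist="All-TCP-In"  filteraction="Block"  kerberos=no psk="unused-placeholder"
netsh ipsec static add rule name="Allow-SQL"  policy="SQL-Lockdown" filterlist="Intranet-SQL" filteraction="Permit" kerberos=no psk="unused-placeholder"
netsh ipsec static add rule name="Allow-HTTP" policy="SQL-Lockdown" filterlist="Public-HTTP"  filteraction="Permit" kerberos=no psk="unused-placeholder"
netsh ipsec static add rule name="Allow-RDP"  policy="SQL-Lockdown" filterlist="Admin-RDP"    filteraction="Permit" kerberos=no psk="unused-placeholder"

rem 5. Assign the policy, then read it back to confirm every rule carries Permit or Block
rem    and that the default response rule is inactive.
netsh ipsec static set policy name="SQL-Lockdown" assign=y
netsh ipsec static show policy name="SQL-Lockdown"
```

If the pause on new SQL connections persists after this, unassign the policy (assign=n) and compare; a filtering-only policy adds no per-connection negotiation, so any remaining delay is not IPsec.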
