Re: Problem with IPSEC
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 17 Jul 2006 21:51:15 -0500
Are you sure that when a user enters nytimes in their address bar that it is
resolving to an IP address in the allow list? What you could do on a client
computer is run ipconfig /displaydns to see if the IP address shown for
nytimes is in the allow list, or try using TDImon from Sysinternals to view
the IP traffic in real time looking for port 80 outbound traffic. Another
thing I would try is to create a hosts file on a client computer with the IP
address or addresses for nytimes to see if that works or not, which would
ensure only the IPs in the hosts file are used. To answer an earlier
question, yes, ipsec filters are weighted such that a specific rule overrides
a general rule. Unfortunately I don't believe you can enable logging for
ipsec in XP like you can for Windows 2003 to see events for dropped traffic.
I tend to think the problem is that an IP address not on the allow list is
being used sometimes.
Steve
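The check suggested above (compare what ipconfig /displaydns shows against the IPsec allow list) as an added example; this is not code from the thread. It parses a constructed sample of the cache dump (placeholder names and documentation-range addresses) and reports cached A records that no allow-list entry covers.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /displaydns` output; not from a real machine.
SAMPLE_DISPLAYDNS = """\
Windows IP Configuration

    www.nytimes.com
    ----------------------------------------
    Record Name . . . . . : www.nytimes.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 300
    CNAME Record  . . . . : www.nytimes.com.example-cdn.net

    Record Name . . . . . : www.nytimes.com.example-cdn.net
    Record Type . . . . . : 1
    Time To Live  . . . . : 20
    A (Host) Record . . . : 192.0.2.10

    Record Name . . . . . : www.nytimes.com.example-cdn.net
    Record Type . . . . . : 1
    Time To Live  . . . . : 20
    A (Host) Record . . . : 198.51.100.7
"""

# Addresses the IPsec allow filter was built from (constructed placeholders).
ALLOW_LIST = ["192.0.2.0/28", "192.0.2.50"]

NAME_RE = re.compile(r"Record Name\s*[. ]*:\s*(\S+)")
A_RE = re.compile(r"A \(Host\) Record\s*[. ]*:\s*(\d+\.\d+\.\d+\.\d+)")

def parse_displaydns(text):
    """Return (record name, IPv4 address) pairs for every cached A record."""
    records, name = [], None
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            name = m.group(1)      # remember which record block we are in
            continue
        m = A_RE.search(line)
        if m and name:
            records.append((name, m.group(1)))
    return records

def unlisted_addresses(records, allow_list):
    """Return cached addresses that no allow-list host or subnet covers."""
    nets = [ipaddress.ip_network(e, strict=False) for e in allow_list]
    return sorted({ip for _, ip in records
                   if not any(ipaddress.ip_address(ip) in n for n in nets)})
```

Any address this reports is one the browser may be using that the IPsec filter never saw when it resolved the name; feed the real `ipconfig /displaydns` output in place of the sample.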
"Greg O" <gregorme@xxxxxxxxx> wrote in message
news:1153188726.753104.275010@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi Steve,
The IP addresses IPSEC sets up are correct. I can check that by
using those addresses directly in the address bar of the browser, e.g.
instead of www.nytimes.com I put the IP address IPSEC added to the
allow filter and the page opens. So the IP addresses IPSEC finds (it
does a DNS search for them) are sufficient to open the web pages. Also
it is necessary to allow DNS servers in IPSEC so you can put
"www.nytimes.com" in the address bar and the DNS server will return the
IP address for it. This part works, the DNS server of my ISP returns an
IP address in the IPSEC allow list, but still it doesn't allow the
packets through for the IP address itself.
The feature in IPSEC is very useful if it works because people can
give a list of web sites they want to visit, and no other web sites are
allowed. So this list of web sites might be added to group policy and
this is quite secure if those sites are safe. The allow function works
well for internal use. For example I can use a filter to block all TCP
and UDP traffic, and then allow all TCP traffic from a first subnet to
a second subnet (both internal). This works, and the traffic in the
internal subnets is allowed, and outside those subnets is completely
blocked. But if I do the same thing, allow all traffic from a first
internal subnet to an external IP address (even allowing all ports from
that address) IPSEC doesn't allow it. I'm only using RRAS for a
firewall and if I turn off the IPSEC blocking of all TCP the internet
all works.
Steven L Umbach wrote:
No it is not a bug in ipsec. Many websites, especially the larger volume
websites, use multiple website links/IP addresses. What you want to do may
work if you are trying to allow a simple website that uses a single or a
couple of IP addresses. You can see what I mean if you use something like
Ethereal while connecting to a website. Also, when you enter a DNS
name it will resolve to the IP addresses it currently finds to create the
filter. However I have seen many large websites that seem to use dozens of
IP addresses for their main website that seem to change frequently each time
you access them. You can sometimes see this when you use nslookup to resolve a
domain name and try it a couple of times. A better solution would be to use
something like ISA 2004 to restrict access though that is not a trivial
investment in software/licenses and configuration time. Otherwise try using
a packet sniffer like Ethereal to see if you can track down all necessary
IPs needed to allow the website to work though again that will not work if
the website starts resolving to different IPs not included in the filter
list. TDImon, free from SysInternals, can also give you an idea of IPs and
ports/protocols the operating system accesses when connecting to a website
and it does not need to be installed as an application.
Steve
"Greg O" <gregorme@xxxxxxxxx> wrote in message
news:1153148032.486898.123020@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
I use IPSEC to control internet access on a domain. I block port 80 for
browsers and ports 8080 and 3128 for most internet proxies. I also
block all UDP since most internet games will run on UDP even with all
TCP blocked. I want to allow individual web sites into the domain
though. In IPSEC there is a setting for a particular domain, if you try
it with say nytimes.com it looks up DNS and makes filters with each of
the IP addresses listed there. IPSEC I think is supposed to work so
that more specific filters (like allowing a web site) override more
general filters (like blocking port 80). So allowing the IP addresses of
nytimes.com should make it work, but it is still filtered by IPSEC. I
know that's the problem because if I lift the port 80 block the
nytimes.com site starts working. Is this a bug in IPSEC? Also is there
another way to do this without IPSEC, I see that network adaptor
filters and RRAS filters don't seem to have the settings for this.