Configure IPsec for Windows 2008

Document created by RSA Information Design and Development Employee on Jul 9, 2019. Last modified by RSA Information Design and Development Employee on Jan 31, 2020.

Overview

This topic describes how to configure IPsec for Windows 2008.

Procedure

Task 1. Create an IPsec Negotiation Policy

  1. On a designated computer (for example, computer A), click Start > All Programs > Administrative Tools > Local Security Policy.
  2. Right‐click IP Security Policies on Local Computer, and click Create IP Security Policy.
  3. In the IP Security Policy wizard:
    1. Click Next in the Welcome screen.
    2. Enter the name (for example, Secure3389) in the Name field, enter the description (for example, Policy to encrypt SMB) in the Description field, and click Next.
    3. Make sure that Activate the default response rule is not selected, and then click Next.
    4. Select Edit properties in the Completing the IP Security Policy wizard dialog box and click Finish.
    5. Click Add in the Secure3389 Properties dialog box.
  4. In the Create IP Security Rule wizard:
    1. Click Next in the Welcome screen.
    2. Select This rule does not specify a tunnel in the Tunnel EndPoint dialog box and click Next.
    3. Select All network connections and click Next in the Network Type dialog box.
    4. Click Add in the IP Filter List dialog box.
    5. Enter a name (for example, Secure3389TCP) and click Add in the IP Filter List dialog box.
  5. In the IP Filter wizard:
    1. Click Next in the Welcome screen.
    2. Type 3389 IPsec Filter in the Description text box, select the Mirrored. Match packets with exact source and destination addresses check box, and click Next.
    3. Select A Specific IP Address or Subnet, type the IP address or subnet of the enVision-IPDB-appliance in the IP Address or Subnet field, and click Next in the IP Traffic Source dialog box.
    4. Select A Specific IP Address or Subnet, type the IP address or subnet of the broker-appliance in the IP Address or Subnet field, and click Next in the IP Traffic Destination dialog box.
    5. Select ANY in the drop-down list, and click Next in the IP Protocol Type dialog box. The IP Filter Wizard displays an Edit Properties check box that is not selected. Leave this check box unselected.
    6. Click Finish and click OK in the Completing the IP Filter Wizard screen.
  6. Select Secure3389TCP, and click Next in the IP Filter list.
  7. Click Add in the Filter Action dialog box.
  8. Click Next in the Filter Action Wizard.
  9. Enter a name (for example, Secure3389Filter) and click Next in the Filter Action Name dialog box.
  10. Select Negotiate Security and click Next in the Filter Action General Options dialog box.
  11. Select Do not allow unsecured communication, and click Next in the Communicating with computers that do not support IPsec dialog box.
  12. Select Integrity and encryption, and click Next in the IP Traffic Security dialog box.
  13. Make sure that Edit Properties is selected, and click Finish in the Completing the IP Security Filter Action Wizard screen.
  14. Select Accept unsecured communication, but always respond using IPsec, select Use Session Key Perfect Forward Secrecy and click OK in the Filter Action General Options dialog box.
  15. Select Secure3389Filter, and then click Next in the Filter Action dialog box.
  16. Select Use this string to protect the key exchange (preshared key), type presharedkey and click Next in the Authentication Method dialog box.
  17. Click Finish in the Completing the Security Rule Wizard.
  18. Click OK in the Secure3389 Properties dialog box.

Task 2. Assign the Policy

  1. Go to Start > All Programs > Administrative Tools > Group Policy Management, right-click the Default Domain Policy, and click Edit.
  2. In the left pane, go to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security – LDAP > Connection Security Rules.
  3. Right-click Connection Security Rules and click New Rule. The New Connection Security Rule Wizard is displayed.
  4. In the New Connection Security Rule Wizard:
    1. Select the Tunnel option and click Next in the Rule Type screen.
    2. Select Custom Configuration, select No. Send all network traffic that matches this connection security rule through the tunnel, and click Next in the Tunnel Type screen.
    3. Select Require authentication for inbound and outbound connections and click Next in the Requirements screen.
    4. Click Add and enter the broker-appliance-IP-address in the This IP Address or Subnet field on the Tunnel Endpoints screen.
    5. Click Edit under What is the local tunnel endpoint.

      The Customize IPsec Tunneling Settings dialog is displayed.

    6. Select Specific address, enter the gateway-IP-address, and click OK.
    7. Select the Apply IPsec Tunnel Authorization check box.
    8. Under What is the remote tunnel endpoint (Endpoint2), click Edit, enter the enVision-IPDB-appliance-IP-address, click OK, and click Next.
    9. Select the Advanced option and click Customize in the Authentication Method dialog.
    10. Click Add under First Authentication in the Customize Advanced Authentication Methods screen.
    11. Select Preshared Key, enter the preshared-key, and click OK in the Add First Authentication Method dialog.
    12. Click OK and click Next.
    13. Select all three options (Domain, Private, and Public) in the Profile dialog and click Next.
    14. Enter a name for the rule in the Name field of the New Connection Security Rule Wizard and click Finish.

Task 3. Configure Quick Mode Settings

  1. Open the Group Policy Management Editor in the left pane of the console and click Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security.
  2. Right-click Windows Firewall with Advanced Security - LDAP and select Properties.
  3. Select the IPsec Settings tab and click Customize under IPSec defaults.
  4. In the Data protection (Quick Mode) section of the Customize IPsec Settings dialog, select Advanced and click Customize.

    The Customize Data Protection Settings dialog is displayed.

  5. Make sure that the Require encryption for all connection security rules check box is not selected. Under Data integrity, if the algorithms displayed in the list are not what you want, then do the following:
    1. To remove the data integrity algorithms that you do not want, select the algorithm in the left column and click Remove.
    2. To add the data integrity algorithms that you need, click Add, select the appropriate protocol (ESP or AH) and algorithm (SHA1 or MD5), select the key lifetime in minutes or sessions, and click OK.

      RSA recommends that you do not include MD5 in any combination. It is included for backward compatibility only. RSA also recommends that you use ESP instead of AH if you have any devices on your network that use network address translation (NAT).

    3. Leave the default value of the maximum number of times that you can reenter the quick mode session in Key lifetime (in sessions).

      After this number is reached, you must renegotiate the quick mode security association (SA). Make sure that you balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent renegotiation of the quick mode SA. RSA recommends that you use the default value unless your risk analysis indicates the need for a different value.

    4. Click OK to save your algorithm combination settings.
    5. When the list contains only the combinations you want, use the up and down arrows to the right of the list to rearrange them in the correct order for your design. The algorithm combination that is first in the list is tried first, and so on.
  6. Under Data Integrity and Encryption, select the algorithms that you want to use to help protect the data sessions between the two computers. If the algorithm combinations displayed in the list are not what you want, then do the following:
    1. To remove any of the data integrity and encryption algorithms that you do not want, select the algorithm combination from the second column and click Remove.
    2. To add required integrity and encryption algorithm combinations, click Add.
    3. Select the appropriate protocol (ESP or AH).

      RSA recommends that you use ESP instead of AH if you have any event sources on your network that use NAT.

    4. Select the appropriate encryption algorithm.

      The choices include, in order of decreasing security: AES-256, AES-192, AES-128, 3DES, and DES. RSA recommends that you do not include DES in any combination. It is included for backward compatibility only.

    5. Select the appropriate integrity algorithm (SHA1 or MD5). RSA recommends that you do not include MD5 in any combination. It is included for backward compatibility only.
    6. Leave the default value for the number of minutes in Key lifetime (in minutes).

      When the specified number of minutes has elapsed, any IPsec operations between the two computers that negotiated this key will require a new key. Make sure that you balance performance with security requirements. Although a shorter key lifetime results in better security, it also reduces performance because of the more frequent re-keying. RSA recommends that you use the default value unless your risk analysis indicates the need for a different value.

  7. Click OK and click OK again to save your settings.
  8. Select Advanced and click Customize under Authentication method.
  9. Click Add under First authentication methods in the Customize Advanced Authentication Method screen.
  10. Select Preshared key, enter the preshared-key and click OK in the Add First Authentication Method screen.
  11. Click OK, click OK, and click OK to save your settings.
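As an added example, not taken from the RSA page, the following PowerShell script expresses the Task 2 tunnel rule and the Task 3 algorithm choices as one netsh advfirewall connection security rule on the local policy of a Windows 2008 computer (the page makes the same settings in the Default Domain Policy). The addresses, rule name and pre-shared key are placeholders; the quick mode methods are attached to the rule instead of the global IPsec defaults, and the Endpoint 2 computer set is assumed to be the IPDB appliance itself.

```powershell
# Placeholders: replace with the addresses and secret from your deployment.
$brokerAddr  = "192.0.2.20"    # broker-appliance (Endpoint 1 computer)
$gatewayAddr = "192.0.2.1"     # gateway-IP-address (local tunnel endpoint)
$ipdbAddr    = "192.0.2.10"    # enVision-IPDB-appliance (remote tunnel endpoint)
$psk         = "presharedkey"  # Task 2 step 11; use a long random secret in practice

# Quick mode combinations in the order they are tried (Task 3 step 6):
# ESP rather than AH (NAT-safe), SHA1 integrity, AES before 3DES,
# no DES and no MD5, default lifetime of 60 minutes / 100,000 KB.
$qmMethods = "esp:sha1-aes256+60min+100000kb," +
             "esp:sha1-aes128+60min+100000kb," +
             "esp:sha1-3des+60min+100000kb"

# Task 2: tunnel-mode rule that requires authentication in both directions
# and uses a pre-shared key as the first authentication method.
# Tunnel authorization (Task 2 step 7) is not set here; keep that GUI step if you need it.
netsh advfirewall consec add rule name="NetWitness IPsec tunnel" `
    mode=tunnel `
    endpoint1=$brokerAddr endpoint2=$ipdbAddr `
    localtunnelendpoint=$gatewayAddr remotetunnelendpoint=$ipdbAddr `
    action=requireinrequireout `
    auth1=computerpsk auth1psk=$psk `
    qmsecmethods=$qmMethods `
    profile=any

# Check what was stored, then watch for quick mode SAs once traffic flows.
netsh advfirewall consec show rule name="NetWitness IPsec tunnel"
netsh advfirewall monitor show qmsa
```

If the rule is later delivered through the GPO as the page describes, the GPO version takes precedence over this local rule after gpupdate.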

Task 4. Refresh Group Policy on Local Computer

  1. Click Start > Run, type cmd, and press ENTER.

    The Command Prompt screen is displayed.

  2. Type gpupdate, and press ENTER.

    After this command executes successfully, the following messages display:

    User Policy update has completed successfully.

    Computer Policy update has completed successfully.

Task 5. Activate Group Policy on Local Computer

  1. Click Start > All Programs > Administrative Tools > Local Security Policy.
  2. Go to the IP Security Policies on Local Computer node, right-click Secure3389 in the right pane, and select Assign.
  3. Restart IPsec on both the broker-appliance and the enVision-IPDB-appliance.
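As an added example, not taken from the RSA page, this PowerShell script builds and assigns the Task 1 policy with the legacy netsh ipsec static context that Windows Server 2008 still ships, mapping each wizard choice to its switch, and finishes with the Task 5 assignment and a check. The addresses and the pre-shared key are placeholders, and ESP with 3DES/SHA1 is assumed as the "Integrity and encryption" method of Task 1 step 12.

```powershell
# Placeholders: replace with the addresses and secret from your deployment.
$ipdbAddr   = "192.0.2.10"    # enVision-IPDB-appliance (traffic source)
$brokerAddr = "192.0.2.20"    # broker-appliance (traffic destination)
$psk        = "presharedkey"  # Task 1 step 16; use a long random secret in practice

# Task 1 step 3: the policy, with the default response rule left inactive.
netsh ipsec static add policy name="Secure3389" description="Policy to encrypt SMB" activatedefaultrule=no

# Task 1 steps 4-6: filter list with one mirrored, any-protocol filter
# between the IPDB appliance and the broker appliance.
netsh ipsec static add filterlist name="Secure3389TCP"
netsh ipsec static add filter filterlist="Secure3389TCP" srcaddr=$ipdbAddr dstaddr=$brokerAddr protocol=ANY mirrored=yes description="3389 IPsec Filter"

# Task 1 steps 7-14: negotiate security; soft=no is "Do not allow unsecured
# communication"; inpass=yes is "Accept unsecured communication, but always
# respond using IPsec"; qmpfs=yes is "Use session key perfect forward secrecy".
netsh ipsec static add filteraction name="Secure3389Filter" action=negotiate soft=no inpass=yes qmpfs=yes qmsecmethods="ESP[3DES,SHA1]"

# Task 1 steps 15-18: the rule that ties list, action and pre-shared key
# into the policy (no tunnel, all network connections).
netsh ipsec static add rule name="Secure3389Rule" policy="Secure3389" filterlist="Secure3389TCP" filteraction="Secure3389Filter" psk=$psk

# Task 5: assign the policy, then confirm it and look for quick mode SAs
# once traffic between the two appliances starts.
netsh ipsec static set policy name="Secure3389" assign=yes
netsh ipsec static show policy name="Secure3389" level=verbose
netsh ipsec dynamic show qmsas
```

An assigned policy whose filter action has soft=no will silently drop traffic to a peer that fails to negotiate, so an empty qmsas list together with lost connectivity points at a key or address mismatch rather than at the network.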