ydns' blog
information security, the outdoors and me RSS 2.0
# Monday, January 02, 2006
IPSec is hot

Whats hot...IPSec is hot.  I've been playing around over the past few days on scripts that setup IPSec rules to protect a Windows 2000 or XP system.  Now IPSec has two modes - AH and ESP.  AH provides authentication of packets while ESP provides encryption of packets.  You can use both at once but its a little different then the perfect security option you would think.

IPSec has performance concerns.  It causes an increase in bandwidth and CPU usage.  Not so big on a home network, but in a corporate environment it can be noticeable.

  I've extended this IPSec learning to enable IPSec security (AH+ESP) on my home network for all traffic.  I haven't noticed any performance issues.  I tend to do very little between my computers.

How to use IPSec on Windows XP SP2

  1. Download the Windows XP SP Support Tools. (must be the SP2 version)
  2. Install the Support Tools.  I choose the "complete" install option, but it may not matter.
  3. Review how the ipseccmd.exe command works.  Note - I think the help offered by "/?" is inaccurate as the 1f option works, yet doesn't display at the command line.
  4. Either build your own script or choose one of mine.  Only one can work at a time.
    1. Notes: 
      • You must run the same script on all XP computers you want to use that IPSec between.
      • All my scripts allow ICMP unhindered to facilitate troubleshooting.
      • Make sure you edit my script to customize the shared secret used from "PresharedKeyString" to something else.
      • Dynamic scripts will only work until the next reboot or IPSec service restart.  This allows you to make temporary changes to IPSec. Safer for testing out IPSec
      • Static scripts will stay running at all times.  The only way to disable it is to open the IPSec console (via MMC) and disable the policy.  True secure modes of IPSec.
    2. Optional IPSec scripts (don't force IPSec usage, just try to use it)
      1. Dynamic or static encryption. Related IPSec policy file for static.
      2. Dynamic or static authenticationRelated IPSec policy file for static.
    3. Required IPSec scripts (force IPSec usage, drop non-IPSec connections)
      1. Dynamic or static encryptionRelated IPSec policy file for static.
      2. Dynamic or static authenticationRelated IPSec policy file for static.
Monday, January 02, 2006 1:07:28 PM (Eastern Standard Time, UTC-05:00)  #    Comments [0] -
tech
Tracked by:
"More on IPSec (Group Policy and more)" (ydns' blog) [Trackback]
Navigation
Home
My Resume
Bink
CERT
Microsoft Technet
SANS
Security Focus
dasBlog
SourceForge
Categories
 
 
 
 
 
 
Archive
<January 2006>
SunMonTueWedThuFriSat
25262728293031
1234567
891011121314
15161718192021
22232425262728
2930311234
Blogroll
About the author/Disclaimer

Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2009
ydns
Sign In
Statistics
Total Posts: 68
This Year: 1
This Month: 0
This Week: 0
Comments: 3
Themes
Pick a theme:
All Content © 2009, ydns
DasBlog theme 'Business' created by Christoph De Baene (delarou)