Dec 22, 2005
Configuring IPsec on your XP Professional laptop
IPsec is a tool you can use to secure your network communications. I use IPsec to ensure my wireless connections are secured. IPsec offers security and peace of mind over and above the traditional WEP and MAC-address filtering. NOTE: although this article was written with wireless communication in mind, it applies equally well to traditional wired communication. I have already written about configuring my FreeBSD IPsec gateway and workstations. In this article I will show how I configured my Windows XP box to use the same gateway. The main resource I used for this exercise was the FreeBSD Wi-Fi IPsec easy-setup guide (since removed from the Internet).

You might ask why I’m writing about Windows XP on a website about FreeBSD? My terse answer is: because I can. My realistic answer is: because it will help people. It’s something I did, with my FreeBSD gateway. I use XP on a regular basis. Use the right tool for the job. Sometimes that’s XP. Sometimes it’s FreeBSD.

A recap of the configuration
I will give a brief overview of the gateway configuration. I have a FreeBSD machine that functions as a dedicated wireless gateway. The primary purpose of this box is to keep out all the stuff that is not allowed and to ensure that only my machines are used on this WAP. Keep in mind what the tunnel covers: traffic is encrypted only between the laptop and the gateway; once the gateway forwards it onward it is in the clear again, as with any VPN that terminates on a gateway. The first policy below requires anything arriving from the wireless subnet to come inside an ESP tunnel from the laptop (10.0.0.10) to the gateway (10.0.0.1); the second requires the reverse for traffic heading back out. Both name a single laptop address as the tunnel endpoint, so a second wireless client needs its own pair of entries. This is the content of the gateway’s /etc/ipsec.conf:
spdadd 10.0.0.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/10.0.0.10-10.0.0.1/require;
spdadd 0.0.0.0/0 10.0.0.0/24 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.10/require;
I am using racoon as my key server (the IKE daemon that negotiates the keys for the tunnel). It does the job, but I’m hoping for other alternatives. Sometimes I have to restart racoon on the gateway in order to get a session established. Here is the relevant portion of /usr/local/etc/racoon/racoon.conf. This works for my laptop whether it’s running XP, FreeBSD 4.10, or FreeBSD 5.3.

Two things in this fragment are worth tightening before you copy it. exchange_mode lists aggressive, and aggressive mode with a preshared key lets anyone sniffing the wireless network capture the material for an offline guess at the key; Windows XP’s IKE only ever uses main mode, so listing aggressive gains nothing for this setup and only widens what a rogue initiator may ask for. The sainfo section also accepts des and even null_enc, which would let a peer bring up an ESP tunnel with a 56-bit cipher or with no encryption at all. XP’s IPsec supports only DES or 3DES with MD5 or SHA1, so 3des with hmac_sha1 is both the strongest combination it can negotiate and the only pair the gateway needs to accept from it.
remote anonymous {
    exchange_mode aggressive,main,base;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    lifetime time 12 hour;
    encryption_algorithm des, 3des, des_iv64, des_iv32, null_enc, rijndael, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
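To make those weak spots concrete, here is a small checker written for this article; it is not code from the page, from racoon, or from the setup guide the article cites. It parses the racoon.conf fragment above, flags the settings a reviewer would send back (aggressive mode with a preshared key, single DES, null_enc, MD5), and carries an assumed hardened fragment alongside it that stays within what a Windows XP client can negotiate. The section naming scheme, the hardened values and the finding texts are my choices; the only page-derived inputs are the article’s own racoon.conf and the gateway’s use of a preshared key.

```python
"""Lint a racoon.conf fragment for settings that weaken an IKEv1/preshared-key
gateway like the one above. Added example: not code from the page, from racoon,
or from the guide the article cites. ARTICLE_CONF is the article's fragment;
HARDENED_CONF is an assumed replacement limited to what a Windows XP IPsec
client can negotiate (3DES, SHA1, DH group 2, main mode, preshared key)."""
import re

ARTICLE_CONF = """
remote anonymous {
    exchange_mode aggressive,main,base;
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    lifetime time 12 hour;
    encryption_algorithm des, 3des, des_iv64, des_iv32, null_enc, rijndael, blowfish;
    authentication_algorithm hmac_sha1, hmac_md5;
    compression_algorithm deflate;
}
"""

HARDENED_CONF = """
remote anonymous {
    exchange_mode main;            # never aggressive with a preshared key
    lifetime time 24 hour;
    proposal {
        encryption_algorithm 3des;  # the strongest cipher XP's IPsec offers
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    lifetime time 12 hour;
    encryption_algorithm 3des;      # one cipher, so nothing weaker can be picked
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
"""

WEAK_CIPHERS = {"des", "des_iv64", "des_iv32"}   # 56-bit keys
WEAK_HASHES = {"md5", "hmac_md5"}


def parse_racoon(text):
    """Return {section_path: {directive: [values]}}, e.g. the proposal block
    inside 'remote' is keyed 'remote/proposal'. '#' comments are stripped and
    comma lists such as 'des, 3des' become ['des', '3des']."""
    text = re.sub(r"#.*", "", text)
    sections, path = {}, []
    for stmt in re.finditer(r"([^{};]*)([{};])", text):
        body, delim = stmt.group(1).strip(), stmt.group(2)
        if delim == "{":
            path.append(body.split()[0])      # 'remote anonymous' -> 'remote'
        elif delim == "}":
            path.pop()
        elif body:
            parts = body.split(None, 1)
            values = parts[1] if len(parts) > 1 else ""
            sections.setdefault("/".join(path), {})[parts[0]] = [
                v.strip() for v in values.split(",") if v.strip()]
    return sections


def lint(conf):
    """Return human-readable findings; an empty list means nothing to fix."""
    s = parse_racoon(conf)
    remote, phase1, sainfo = (s.get(k, {}) for k in ("remote", "remote/proposal", "sainfo"))
    findings = []
    # Phase 1: in aggressive mode the responder's PSK-derived hash goes out
    # unencrypted, so a passive sniffer can guess the key offline.
    if ("aggressive" in remote.get("exchange_mode", [])
            and "pre_shared_key" in phase1.get("authentication_method", [])):
        findings.append("phase1: aggressive mode with pre_shared_key exposes the key "
                        "to offline guessing; use exchange_mode main only")
    # Phase 2: racoon accepts any algorithm listed, so the weakest entry is
    # what a hostile or misconfigured peer gets to choose.
    for alg in sainfo.get("encryption_algorithm", []):
        if alg == "null_enc":
            findings.append("phase2: null_enc accepted; ESP could be negotiated "
                            "with no confidentiality at all")
        elif alg in WEAK_CIPHERS:
            findings.append(f"phase2: {alg} accepted; single DES is brute-forceable")
    for alg in phase1.get("hash_algorithm", []) + sainfo.get("authentication_algorithm", []):
        if alg in WEAK_HASHES:
            findings.append(f"{alg} accepted; sha1 is the strongest an XP client offers")
    return findings


if __name__ == "__main__":
    for name, conf in (("article", ARTICLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {len(lint(conf))} finding(s)")
        for finding in lint(conf):
            print("  -", finding)
```

Run it with python3 and it lists six findings for the article’s fragment and none for the hardened one. If you put the hardened fragment on the gateway and restart racoon, an XP client left at the Security Rule Wizard defaults still negotiates, because its first choice in both phases is 3DES with SHA1 in main mode, which is exactly what the tightened proposal allows.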
By the way, to install racoon from the ports tree, I did this:
cd /usr/ports/security/racoon
make install clean
Under more recent versions of FreeBSD, you must also add this to /etc/rc.conf:
racoon_enable="YES"
This command can be used to start racoon manually:
/usr/local/etc/rc.d/racoon.sh start
Configuring the XP client
The Windows XP client should be similar to that found in Windows 2000, and hopefully Windows 2003. IPsec configuration is performed through the Microsoft Management Console (mmc). To start mmc, perform the following steps:
- click on Start
- click on Run
- type mmc
- press ENTER

Adding the Security Policy Management Snap-in
Click on File | Add/Remove Snap-in..., then click Add..., scroll down to IP Security Policy Management, click on it and click Add. While you are in the same list, also select the IP Security Monitor snap-in and click Add; it lets you watch the security associations come up once the policy is assigned. Then click on Close. You should now be back at the mmc, but with two new entries under Console Root. Click on IP Security Policies on Local Computer to see the policies that exist on this machine.
Creating the IP Security Policy
We are now going to create the IP Security Policy we will use on this laptop. Start this process by right clicking on IP Security Policies on Local Computer and then selecting Create IP Security Policy. This will invoke the IP Security Policy Wizard. Give the policy a name; mine is My WIFI Security Policy, and that is the name used in the rest of this article. The wizard then asks whether to Activate the default response rule (that rule only governs how this machine answers peers that request security when no other rule matches). On the last page it offers an Edit Properties checkbox; we will come back to edit the policy later, so just click Finish.
Create the Outbound filter
Start by right clicking on IP Security Policies on Local Computer and selecting Manage IP filter lists and filter actions.... On the Manage IP Filter Lists tab, click Add and the IP Filter List window opens. Name your filter list (I called mine OutboundIPsec), then click Add to start the IP Filter Wizard and answer it as follows:
- Source address: My IP address
- Destination address: Any IP address
- Protocol type: Any
On the wizard’s last page, check Edit Properties before clicking Finish. In the Filter properties window, be sure to uncheck Mirrored. This is important: a mirrored filter would silently match the reverse (inbound) direction as well, but a tunnel rule can have only one tunnel endpoint, so each direction needs its own non-mirrored filter list with its own rule. Click OK to get back to the IP Filter List window. Your filter should be listed in the Filters section. Click OK.
Create the Inbound filter
You have just created the outbound filter. Now repeat the same steps again, but for inbound traffic. The differences are:
- Use Any IP address for the Source Address
- Use My IP address for the Destination Address
Remember to check Edit Properties and to uncheck Mirrored. After completion, you should have two IP Filter Lists (I called the second one InboundIPsec). Each list should contain one filter. You should not have one Filter List with two filters. Verify that the two filters are not mirrored. Click on Close and you should be back at the MMC console.
Using the filters
So far we have:
- created a security policy
- added an outbound filter list
- added an inbound filter list
Creating the Outbound Security Rule
Now we will start using the filter lists. Double click on My WIFI Security Policy to open its properties, then click Add on the Rules tab to start the Security Rule Wizard. Answer its pages as follows:
- Tunnel Endpoint: choose The tunnel endpoint is specified by this IP address and supply the IP address of your gateway (for me, that’s 10.0.0.1).
- Network Type: Local Area Network (LAN). I’m sure All network connections would work as well.
- Authentication Method: the racoon.conf above accepts only pre_shared_key, so choose Use this string to protect the key exchange (preshared key) and enter the same key the gateway has for this laptop. Windows keeps that string readable in the local policy store, which is tolerable on a single-user laptop but is why preshared keys are not recommended beyond small setups.
- IP Filter List: OutboundIPsec.
- Filter Action: Require Security. We do not want any traffic to pass unless it is IPsec (note: DHCP etc. will still get through without IPsec). Before relying on it, open that filter action and confirm that Allow unsecured communication with non IPSec-aware computer is unchecked; with it checked, the rule falls back to cleartext whenever the peer does not answer IKE.
Make sure Edit Properties is off, and click Finish.
Creating the Inbound Security Rule
You should now repeat the same steps again, but for the inbound traffic. The differences are:
- The tunnel endpoint should be the IP address of this PC (for me, 10.0.0.10).
- Apply this rule to the InboundIPsec filter list.
All done, save the results
Back in the MMC console you will see your new policy listed, and the Policy Assigned column contains No. That means your policy is not in effect. We will change that soon. Save your data using File | Save. I named my file wifi-console.
Invoking the rules
So far, we have established a policy, created two filter lists, and added one rule to the policy for each filter list. Now we will invoke that policy to ensure that only IPsec traffic flows between the laptop and the wireless gateway: right click on My WIFI Security Policy and select Assign. The Policy Assigned column changes to Yes (only one policy can be assigned at a time). From this point the laptop will not exchange anything but IKE with the gateway until a security association is up, so expect a short pause, or, as noted above, a racoon restart on the gateway, the first time.
Unwanted DNS updates
If you start seeing this message in your logs on your DNS server, then I know the fix:
named[111]: denied update from [192.168.0.20].40061 for "example.org" IN
In this case, 192.168.0.20 is the internal IP address of my wireless gateway. That gateway also has the 10.0.0.1 IP address used above as the end point of the tunnel. example.org is the domain name (not really, I changed it for this article) given to the laptop.
To prevent these DNS updates, turn off connection registration. To do this perform the following
steps:
- Click on Start
- Click on Control Panel
- Click on Network and Internet Connections
- Click on Network Connections
- Right click on your [wireless] connection and select Properties
- Under “This Connection uses the following items” select “Internet Protocol (TCP/IP)”
- Click on Properties
- Click on Advanced
- Select the DNS tab
You should now be looking at the DNS settings for the connection. Uncheck Register this connection's addresses in DNS and you should stop seeing those messages.
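Assigning the policy (the Invoking the rules step above) is what actually changes what leaves the laptop, so it is worth confirming from the gateway rather than trusting the Policy Assigned column. The checker below is an added example for this article, not the page’s code. It takes tcpdump -n output captured on the gateway’s wireless interface, assumes the article’s addresses (laptop 10.0.0.10, gateway 10.0.0.1), and reports any packet involving the laptop that is neither ESP, IKE (which has to travel outside the tunnel) nor the DHCP broadcasts the article notes still get through. The capture lines are constructed for the example, not taken from a real run, and the port set for exempt traffic is my assumption.

```python
"""Report cleartext traffic to or from the laptop in a tcpdump capture taken on
the gateway. Added example, not code from the page. Assumes the article's
addresses (laptop 10.0.0.10, gateway 10.0.0.1) and tcpdump's '-n' text format;
SAMPLE_CAPTURE is constructed for illustration, not a real capture."""
import re
import sys

LAPTOP = "10.0.0.10"

# Traffic that legitimately travels outside the tunnel: IKE (UDP 500, or 4500
# if NAT traversal is in play) and the DHCP broadcasts the article mentions.
EXEMPT_PORTS = {"67", "68", "500", "4500"}

SAMPLE_CAPTURE = """\
12:00:01.000000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
12:00:01.500000 IP 10.0.0.10.500 > 10.0.0.1.500: isakmp: phase 1 I ident
12:00:02.000000 IP 10.0.0.10 > 10.0.0.1: ESP(spi=0x0a1b2c3d,seq=0x1), length 116
12:00:02.100000 IP 10.0.0.1 > 10.0.0.10: ESP(spi=0x0d4e5f60,seq=0x1), length 100
12:00:03.000000 IP 10.0.0.10.1031 > 192.168.0.20.53: 1234+ A? example.org. (29)
12:00:03.200000 IP 10.0.0.10.1032 > 10.0.0.1.22: Flags [S], seq 7, win 65535, length 0
"""

PKT_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\w+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\w+))?: (?P<rest>.*)$"
)


def classify(line):
    """Return (src, dst, verdict) with verdict in {'ipsec', 'exempt',
    'cleartext'}, or None for lines that are not IPv4 packets."""
    m = PKT_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    ports = {m.group("sport"), m.group("dport")}
    if rest.startswith("ESP("):
        verdict = "ipsec"          # payload is inside the tunnel
    elif rest.startswith("isakmp") or ports & EXEMPT_PORTS:
        verdict = "exempt"         # key exchange or DHCP, expected in the clear
    else:
        verdict = "cleartext"      # should have been ESP: policy not in effect
    return m.group("src"), m.group("dst"), verdict


def cleartext_leaks(capture, host=LAPTOP):
    """Lines for packets involving `host` that should have been inside ESP.
    With the policy assigned, the DNS query and SSH SYN in SAMPLE_CAPTURE
    would appear only as ESP to 10.0.0.1; seeing them in clear is the tell."""
    leaks = []
    for line in capture.splitlines():
        parsed = classify(line)
        if parsed and host in parsed[:2] and parsed[2] == "cleartext":
            leaks.append(line)
    return leaks


if __name__ == "__main__":
    # Usage: run `tcpdump -n -i <wireless interface> > cap.txt` on the gateway,
    # then `python3 this_script.py cap.txt`; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    for line in cleartext_leaks(text):
        print("CLEARTEXT:", line)
```

On the sample the script flags the DNS query and the SSH SYN from the laptop, which is what you see on the wire when the policy is still unassigned or the filter action has been allowed to fall back to clear; once Assign has taken effect, those two should show up only as ESP between 10.0.0.10 and 10.0.0.1.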