How to create a new IPSec Policy


In today’s article we will continue discussing about IPSec features. In this lesson we will create a new IPSec Policy using the Group Policy Management console. Note that GPMC feature must be installed previously on Windows Server 2008 editions. After opening the console, create a new GPO, right click it and select Edit:
Group Policy Management Console
Navigate to Computer Configuration/Windows Settings/Security Settings/IP Security Policies on Active Directory, right click and select Create IP Security Policy:
Create IP Security Policy
Enter the IP Security Policy name and description:
IPSec policy
When creating an empty IPSec policy, the wizard gives you the option to activate the default response rule (earlier versions of Windows only):
IPSec policy
In the Default Response Rule Authentication Method panel select the first option and click Next. The authentication method used by our policy will be Kerberos V5. We have talked about authentication methods in the previous IPSec article:
 Default Response Rule Authentication Method
Once the rule has been created, it will appear in the IP Security Policies on Active Directory section. We can now edit its properties and configure it as desired:
IP Security Policies on Active Directory
Double click on the newly created policy to view it’s rules. Because we have chosen to activate the default response rule, the default IP security rule will be created automatically:
IPSec policy
We can add additional IP security rules by clicking the Add button. Read the welcome screen and press next. The tunnel endpoint page is used when you are using IPSec in tunnel mode. For our example select this rule does not specify a tunnel and press next:
Tunnel Endpoint
In the Network Type section you specify where is the security rule applied. There are three options available: all network connections, local area network (LAN) and remote access:
Security Rule Wizard
For our Security Rule we will use Local area network (LAN). In the IP Filter list page you create the filter lists that will guide the policy behavior. There are some in-build filter lists as follows:
IP Filter list
Press Add to create a new filter list. Type in the filter’s list name and description. For this example, I’ve created a filter list named TCP port 80. We will block the port 80 for the local area network. A filter list can contain one or more filters:
IP filter list
Note that under the Remove button there is a box named use add wizard which is checked by default. Uncheck it and press Add (this method will skip the wizard). I’ve chosen the 80 port because this is a TCP port and the flow can be tested using telnet. We can configure the IPSec policy to filter packets by source and destination address, by server purpose (DNS, DHCP, WINS, etc.) and protocol ( both TCP and UDP). I’m using multiple VMs within my testing environment and for this example I want to block the HTTP access for a certain computer (with 10.10.10.12 IP address) to my web server (10.10.10.11):
IP Filter Properties
If we leave the Mirrored box checked, another IPSec filter will be created that will match packets with the exact opposite source and destination IP addresses. In the Protocol section, I’ve selected the 80 TCP port:
IPSec filter
The last section is used to provide a short description for the configured IP filter. Once the wizard is completed, our filter will appear in the filter list. In the Next section we’ll have to configure the filter actions. In this section we configure what action will the IPSec Policy take when a match for this rule is found. There are three in-build actions:
Permit – the policy will allow all packets to pass unsecured
Request Security (optional) – “Accepts unsecured communication, but requests clients to establish trust and security methods.  Will communicate insecurely to untrusted clients if they do not respond to request.”
Require Security “Accepts unsecured communication, but always requires clients to establish trust and security methods.  Will NOT communicate with untrusted clients.”
We can add additional actions using the actions wizard (check use Add Wizard) or directly by pressing Add (uncheck use Add Wizard):
Security Rule Wizard
I will set the filter action to block the packets matched by this rule:
IPSec filter action
In the general tab of the New Filter Action Properties enter an identification name for the filter action. I’ve then assigned the IPSec Policy to my new GPO and linked the GPO to my servers OU:
GPMC
I’ve then issued the gpupdate /force command from each computer to apply the GPO to all network devices. If I try to telnet on HTTP port from any computer except the 10.10.10.12 host, the telnet will work.
This is how you create a new IPSec policy, IPSec filter lists, filters and filter actions. You’ll have to remember each element and its functionality within the IPSec operation. By creating several IPSec policies you can create an IPSec hierarchy in which different filters are applied to each network packet. That’s it for this article, in the following post we will continue discovering IPSec and we will see how to configure a connection security rule.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s