Transcript IPSEC FAQ - SteelRabbit

IPSEC
FAQ
• http://www.microsoft.com/windowsserver2
003/techinfo/overview/ipsecfaq.mspx
What is IPsec?
• Internet Protocol security (IPsec) is a framework of open standards
for ensuring private, secure communications over Internet Protocol
(IP) networks, through the use of cryptographic security services.
The Internet Engineering Task Force (IETF) IPsec working group
defines the IPsec standards.
• IPsec is the long-term direction for secure networking. It provides
aggressive protection against private network and Internet attacks
through end-to-end security. The only computers that must know
about IPsec protection are the sender and receiver in the
communication. IPsec provides the ability to protect communication
between workgroups, local area network computers, domain clients
and servers, branch offices (which might be physically remote),
extranets, and roving clients.
• The Microsoft Windows 2000, Windows XP, and the Windows
Server 2003 family implementations of IPsec are IETF standardsbased.
Where can I find background
information on IPsec?
• For the IETF standards, see the IETF Internet
Protocol Security working group.
• For an overview of IPsec in Windows Server
2003, see the Internet Protocol Security for
Microsoft Windows Server 2003 white paper.
• For an overview of IPsec in Windows 2000, see
the Internet Protocol Security for Microsoft
Windows 2000 Server white paper.
Where is the Microsoft IPsec
documentation?
• IPsec documentation is included with Windows 2000
(click Start, then click Help), Windows XP (click Start,
then click Help and Support), and Windows Server
2003 (click Start, then click Help and Support). There
are also IPsec chapters of the Windows 2000 Server
Resource Kit, Windows Server 2003 Deployment Guide,
and the Windows Server 2003 Technical Reference.
• For a list of all the resources for IPsec in Windows
Server 2003, see the Windows Server 2003 IPsec Web
site.
• For a list of all the resources for IPsec in Windows 2000,
see the Windows 2000 IPsec Web site.
What standards define IPsec?
•
•
•
•
•
•
•
•
The following IETF standards define IPsec:
RFC 2401: Security Architecture for the Internet Protocol
RFC 2402: IP Authentication Header
RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV
RFC 2406: IP Encapsulating Security Payload (ESP)
RFC 2407: The Internet IP Security Domain of Interpretation for
ISAKMP
• RFC 2408: Internet Security Association and Key Management
Protocol (ISAKMP)
• RFC 2409: The Internet Key Exchange (IKE)
What are the differences between
IPsec and firewalls?
• Firewalls are designed to monitor incoming and outgoing traffic to
determine whether the traffic is allowed. The Windows
implementation of IPsec can also perform this function. However,
IPsec can also ensure that the incoming and outgoing traffic is
secure (protected with cryptography). For example, with the correct
IPsec policy settings, you can require that all communications
between domain controllers be secured.
• Another key difference between IPsec for Windows and firewalls is
the following:
• The default behavior of firewalls is to discard incoming or outgoing
traffic unless there is an exception to allow it.•The default behavior
of IPsec for Windows is to allow incoming or outgoing traffic, unless
there is an exception to discard or secure it.
What usage scenarios are currently
recommended?
• The following usage scenarios are currently
recommended:
• Server and Domain Isolation Using IPsec and
Group Policy
• Using Microsoft IPsec for Windows to Help
Secure an Internal Corporate Network Server
• Active Directory in Networks Segmented by
Firewalls
• Improving Security with Domain Isolation
Why would I use IPsec instead of
Secure Sockets Layer (SSL)?
• Because IPsec works at the IP layer of the Transmission Control
Protocol/Internet Protocol (TCP/IP) protocol stack, you do not have
to modify existing applications to use IPsec. All TCP/IP applications
can use IPsec, whereas only SSL-enabled TCP/IP applications can
use SSL. IPsec is an excellent solution to securing the traffic of
legacy applications.
• Other points of contrast between IPsec and SSL are the following:
– SSL was designed for client application-to-server application
authentication and encryption. IPsec can be used end-to-end or for
gateway-to-gateway scenarios.
– SSL only supports the use of digital certificates for authentication. The
Windows implementation of IPsec supports the use of Kerberos,
preshared key, and digital certificates for authentication.
What are the differences between using
IPsec and the Windows Firewall for blocking
or permitting traffic?
• With IPsec for Windows policy settings, you can block or permit
incoming and outgoing traffic based on:
• The source and destination addresses based on IPv4 address
ranges expressed as subnets
• The IP protocol number
• The source and destination Transmission Control Protocol (TCP)
and User Datagram Protocol (UDP) portsIn contrast, with Windows
Firewall you can only specify exceptions (incoming traffic that is
permitted) based on source IPv4 address ranges expressed as
subnets and destination TCP and UDP ports.
• However, with Windows Firewall, you can do the following:
• Specify exceptions based on program names
• Permit or block Internet Protocol version 6 (IPv6) traffic and specify
both port and program-based exceptions
What is an IPsec policy?
• An IPsec Policy is a group of settings that specify IPsec behavior
with regard to the types of traffic that are permitted, blocked, or
secured. An IPsec policy consists of:
• General IPsec policy settings—Settings that apply regardless of
which rules are configured. These settings determine the name of
the policy, its description for administrative purposes, how often to
check for policy changes, key exchange settings, and key exchange
methods.
• IPsec policy rules—One or more IPsec rules that determine which
types of traffic IPsec must examine, how traffic is treated, how to
authenticate an IPsec peer, and other settings such as the type of
network connection to which the rule applies and whether or not to
use IPsec tunneling
• After IPsec policies are created, an individual IPsec policy can be
assigned (activated) at the domain, site, organizational unit, and
local level.
What is an IPsec policy rule?
•
•
•
•
•
•
•
Each IPsec rule contains the following configuration items:
Filter list—A single filter list is selected that contains one or more predefined packet filters that describe the types
of traffic to which the configured filter action for this rule is applied. The filter list is configured on the IP Filter List
tab in the properties of an IPsec rule within an IPsec policy.
Filter action—A single filter action is selected that includes the type of action required (Permit, Block, or Negotiate
Security) for packets that match the filter list. For the Negotiate Security filter action, the negotiation data contains
one or more security methods that are used (in order of preference) during IKE negotiations and other IPsec
settings. Each security method determines the security protocol (such as Authentication Header [AH] or
Encapsulating Security Payload [ESP]), the specific cryptographic and hashing algorithms, and session key
regeneration settings used. The filter action is configured on the Filter Action tab in the properties of an IPsec rule
within an IPsec policy.
Authentication methods—One or more authentication methods are configured (in order of preference) and used
for authentication of IPsec peers during main mode negotiations. The available authentication methods are the
Kerberos V5 protocol, use of a certificate issued from a specified certification authority, or a preshared key. The
authentication methods are configured on the Authentication Methods tab in the properties of an IPsec rule within
an IPsec policy.
Tunnel endpoint—Specifies whether the traffic is tunneled and, if it is, the IP address of the tunnel endpoint. For
outbound traffic, the tunnel endpoint is the IP address of the IPsec tunnel peer. For inbound traffic, the tunnel
endpoint is a local IP address. The tunnel endpoint is configured on the Tunnel Setting tab in the properties of an
IPsec rule within an IPsec policy.
Connection type—Specifies whether the rule applies to local area network (LAN) connections, dial-up connections,
or both. The connection type is configured on the Connection Type tab in the properties of an IPsec rule within an
IPsec policy.
The rules for a policy are displayed in reverse alphabetical order based on the name of the filter list selected for
each rule. There is no method for specifying an order in which to apply the rules in a policy. IPsec for Windows
automatically creates an IPsec filter list and orders the list based on the most specific to the least specific filter list.
For example, a filter that specified individual IP addresses would be applied before a filter that specified all
addresses on a subnet.
When should the predefined
policies be used?
• The predefined policies should only be
used for testing and research purposes.
You should create your own IPsec policy
when deploying IPsec in a production
environment.
What is an IP filter?
• An IP filter defines a specific set of IP traffic. The
configuration parameters of an IP filter are the following:
• Source address (individual address or address range)
• Source address mask
• Source TCP port
• Source UDP port
• Destination address (individual address or address
range)
• Destination address mask
• Destination TCP port
• Destination UDP port
• IP protocol
What is an IP filter list?
• An IP filter list is a set of IP filters grouped
together under a common name, typically
for the purpose of applying a specific filter
action.
What is a filter action?
• A filter action defines how IPsec will
handle traffic. You can specify permit,
block, or secure (known as Negotiate
Security) filter actions. When you select
the secure filter action, you must also
specify security methods, authentication
methods, connection type, and whether to
use IPsec tunneling.
What does the "Allow unsecured communication
with non IPsec-aware computer" checkbox on the
"Security Methods" tab do?
• Specifies whether to allow unsecured
communications with computers that cannot
negotiate the use of IPsec or process IPsecsecured traffic. You can use this option to secure
traffic with computers on your network that are
IPsec-capable while allowing unsecured
communications with computers on your network
that are not IPsec-capable. However, when you
enable this option, unsecured traffic is allowed
when IPsec negotiations with an IPsec-capable
computer fail.
What does the "Accept unsecured communication,
but always respond using IPsec" checkbox on the
"Security Methods" tab do?
• Specifies whether to accept initial unsecured
traffic sent by another computer, but require
secure communication when replying. This
option is typically enabled on a policy that is
assigned to server computers when the client
computers have a policy assigned in which the
default response rule is enabled. This simplifies
IPsec deployment because the policy assigned
to the client computers does not have to be
configured with additional rules that initiate
secured communication to all secured servers.
What does the "Session Key perfect forward
secrecy" checkbox on the "Security
Methods" tab do?
• Specifies whether you want to renegotiate new
master key keying material each time a new
session key is required. When session key
perfect forward secrecy (PFS) is disabled, new
session keys are derived from current master
key keying material, subject to the number of
times the master key keying material can be
used to derive the session key. Although
enabling session key perfect forward secrecy
(PFS) provides greater security, performance
and throughput might be impacted.
What is the Default Response rule
used for?
•
•
•
•
The default response rule, which can be used for all policies, has the IP filter list of <Dynamic>
and the filter action of Default Response when the list of rules is viewed with the IP Security
Policies snap-in. The default response rule cannot be deleted, but it can be deactivated. It is
activated by default for all policies.
The default response rule is used to ensure that the computer responds to requests for secure
communication. If an active policy does not have a rule defined for a computer that is requesting
secure communication, then the default response rule is applied and security is negotiated. For
example, when Computer A communicates securely with Computer B, and Computer B does not
have an inbound filter defined for Computer A, the default response rule is used.
When enabled on a client computer, the default response rule allows the client to start
communicating in the clear to a server with the Accept unsecured communication, but always
respond using IPsec option enabled. The server will respond with a negotiation request that, if
successful, protects the rest of the traffic.
Security methods and authentication methods can be configured for the default response rule.
The filter list of <Dynamic> indicates that the filter list is not configured, but that filters are created
automatically based on the receipt of IKE negotiation packets. The filter action of Default
Response indicates that the action of the filter (Permit, Block, or Negotiate Security) cannot be
configured. Negotiate Security will be used. However, you can configure:
–
–
The security methods and their preference order on the Security Methods tab.
The authentication methods and their preference order on the Authentication Methods tab.
How are IPsec policies applied in the
Active Directory directory service?
• For computers that obtain their IPsec policy through Active
Directory-based group policy, the IPsec policy applied is the one
assigned to the Group Policy object (GPO) that is closest to the
computer in the Active Directory domain structure, when following
the domain structure up to the root of the domain. For example, if a
computer is a member of an organizational unit (OU), then the IPsec
policy assigned to that OU's GPO would be the one applied.
However, if the OU's GPO does not have an assigned IPsec policy,
then the computer will apply the IPsec policy assigned to the GPO in
the next OU up the Active Directory tree towards the root.
• The IPsec policies in different GPOs are not merged. Only one
IPsec policy is applied, the one assigned with the closest GPO
towards the root of the Active Directory tree.
Can I use IPsec to secure multicast or
broadcast traffic? What about blocking it?
• No. IPsec does not secure multicast or
broadcast traffic. However, you can
configure IPsec to block multicast or
broadcast traffic.
How does IPsec for Windows
determine filter ordering?
• IPsec for Windows derives an IPsec filter list
from the rules of the assigned IPsec policy. The
IPsec filter list, which is derived from but
different than the IP filter lists configured in the
IPsec policy, is the end result of the policy
configuration, specifying the exact set of
interesting traffic and how it is to be handled.
The IPsec filter list is ordered by a weight value,
which is based on how specific the originally
defined IP filter is; more specific IP filters will
produce IPsec filters with a higher weight value.
For more information, see IPsec Filter Ordering.
What happens when filters conflict?
• Conflicting IPsec filters contain the same value
for addressing, ports, and the IP Protocol field
value, but have different filter actions. For
example, one IPsec filter may permit and the
other IPsec filter may block. When there are
conflicting IPsec filters, the IPsec filter with the
most restrictive filter action is added to the IPsec
filter list. The block filter action is more restrictive
than the secure filter action, which is more
restrictive than the permit filter action.
Do you need to exempt DNS traffic
from being secured with IPsec?
• Yes. You should create an exemption that
permits DNS traffic (TCP port 53 and UDP
port 53).
Do you need to exempt NetBIOS over TCP/IP
name resolution traffic from being secured with
IPsec?
• Yes. You should create an exemption that
permits NetBIOS over TCP/IP name
resolution traffic, commonly sent between
client computers and Windows Internet
Name Service (WINS) server computers
(UDP port 137).
Do I need to configure Windows
Firewall for exceptions for IPsec traffic?
• No. IPsec for Windows automatically
creates the exceptions for IPsec
negotiation traffic (UDP ports 500 and
4500) when the active IPsec policy
requires secure traffic.
Why does Microsoft recommend against using
preshared key authentication for IPsec?
• The use of preshared key authentication is not
recommended because it is a relatively weak
authentication method. Preshared key authentication
creates a master key that is less secure than digital
certificates or the Kerberos V5 protocol. In addition,
preshared keys are stored in plaintext and can be
viewed by users with administrator-level privileges.
Preshared key authentication is provided for
interoperability purposes and to adhere to IPsec
standards. It is recommended that you use preshared
keys only for testing and that you use digital certificates
or Kerberos V5 instead in a production environment.
Why does IPsec use computer
authentication and not user authentication?
• IPsec is designed for computer-tocomputer security services and is
independent of the actual traffic being
secured. User credentials are employed
by Application layer components, rather
than Network layer components.
Additionally, IPsec might need to secure
traffic before a user has logged on to the
computer.
What certificate attributes are required
for IPsec to accept the certificate?
• IPsec requires the following attributes for
certificates used in IPsec authentication:
– Must contain an RSA public key that has a
corresponding private key that can be used for RSA
signatures
– Cannot be expired
– Must have been issued from a trusted root
certification authority
• For additional information, see the "IKE Main
Mode and Quick Mode Negotiation" section of
How IPsec Works.
Is AES encryption supported?
• No. The Microsoft implementation of IPsec
in current versions of Windows does not
support the Advanced Encryption
Standard (AES). Support for AES is being
considered for future versions of Windows.
Why would I use 3DES over DES
encryption?
• Triple Data Encryption Standard (3DES) is
recommended because it is more secure
than DES. Use DES when securing traffic
to third-party IPsec peers that do not
support 3DES. Windows XP, Windows
Server 2003, and Windows 2000 (Service
Pack 1 and higher) support 3DES.
Why would I use SHA1 over MD5
for hashing?
• Secure Hash Algorithm 1 (SHA1) is
recommended because it is more secure
than Message Digest 5 (MD5). Use MD5
when securing traffic to third-party IPsec
peers that do not support MD5. Windows
XP, Windows Server 2003, and Windows
2000 (Service Pack 1 and higher) support
SHA1.
How many simultaneous IPsec connections can be
sustained on a basic server computer?
•
Results vary because there are many factors affecting the performance of IPsec such
as processor speed and the types of network adapters. In Microsoft testing, the
following results were achieved on an Intel Pentium III-based computer, running at
993 MHz, and with 384 MB of RAM:
•
Time between initiated negotiations (ms) Security associations (SAs) established (SAs/sec)
•
250
15.79762
•
200
19.27202
•
150
19.38969
•
100
17.99813
•
50
18.7118
•
0
5.49884
•
The most time and processor-intensive part of an IPsec-secured connection is the
main mode negotiation, from which the master key is derived.
What is IPsec offload? What effect
does it have on performance?
• IPsec offload is the offloading of IPsec
cryptographic calculations to high-performance
firmware on network adapters, rather than
having those calculations being performed using
the computer's processor. Some IPsec offload
adapters can perform DES, 3DES, SHA1
HMAC, MD5 HMAC, and even Diffie-Hellman
key determination calculations. Using IPsec
offload adapters can have a significant impact
on performance.
Can I use IPsec with network load balancing (NLB)? Can
we use IPsec with Microsoft Cluster Server (MSCS)?
• Yes. IPsec for Windows supports NLB and
MSCS cluster scenarios. However, IPsec
sessions do not fail over. For more
information, see IPsec is not designed for
failover.
What performance counters are
available?
• There are no performance counters in
current versions of Windows to monitor
IPsec-secured traffic.
What monitoring tools can I use for
IPsec?
• For computers running Windows 2000, you can use the
IP Security Monitor tool. Click Start, click Run, type
ipsecmon.exe, and then click OK.
• For computers running Windows XP or Windows Server
2003, you can use the IP Security Monitor snap-in. For
more information, see To start the IP Security Policy
Management snap-in.
• For computers running Windows XP, you can use the
ipseccmd \\computer show all command.
• For computers running Windows Server 2003, you can
use the netsh ipsec static show or netsh ipsec
dynamic show commands.
How can I view my current IPsec
security associations (SAs)?
• For computers running Windows 2000, you can use the
IP Security Monitor tool. Click Start, click Run, type
ipsecmon.exe, and then click OK SAs are listed in the
Security Associations portion of the IP Security
Monitor window.
• For computers running Windows XP or Windows Server
2003, you can use the IP Security Monitor snap-in. For
more information, see To start the IP Security Policy
Management snap-in.
• For computers running Windows XP, you can use the
ipseccmd\\computershow all command.
• For computers running Windows Server 2003, you can
use the netsh ipsec static show or netsh ipsec
dynamic show commands.
How do you turn on Oakley logging?
Where is the log file stored?
• The Oakley log records all IKE (ISAKMP) main mode
and quick mode negotiations. To enable Oakley logging,
do the following:
– For computers running Windows 2000, set the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\P
olicyAgent\Oakley\EnableLogging registry setting to 1. The
Oakley key does not exist by default and must be created.
– For computers running Windows XP, use the ipseccmd set logike
command.
– For computers running Windows Server 2003, use the netsh
ipsec dynamic set config ikelogging 1 command.
• The Oakley log is stored in the systemroot\Debug folder.
A new Oakley.log file is created each time the IPsec
Policy Agent is started and the previous version of the
Oakley.log file is saved as Oakley.log.sav.
How do I troubleshoot communications
that are encrypted by IPsec?
• Because the IP payloads have been encrypted
with IPsec, it is not possible to perform
troubleshooting based on the contents of IPsecprotected packet payloads. For example, you
cannot use an intermediate router or firewall to
capture and interpret IPsec-protected packets.
You can perform some troubleshooting based on
the presence of encrypted packets, how many
are sent, and when they are sent.
Can I use Microsoft Network Monitor to
troubleshoot IPsec traffic?
• Yes. Network Monitor is included with
Microsoft Systems Management Server,
Windows 2000 Server, Windows Server
2003, and features protocol parsers for
IKE (displayed as ISAKMP), AH, and ESP.
However, Network Monitor does not parse
the encrypted portions of IPsec-protected
traffic.
What settings do I need to enable
IPsec event logging?
• You can use the Windows XP Event Viewer snap-in to view the
following IPsec-related events:
• IPsec Policy Agent events in the audit log.
• IPsec driver events in the system log. To enable IPsec driver event
logging, set the
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\
IPSEC\DiagnosticMode registry setting to 1. You must restart the
computer for this change to take effect. The IPsec driver only writes
events to the system log once an hour.
• IKE events (SA details) in the audit log. To view these events,
enable success or failure auditing for the Audit logon events audit
policy for your domain or local computer. For more information, see
To establish an audit policy.
• IPsec policy change events in the audit log. To view these events,
enable success or failure auditing for the Audit policy change audit
policy for your domain or local computer. For more information, see
To establish an audit policy.
How does IPsec work with network
address translators (NATs)?
• IPsec Network Address Translator Traversal (NAT-T), a
new IETF standard, allows IPsec negotiation and
encapsulation of ESP-protected payloads. For more
information about how IPsec NAT-T works, see IPsec
NAT Traversal Overview.
• Windows XP Service Pack 2 and Windows Server 2003
has built-in support for IPsec NAT-T. L2TP/IPsec NAT-T
update for Windows XP and Windows 2000, a free
download, provides support for computers running
Windows XP with no service packs installed, Windows
XP with Service Pack 1, and Windows 2000.
How do I remove all local IPsec
policy settings?
• You can remove static local IPsec policy
settings with the following:
• The IP Security Policies snap-in for
Windows 2000, Windows XP, or Windows
Server 2003
• The Ipseccmd.exe tool for Windows XP
• Commands in the netsh ipsec static
context for Windows Server 2003
What is the difference between ESP
with authentication only and AH?
• AH provides data origin authentication and
data integrity for the entire IP packet (with
the exception of some fields in the IP
header that must change in transit). ESP
with authentication only (also known as
ESP null) provides data origin
authentication and data integrity for only
the IP payload.
Why would you want both AH and
ESP?
• ESP provides data confidentiality, data
origin authentication, and data integrity for
the IP payload. ESP does not provide data
origin authentication and data integrity for
the IP header. If you want to protect the IP
header for ESP-encrypted packets, you
must use both AH and ESP. By protecting
the IP header, you can detect and
eliminate most types of network attacks
that rely on the spoofing of IP addresses.
What is IPsec main mode
negotiation?
• The negotiation of a secured IPsec session has two distinct phases:
main mode and quick mode. The main mode negotiation creates a
bidirectional main mode SA (also known as an ISAKMP SA), which
is a secure channel through which the quick mode negotiation and
all future IKE traffic takes place.
• Main mode negotiation accomplishes the following:
– Negotiates security parameters for IKE traffic. These include the
authentication method, lifetime of the main mode SA, the DiffieHellman group to be used to generate a shared secret, and how
the IKE traffic is to be protected (encryption and HMAC
algorithms).
– Exchanges Diffie-Hellman keying material. For a set of publicly
exchanged keys, a mutually determined secret key is calculated.
– Authenticates the identities of the IPsec peers (Kerberos, digital
certificates, or preshared key)
What is IPsec quick mode
negotiation?
• IPsec quick mode negotiation creates the unidirectional
quick mode SAs (also known as IPsec SAs), to secure
data traffic. During negotiation, the IPsec peers
determine the specific encryption algorithm, hashing
algorithms, the use of ESP or AH (or both), whether to
use transport or tunnel, and a description of the traffic to
protect. All quick mode negotiation messages are
protected with the main mode SA previously established.
Each successful quick mode negotiation establishes two
IPsec SAs. One SA is for inbound traffic and the other is
for outbound traffic.
What are IKE, Oakley, and ISAKMP
and how do they relate?
• Internet Key Exchange (IKE) is used to dynamically
establish SAs between IPsec peers. IKE is a hybrid of 3
protocols that is based on a framework defined by the
Internet Security Association and Key Management
Protocol (ISAKMP) and implements parts of two key
management protocols: Oakley and SKEME.
• IKE uses ISAKMP to define how two peers
communicate, including the packet formats,
retransmission timers, and message construction
requirements. IKE uses both Oakley and SKEME to
provide the mechanism and management of key
exchanges.
What is IPsec transport mode?
• IPsec transport mode provides the
protection of an IP payload through an AH
or ESP header. Typical IP payloads are
TCP segments (containing a TCP header
and TCP segment data), a UDP message
(containing a UDP header and UDP
message data), and an ICMP message
(containing an ICMP header and ICMP
message data).
What is IPsec tunnel mode?
• IPsec Tunnel mode provides the protection of an
entire IP packet by treating it as an AH or ESP
payload. With tunnel mode, an entire IP packet
is encapsulated with an AH or ESP header and
an additional IP header. The IP addresses of the
outer IP header are the tunnel endpoints, and
the IP addresses of the encapsulated IP header
are the ultimate source and destination
addresses.
How do I configure a router-based firewall to
allow IPsec for Windows traffic?
• Configure your router-based firewall to
allow the following:
– UDP port 500 (IKE traffic)
– UDP port 4500 (IPsec NAT-T traffic)
– IP protocol 50 (ESP-protected traffic)
– IP protocol 51 (AH-protected traffic)
What are the IPsec registry keys?
• The main IPsec policy and configuration
details are stored under
HKEY_LOCAL_COMPUTER\SOFTWARE
\Policies\Microsoft\windows\IPsec. For
information about IPsec registry keys, see
IPsec Tools and Settings.
Is there a trusted man-in-themiddle attack against IPsec?
• IPsec is vulnerable to a trusted man-in-themiddle attack if someone gains access to the
private information that the IPsec peers use to
authenticate each other. The risk of this attack is
higher if preshared keys are used as the
authentication method. For this reason,
Microsoft recommends that preshared keys be
used only in test environments. If certificates are
used as the authentication method, the risk of a
man-in-the-middle attacked is significantly
reduced.
What is the idle timeout for quick
mode SAs?
• If a quick mode SA is not used to secure
traffic for a specific period of time, it is
removed and a new SA is negotiated. This
timeout period is 5 minutes.
When IPsec peers are separated by a NAT,
will IPsec negotiation happen over UDP port
4500 or UDP port 500?
• When peers negotiate a main mode SA
across a NAT, only the initial IKE message
from the initiating IPsec peer uses UPD
port 500. All other IKE traffic is sent over
UDP port 4500.
When IPsec peers are separated by a NAT,
will IPsec negotiation happen over UDP port
4500 or UDP port 500?
• When peers negotiate a main mode SA
across a NAT, only the initial IKE message
from the initiating IPsec peer uses UPD
port 500. All other IKE traffic is sent over
UDP port 4500.
How does the faster failover for IPsec with
Network Load Balancing (NLB) and
Microsoft Cluster Server (MSCS) work?
• For computers running Windows Server
2003, the IKE component has the ability to
detect if a peer is a member node of a
cluster. If so, IKE changes the default
quick mode SA timeout from 5 minutes to
1 minute. If the current cluster node fails,
any SAs established to the failed node will
timeout after 1 minute and IKE will reestablish an IPsec-secured session with a
new cluster node.
How does IKE in IPsec for Windows behave
in an IKE-based denial of service attack?
• IKE limits the number of outstanding main mode
negotiations and the number of established main
mode negotiations. If there is an established
main mode SA, IKE limits the outstanding main
mode SAs to 5 per IP address/port pair. If there
is no established main mode SA, IKE limits the
outstanding main mode SAs to 35 per IP
address. If this limit is hit, IKE will drop all initial
negotiation messages from that peer until an
outstanding SA for that peer has failed, timed
out, or been established.