IPSec filtering vs. VPN


Michael A. Covington

Greetings,

I am using Microsoft IP Security Policy (on a Windows 2003 server) to drop
unwanted TCP packets like a firewall, as described here:

http://www.microsoft.com/technet/itsolutions/network/security/ipsecld.mspx

My problem is that one of my servers is hosting a VPN (through RRAS), and no
matter what I do, I can't find a setting (other than "allow everything")
that makes the VPN usable.

I tried the following filter set:

Port 1723 protocol TCP from any IP address to my IP address
Port ANY protocol 47 from any IP address to my IP address
Filter action: Permit

That didn't work. Nor did using UDP port 47 in place of any port protocol
47.

What are the correct settings? My server hosts the VPN by means of 2
network cards; am I maybe applying the settings to the wrong card?

The settings applied to all the other port numbers (to permit HTTP, FTP,
etc., and block other things) are working as advertised.

Many thanks!
 
That's a good question... Does it work if you allow Protocol 47 from
any IP address to any IP address? I think the problem is in that
one...

Also, what type of error are you getting?

Jeffrey Randow (Windows Networking & Smart Display MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
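To make concrete why the two filter sets above behave differently, here is a small added simulation (not from the original thread or from the Microsoft policy engine) of how a filter list matches the three packet flows a PPTP session needs: the TCP 1723 control channel, GRE (IP protocol 47) from the client, and the server's own GRE replies. It assumes constructed sample addresses and a simplified first-match evaluation; "UDP port 47" never matches GRE because GRE has no port field, and a protocol 47 rule scoped only to the server's address leaves the outbound GRE leg uncovered unless the filter is mirrored or written any-to-any as suggested in the reply.

```python
from dataclasses import dataclass
from typing import Optional

SERVER, CLIENT = "192.0.2.10", "198.51.100.7"   # constructed sample addresses
TCP, UDP, GRE = 6, 17, 47                       # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None   # GRE carries no port, so this stays None

@dataclass(frozen=True)
class Rule:
    src: str                      # "any" or one address ("my IP" is SERVER here)
    dst: str
    proto: Optional[int] = None   # None means any protocol
    dport: Optional[int] = None   # None means any port
    action: str = "permit"

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every field it constrains agrees with the packet."""
    return ((rule.src == "any" or rule.src == pkt.src)
            and (rule.dst == "any" or rule.dst == pkt.dst)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))

def decide(rules, pkt: Packet, default: str = "block") -> str:
    """Simplified evaluation (an assumption): first matching rule wins, else default."""
    return next((r.action for r in rules if matches(r, pkt)), default)

# The three legs a PPTP session needs: control channel in, then GRE in both directions.
PPTP_LEGS = {
    "ctrl_in": Packet(CLIENT, SERVER, TCP, 1723),
    "gre_in":  Packet(CLIENT, SERVER, GRE),
    "gre_out": Packet(SERVER, CLIENT, GRE),
}

def session_legs(rules) -> dict:
    """Map each PPTP leg to the action the rule list gives it."""
    return {name: decide(rules, pkt) for name, pkt in PPTP_LEGS.items()}

# Variant 1: "UDP port 47". GRE is protocol 47, not a UDP port, so the rule never fires.
UDP_PORT_47 = [Rule("any", SERVER, TCP, 1723), Rule("any", SERVER, UDP, 47)]
# Variant 2: protocol 47 to the server only (no mirroring): the server's GRE replies have no rule.
PROTO_47_IN = [Rule("any", SERVER, TCP, 1723), Rule("any", SERVER, GRE)]
# Variant 3: protocol 47 any-to-any, as suggested in the reply; both GRE directions pass.
PROTO_47_ANY = [Rule("any", SERVER, TCP, 1723), Rule("any", "any", GRE)]
```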
 
Thanks for responding. I'll get back to you...

Jeffrey Randow (MVP) said:
That's a good question... Does it work if you allow Protocol 47 from
any IP address to any IP address? I think the problem is in that
one...

Also, what type of error are you getting?

Jeffrey Randow (Windows Networking & Smart Display MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows XP Expert Zone - http://www.microsoft.com/windowsxp/expertzone
 