IPSEC


Myrt Webb

I have secured one of my member servers to require IPSEC
over my LAN. I used group policy to do this.

I have used "ping" to see if there are any differences but
I cannot tell if IPSEC is being used or not.

How can I find out if the policy is working?
 
IPSec isn't a firewall and there's no logging or alerting. Using a firewall
of some sort is IMHO advisable if you want that kind of functionality, such
as if you want to be able to tell the IP address of the person who hacked
you.
 
I think he is talking about using AH/ESP here, but I may be wrong. ---
Steve

 
Myrt Webb said:
I have secured one of my member servers to require IPSEC
over my LAN. I used group policy to do this.

I have used "ping" to see if there are any differences but
I cannot tell if IPSEC is being used or not.

There may not be -- which POLICY did you use? Did
you customize one or use the defaults?

(I believe) the default leaves out the ICMP protocol so you
can still test connectivity but it is trivial to add it back in or
create a custom policy.

If you didn't choose REQUIRE (default "Secure Server" policy)
then clients who don't support IPSec (no policy configured) will
be accepted anyway.

You cannot really configure "one server" but must also configure
ALL CLIENTS to participate in IPSec.
How can I find out if the policy is working?

Monitoring traffic with NetMon (make sure you are authorized to
sniff) is the only CERTAIN way. You can use IPSecMon to see
if the machines are even setting up a secure association.
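The check described above, as an added example that is not part of the original thread or the posters' advice: on a current Windows box (Windows 8 / Server 2012 or later, where the NetSecurity module replaces the old IPSecMon snap-in) you can ask the stack directly whether a security association exists with the remote host, instead of guessing from ping. The function name Test-IPsecProtection, the target address and the port are assumptions made for the example; the cmdlets and the property names are the stock ones from the NetSecurity module.

```powershell
# Added example, not from the thread. Verifies that traffic to one remote host
# is actually covered by IPsec, and explains why ping alone cannot tell you.
function Test-IPsecProtection {
    param(
        [Parameter(Mandatory)] [string] $RemoteHost,  # assumption: IP of the member server
        [int] $Port = 445                             # assumption: a port the policy covers (SMB)
    )

    # ICMP is frequently exempt from IPsec, so a ping looks identical with or
    # without a working policy. Check the exemption list, then drive real TCP
    # traffic to a port the policy is supposed to protect.
    $exemptions = (Get-NetFirewallSetting).Exemptions
    Write-Host "IPsec exemptions on this host: $exemptions"
    $null = Test-NetConnection -ComputerName $RemoteHost -Port $Port -WarningAction SilentlyContinue

    # Main Mode SA: IKE authenticated the peer and agreed keying material.
    $mm = Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $RemoteHost }
    # Quick Mode SA: the AH/ESP protection actually applied to the packets.
    $qm = Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $RemoteHost }

    if (-not $mm) {
        Write-Warning ("No Main Mode SA with {0}: IKE never negotiated. Either the client " +
                       "has no matching policy, or the server policy only REQUESTS security " +
                       "and silently fell back to clear text.") -f $RemoteHost
    }
    if (-not $qm) {
        Write-Warning "No Quick Mode SA with $RemoteHost: traffic on port $Port is NOT protected."
        return $false
    }

    $qm | Select-Object LocalEndpoint, RemoteEndpoint, LocalPort, RemotePort,
                        EncapsulationMode, AhIntegrity, EspIntegrity, EspEncryption |
          Format-Table -AutoSize | Out-Host

    # AH or integrity-only ESP authenticates packets but leaves payloads readable
    # on the wire; only ESP with an encryption algorithm hides the payload.
    foreach ($sa in $qm) {
        if ($sa.EspEncryption -and $sa.EspEncryption -ne 'None') {
            Write-Host "ESP with $($sa.EspEncryption): payload is encrypted on the wire."
        } elseif ($sa.EspIntegrity -ne 'None' -or $sa.AhIntegrity -ne 'None') {
            Write-Host "Integrity-only SA ($($sa.AhIntegrity)/$($sa.EspIntegrity)): authenticated, but a sniffer still reads the payload."
        }
    }
    return $true
}

# Example invocation (address is an assumption):
Test-IPsecProtection -RemoteHost '192.168.1.10' -Port 445
```

The same information is available without PowerShell from `netsh advfirewall monitor show mmsa` and `netsh advfirewall monitor show qmsa`. If you do go the NetMon/Wireshark route the thread recommends, what proves the policy is working is the protocol on the wire: ESP is IP protocol 50 and AH is IP protocol 51, with the IKE negotiation itself on UDP 500 (or 4500 behind NAT). Plain TCP to port 445 appearing in the capture means the policy is not in force for that peer.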
 
I guess we hardly ever see anyone asking about actually using ipsec for what
it is designed for. --- Steve

Karl Levinson [x y] mvp said:
Sorry, you could be right. My mistake.

 