IPSec


jillian

Is it possible, in Windows 2000 or Windows 2003, to enable the IPSec
service to listen on only one NIC if you have a computer with
multiple NICs?
It is possible to enable DNS, WINS, etc. to listen on only one
interface.
Any input would be appreciated.
 
IPSec can be configured for all connections, LAN connections or RAS
connections globally but not by interface.

To solve this and the DNS/WINS issues, you might try using IP filtering on
the interface and block traffic by either port number or protocol number.
 
Though not flexible (or easy), you can make IPsec only apply to a particular
IP address (usually there is a 1:1 NIC to IP address mapping). The IP
addresses will have to be static and the policy cannot use the 'Me'
qualifiers.

I hope this helps
- Chris
 
Actually IPSec can be configured by IP quite easily (either
as a source or destination or both match.)

Second, if you have trouble with an IPSec match using a
dynamic (e.g., DHCP assigned IP) it is possible to set up
your policy in a batch file using the command line utilities:
IPSecPol (Win2000), IPSecCmd (XP), or NetSh.exe (Win2003).

Although I can imagine cases where you must leave the machine
exposed (briefly) on boot in order to determine the correct IP to
substitute into the batch file, it would work pretty easily (given that
any policy in IPSec is ever easy) and about as well as static policies.

I build most of my IPSec policies from a Perl script that generates
the IPSecPol commands anyway -- for complex policies it is
actually much easier than the GUI, and faster to use the Perl script
to handle the irritating syntax issues.
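The two replies above describe the same workflow: read the address the NIC actually got, substitute it into a scripted policy whose filters name that address instead of 'Me', and assign the policy from the command line. The script below is an added example, not code from this thread or from any poster; it is a Python stand-in for the Perl generator mentioned above and emits Windows Server 2003 `netsh ipsec static` commands (the `add policy`, `add filterlist`, `add filter`, `add filteraction`, `add rule` and `set policy ... assign=y` verbs, with `action=negotiate` and the default authentication). The netsh syntax is written from memory of the Windows Server 2003 reference and should be checked against `netsh ipsec static add filter /?` on the target host; the `netsh interface ip show address` output it parses is constructed sample text, not a capture.

```python
import re
from ipaddress import IPv4Address

# Constructed sample of `netsh interface ip show address "Local Area Connection"`
# output on Windows Server 2003 (not captured from a real host).
SAMPLE_NETSH_OUTPUT = """\
Configuration for interface "Local Area Connection"
    DHCP enabled:                         Yes
    IP Address:                           10.0.0.5
    SubnetMask:                           255.255.255.0
    Default Gateway:                      10.0.0.1
    GatewayMetric:                        0
    InterfaceMetric:                      0
"""

_IP_LINE = re.compile(r"^\s*IP Address:\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.MULTILINE)


def interface_address(netsh_output: str) -> str:
    """Pull the (possibly DHCP-assigned) address of one interface out of the
    netsh listing so it can be substituted into the policy at boot time."""
    m = _IP_LINE.search(netsh_output)
    if not m:
        raise ValueError("no 'IP Address:' line in netsh output")
    # IPv4Address() rejects junk such as 999.1.1.1 that the regex would accept
    return str(IPv4Address(m.group(1)))


def build_policy(policy_name, local_ip, peers, action="negotiate"):
    """Return the netsh ipsec static commands for a policy whose filters match
    only traffic to/from `local_ip` (one NIC's address), never the host-wide
    'Me' qualifier. `peers` are remote IPs or 'any'. Command syntax assumed
    from the Windows Server 2003 netsh reference; verify on the host."""
    if str(local_ip).lower() == "me":
        raise ValueError("'Me' matches every local address; pass the NIC's own IP")
    local = str(IPv4Address(local_ip))
    filterlist = f"{policy_name} Filters"
    filteraction = f"{policy_name} Action"
    cmds = [
        f'netsh ipsec static add policy name="{policy_name}" '
        f'description="IPsec scoped to {local}"',
        f'netsh ipsec static add filterlist name="{filterlist}"',
    ]
    for peer in peers:
        # mirrored=yes also installs the reverse filter (peer -> local_ip)
        cmds.append(f'netsh ipsec static add filter filterlist="{filterlist}" '
                    f'srcaddr={local} dstaddr={peer} protocol=ANY mirrored=yes')
    cmds += [
        f'netsh ipsec static add filteraction name="{filteraction}" action={action}',
        f'netsh ipsec static add rule name="{policy_name} Rule" policy="{policy_name}" '
        f'filterlist="{filterlist}" filteraction="{filteraction}"',
        f'netsh ipsec static set policy name="{policy_name}" assign=y',
    ]
    return cmds


def render_batch(cmds):
    """Wrap the commands as a .cmd file body (CRLF line endings for cmd.exe)."""
    return "\r\n".join(["@echo off", "rem generated policy - regenerate, do not edit"] + cmds) + "\r\n"


if __name__ == "__main__":
    # At boot the real script would run netsh and feed its output in here.
    ip = interface_address(SAMPLE_NETSH_OUTPUT)
    print(render_batch(build_policy("Internal-NIC", ip, ["192.168.5.20", "any"])))
```

Because the filters carry the interface's concrete address rather than 'Me', traffic on the other NICs is not touched by this policy; the trade-off the poster mentions remains, since until the address is read and the policy assigned at boot the interface is briefly unprotected.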
 