Creating IPSec Policy for Pre-Share Key in VPN not working.

Posted by Pr3z on October 25, 2005, 6:31 am
Server 2003

I am trying to create an IPSec policy that will allow the use of a
pre-shared key for VPN only. I have created a VPN Security Policy in
Local Security Settings under the IPSec Policies on Local Computer.

I have it set up to permit traffic for remote access using a pre-shared
key. Filter action is to negotiate security. Connection type is Remote
Access. I have the pre-shared key in.

Now it doesn't work. It blocks all traffic, because when I VPN in, I cannot
map drives. If I change the filter action to Permit, then it leaves it
open and I can VPN and map drives without using a pre-shared key. I
guess I am lost or missing a step as to where I tell it to ask or look
for the pre-shared key.

Can anyone point me in the right direction? I bought a book and have
spent days searching groups and the internet.



Posted by Steven L Umbach on October 25, 2005, 8:50 am
You don't give a lot of details on how you have your VPN set up, but IPsec
will not work if NAT is used in the path between the client and server.
There is a NAT-T client that can be used, which is primarily for L2TP/IPsec.
Also, if there is a firewall protecting your server, then the correct ports
need to be open in the firewall to the VPN server. You may also want to try
PPTP, which is secure as long as you use complex passwords [say at least 8
characters in length with complexity enabled] and is fairly easy to configure.
The security log on the server may have events recorded that may also give a
clue as to what is going on, if the traffic ever reached the VPN server. If
the VPN client is protected by a NAT device, it needs to be configured to
allow IPsec passthrough in its configuration options. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B818043 --- NAT-T
http://support.microsoft.com/default.aspx?scid=kb;en-us;885348 --- more NAT-T info
http://support.microsoft.com/default.aspx?kbid=885407 --- NAT-T and XP SP2
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/428c1bbf-2ceb-4f76-a1ef-0219982eca10.mspx --- VPN firewall rules

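Steve's point that IPsec will not work through a NAT unless NAT-T is in play is worth seeing concretely. What follows is an added example, not code from the original posts and not Windows or RRAS code: a Python model of how IKE NAT-Traversal (RFC 3947) detects a NAT by exchanging NAT-D payloads, each a hash of an address and port as the sender believes them to be, and why the negotiation then floats to UDP/4500 with UDP-encapsulated ESP (RFC 3948). The cookies and addresses are constructed; a real negotiation takes them from the first two IKE messages and the IP headers.

```python
import hashlib
import ipaddress
import struct

# Constructed example (not Windows/RRAS code): IKE NAT-Traversal discovery
# (RFC 3947 section 3.2). A NAT rewrites the outer IP/UDP header but cannot
# rewrite a hash of the original header carried inside the IKE payload, so
# comparing the two reveals the NAT.

IKE_PORT = 500      # plain IKE and raw ESP (IP protocol 50) when no NAT is present
NAT_T_PORT = 4500   # IKE plus UDP-encapsulated ESP once a NAT has been detected


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port), SHA-1 here."""
    return hashlib.sha1(
        cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    ).digest()


def nat_d_payloads(cky_i, cky_r, local, remote):
    """Payloads a sender puts in IKE messages 3/4. `local` and `remote` are
    (ip, port) tuples as the sender itself sees them. RFC 3947: the first
    payload covers the remote end, the remaining ones the local end."""
    return [nat_d(cky_i, cky_r, *remote), nat_d(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, payloads, seen_src, own):
    """Run by the receiver over the datagram as it actually arrived.
    seen_src = (ip, port) from the IP/UDP headers; own = the receiver's address."""
    remote_hash, local_hashes = payloads[0], payloads[1:]
    # The sender hashed its own address. If no hash matches the source we see,
    # something rewrote the sender's address or port: the sender is behind NAT.
    peer_behind_nat = nat_d(cky_i, cky_r, *seen_src) not in local_hashes
    # The sender hashed the address it sent to. If that is not our own address,
    # a NAT in front of us is mapping a public address onto us.
    self_behind_nat = remote_hash != nat_d(cky_i, cky_r, *own)
    return peer_behind_nat, self_behind_nat


def negotiate(client_private, client_nat, server, server_public=None):
    """Simulate IKE messages 3/4 on the path client -> (optional NAT) -> server.
    client_nat is the (ip, port) the client's NAT presents, or None for no NAT;
    server_public is the address the client dials if the server is itself behind
    a NAT (DNAT), or None if the server's real address is reachable directly."""
    cky_i = bytes.fromhex("1122334455667788")   # constructed ISAKMP cookies
    cky_r = bytes.fromhex("99aabbccddeeff00")
    # The client builds NAT-D from its own, pre-NAT view of both ends.
    client_payloads = nat_d_payloads(
        cky_i, cky_r, local=client_private, remote=server_public or server)
    # The NAT rewrites only the outer header; the hashes inside are untouched.
    on_wire_src = client_nat if client_nat else client_private
    peer_nat, self_nat = detect_nat(cky_i, cky_r, client_payloads, on_wire_src, server)
    nat_present = peer_nat or self_nat
    return {
        "client_behind_nat": peer_nat,
        "server_behind_nat": self_nat,
        "port": NAT_T_PORT if nat_present else IKE_PORT,
        "esp": "UDP-encapsulated ESP (RFC 3948)" if nat_present
               else "raw ESP (IP protocol 50)",
    }


if __name__ == "__main__":
    server = ("198.51.100.20", IKE_PORT)
    # Home client 192.168.1.10 behind a NAT that presents 203.0.113.5:61000
    print(negotiate(("192.168.1.10", IKE_PORT), ("203.0.113.5", 61000), server))
    # Office client with a public static address and no NAT in the path
    print(negotiate(("203.0.113.77", IKE_PORT), None, server))
```

Two practical consequences fall out of this. A firewall in front of the VPN server must pass UDP/500 and UDP/4500 (and IP protocol 50 for clients that are not behind a NAT), and both endpoints must implement NAT-T, which is what the NAT-T client update for Windows 2000 in the linked articles adds. The third case, a server that is itself behind a NAT (`server_public` set), is the one KB 885407 above covers: Windows XP SP2 refuses it by default.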




Posted by Pr3z on October 25, 2005, 7:06 am
Well, the VPN works as long as I disable negotiate security on the
new policy. You still have to have a user/pass to get into the VPN and
it works fine. The firewall is open on the ports it needs to be to
allow traffic to the server for the VPN. A third party handles the
firewall right now, which is about to change.

We are mainly setting up the VPN so users can map the network drives
from home and access the files on it, and that's all. We have a couple of 98
machines that need to connect, so using the pre-shared key would be nice.

We are not using NAT right now. Every machine has a static IP here,
which is about to change as a Cisco PIX is en route.

I guess I am lost. I'm just needing to add a pre-shared key so when a
user tries to remote access the server it requires the pre-shared key or
it locks them out, and I cannot find any Server 2003 help or how-to on
this.



Posted by Steven L Umbach on October 25, 2005, 1:32 pm
You need to configure the pre-shared key in the Remote Access Management
console, in the properties of the server on the Security page: allow custom
IPsec policy for L2TP. However, this will only work for XP Pro/W2003
computers using the built-in VPN client for L2TP, where the PSK is
configured in the connectoid properties on the Security page, IPsec
settings. For Windows 2000 and Windows 98 computers you will need to use
PPTP, or use L2TP with certificates, in which case all your operating systems
would work. Windows 2003 Server can easily become a Certificate Authority
to issue the computer certificates that are needed for both the client and VPN
server for L2TP. Without a computer certificate a computer could not access
your VPN server [assuming the pre-shared key is disabled on the VPN server] if it
was the only VPN method accepted, which you can configure in Remote Access
Policy. L2TP is very secure since it requires both user and computer
authentication to access your VPN server. The link below has articles on
VPN that may help. -- Steve

http://www.microsoft.com/windowsserver2003/technologies/networking/vpn/default.mspx

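Both Pr3z's original observation (Negotiate security drops everything, Permit lets everything through with no key involved) and Steve's answer about where the L2TP pre-shared key lives come down to what IKE phase 1 does with the key. The block below is an added example, not code from the posts and not the Windows IPsec driver or RRAS: a Python walk-through of IKEv1 main mode pre-shared-key authentication (RFC 2409 section 5.4), run once with matching keys and once with a mismatch, followed by the decision each filter action makes with the outcome. The Diffie-Hellman public values and the SA proposal are random stand-ins (an assumption, marked in the code); the SKEYID and HASH_I/HASH_R computations are the real ones. One caveat that the code makes visible: in main mode the server must pick the PSK before it learns the client's identity, because the ID arrives encrypted under keys derived from SKEYID, so the key is selected by source address, which is why RRAS takes a single PSK for all L2TP clients.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed example (not RRAS or the Windows IPsec driver): IKEv1 main mode
# pre-shared-key authentication between a remote access client and a VPN
# server, and what an IPsec filter action does with the result.


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC over the negotiated hash, SHA-1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def id_ipv4(addr: str) -> bytes:
    """ID payload body: type ID_IPV4_ADDR (1), protocol 0, port 0, address."""
    return bytes([1, 0, 0, 0]) + ipaddress.IPv4Address(addr).packed


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """SKEYID = prf(pre-shared-key, Ni_b | Nr_b). Everything downstream,
    including the keys that encrypt messages 5 and 6, depends on the PSK,
    and the PSK itself is never sent on the wire."""
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


def main_mode_psk(client_psk: bytes, server_psk: bytes,
                  client_ip: str, server_ip: str) -> dict:
    """Run phase 1 with each side holding its own copy of the key.
    Assumption: DH public values and the SA proposal are random stand-ins;
    only the authentication hashes are computed as the RFC specifies."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)            # messages 1/2
    sai_b = b"\x00\x00\x00\x01" + os.urandom(28)           # stand-in SA proposal
    gxi, gxr = os.urandom(128), os.urandom(128)            # messages 3/4 (stand-in DH)
    ni, nr = os.urandom(16), os.urandom(16)                # nonces
    # Each side derives SKEYID from ITS OWN key; the server chose server_psk
    # by the client's source address, before it has seen any identity.
    skeyid_i = skeyid_psk(client_psk, ni, nr)
    skeyid_r = skeyid_psk(server_psk, ni, nr)
    # Message 5: client sends IDii and HASH_I; the server recomputes HASH_I.
    idii_b = id_ipv4(client_ip)
    sent_i = hash_i(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    want_i = hash_i(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idii_b)
    if not hmac.compare_digest(sent_i, want_i):
        return {"phase1": False,
                "reason": "HASH_I mismatch: client PSK differs from server PSK"}
    # Message 6: server sends IDir and HASH_R; the client recomputes HASH_R.
    idir_b = id_ipv4(server_ip)
    sent_r = hash_r(skeyid_r, gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    want_r = hash_r(skeyid_i, gxi, gxr, cky_i, cky_r, sai_b, idir_b)
    if not hmac.compare_digest(sent_r, want_r):
        return {"phase1": False, "reason": "HASH_R mismatch"}
    return {"phase1": True, "reason": "ISAKMP SA established; quick mode can follow"}


def filter_action(action: str, phase1: dict) -> str:
    """What a matching IPsec filter does with the peer's traffic, given the
    phase 1 outcome: 'negotiate' (Negotiate security), 'permit', or 'block'."""
    if action == "permit":
        return "pass in clear"      # no IKE happens at all; the PSK is never consulted
    if action == "block":
        return "drop"
    if action == "negotiate":
        return "pass inside ESP" if phase1["phase1"] else "drop"
    raise ValueError(action)


if __name__ == "__main__":
    good = main_mode_psk(b"S3cret!VPN", b"S3cret!VPN", "203.0.113.5", "198.51.100.20")
    bad = main_mode_psk(b"S3cret!VPN", b"typo", "203.0.113.5", "198.51.100.20")
    for name, result in (("matching PSK", good), ("mismatched PSK", bad)):
        print(name, result["reason"])
        for action in ("negotiate", "permit"):
            print("  filter action", action, "->", filter_action(action, result))
```

A client that has no IPsec at all (the Windows 98 machines in this thread) never sends message 1, so under Negotiate security it ends up in the same place as the mismatched-key case: dropped, unless the filter action's option to allow unsecured communication with non-IPsec-aware computers is turned on, which removes the protection the policy was meant to add. The server-side check the code models is what the "allow custom IPsec policy for L2TP" setting in RRAS enables; the client-side copy of the key is the one entered in the connectoid's IPsec settings.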



