Networking Forums

ip security policies on vista aren't evaluated

 
 
Marco Berizzi
02-26-2007, 10:44 AM
Hi everybody.
I have successfully built an ipsec policy
on Vista with the new 'netsh ipsec'. Here
is the command script:

netsh ipsec static delete all
netsh ipsec static add policy name=osw_policy description=osw mmpfs=yes assign=yes mmsecmethods=3des-md5-2
netsh ipsec static add filterlist name=from_me_to_you description=filter_list_for_osw_outbound
netsh ipsec static add filterlist name=from_you_to_me description=filter_list_for_osw_inbound
netsh ipsec static add filter filterlist=from_me_to_you description=from_me_to_you srcaddr=172.16.0.147 dstaddr=1.1.1.0 protocol=ANY mirrored=no srcmask=255.255.255.255 dstmask=255.255.254.0 srcport=0 dstport=0
netsh ipsec static add filter filterlist=from_you_to_me description=from_you_to_me srcaddr=1.1.1.0 dstaddr=172.16.0.147 protocol=ANY mirrored=no srcmask=255.255.254.0 dstmask=255.255.255.255 srcport=0 dstport=0
netsh ipsec static add filteraction name=osw_tunnel_filteraction description=quick_mode_policy qmpfs=yes inpass=no soft=no action=negotiate qmsecmethods=ESP[3DES,MD5]:50000k/3600s
netsh ipsec static add rule name=from_me_to_you description=osw_tunnel_rule_definition policy=osw_policy filterlist=from_me_to_you filteraction=osw_tunnel_filteraction tunnel=172.16.1.247 conntype=lan activate=yes kerberos=no rootca="C=YOU, bla bla bla "
netsh ipsec static add rule name=from_you_to_me description=osw_tunnel_rule_definition policy=osw_policy filterlist=from_you_to_me filteraction=osw_tunnel_filteraction tunnel=172.16.0.147 conntype=lan activate=yes kerberos=no rootca="C=YOU, bla bla bla"

When I try to ping from Vista (172.16.0.147)
to 1.1.1.10 (any ip inside the 1.1.1.0/23
class) I always get 'request timeout'. Vista
doesn't even try to establish the tunnel with
the 172.16.1.247 ipsec peer.
It's like Vista doesn't even evaluate these
ipsec policies.

Am I missing anything?
TIA

PS: This is a standard Vista enterprise
installation, firewall is also disabled.
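Added example (not from the thread, and not anything netsh itself provides): a small Python lint over the posted script, reflowed to one command per line with the rootca placeholder shortened, that checks the two things worth verifying before suspecting the policy agent: that a ping to 1.1.1.10 really is covered by the outbound filter, and that each tunnel rule's endpoint sits on the correct side (the peer 172.16.1.247 for outbound, the local address 172.16.0.147 from the ipconfig output for inbound) with the policy assigned. The parser assumes one `netsh ipsec static add` command per line.

```python
import ipaddress
import shlex
# Constructed one-command-per-line copy of the posted script (descriptions and rootca shortened).
SCRIPT = """\
netsh ipsec static add policy name=osw_policy mmpfs=yes assign=yes mmsecmethods=3des-md5-2
netsh ipsec static add filterlist name=from_me_to_you
netsh ipsec static add filterlist name=from_you_to_me
netsh ipsec static add filter filterlist=from_me_to_you srcaddr=172.16.0.147 srcmask=255.255.255.255 dstaddr=1.1.1.0 dstmask=255.255.254.0 protocol=ANY mirrored=no srcport=0 dstport=0
netsh ipsec static add filter filterlist=from_you_to_me srcaddr=1.1.1.0 srcmask=255.255.254.0 dstaddr=172.16.0.147 dstmask=255.255.255.255 protocol=ANY mirrored=no srcport=0 dstport=0
netsh ipsec static add filteraction name=osw_tunnel_filteraction qmpfs=yes inpass=no soft=no action=negotiate qmsecmethods=ESP[3DES,MD5]:50000k/3600s
netsh ipsec static add rule name=from_me_to_you policy=osw_policy filterlist=from_me_to_you filteraction=osw_tunnel_filteraction tunnel=172.16.1.247 conntype=lan activate=yes kerberos=no rootca="C=YOU"
netsh ipsec static add rule name=from_you_to_me policy=osw_policy filterlist=from_you_to_me filteraction=osw_tunnel_filteraction tunnel=172.16.0.147 conntype=lan activate=yes kerberos=no rootca="C=YOU"
"""

def parse(script):
    objs = {"policy": {}, "filterlist": {}, "filter": [], "filteraction": {}, "rule": {}}
    for words in map(shlex.split, script.splitlines()):
        if words[:4] != ["netsh", "ipsec", "static", "add"]:
            continue
        kv = dict(w.split("=", 1) for w in words[5:])
        if words[4] == "filter":  # filters carry no name, only the list they belong to
            objs["filter"].append(kv)
        else:
            objs[words[4]][kv["name"]] = kv
    return objs

def _net(f, side):  # filter address + mask as a network: 1.1.1.0/255.255.254.0 -> 1.1.0.0/23
    return ipaddress.ip_network(f"{f[side + 'addr']}/{f[side + 'mask']}", strict=False)
def filters_of(objs, rule):
    return [f for f in objs["filter"] if f["filterlist"] == rule["filterlist"]]

def matching_rules(objs, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return sorted(n for n, r in objs["rule"].items()
                  if any(src in _net(f, "src") and dst in _net(f, "dst") for f in filters_of(objs, r)))

def check(objs, local_ip):
    """Mismatches that leave a tunnel-mode policy unassigned or its tunnel never negotiated."""
    local_ip, problems = ipaddress.ip_address(local_ip), []
    for p in objs["policy"].values():
        if p.get("assign", "no").lower() != "yes":
            problems.append(f"policy {p['name']} is created but not assigned")
    for name, rule in objs["rule"].items():
        tunnel = ipaddress.ip_address(rule["tunnel"])
        for f in filters_of(objs, rule):
            if local_ip in _net(f, "src") and tunnel == local_ip:
                problems.append(f"outbound rule {name}: tunnel endpoint must be the peer, not {local_ip}")
            if local_ip in _net(f, "dst") and tunnel != local_ip:
                problems.append(f"inbound rule {name}: tunnel endpoint must be the local address {local_ip}")
    return problems
```

For the posted script both checks pass, so the silent "request timeout" is not explained by filter scope or tunnel-endpoint placement, which leaves whether the assigned policy is actually applied on the host as the next thing to verify.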



 
Robert L [MVP - Networking]
02-26-2007, 09:23 PM
Where does the Vista default gateway point to? Or post the result of ipconfig /all here.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Marco Berizzi
02-27-2007, 10:17 AM
"Robert L [MVP - Networking]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...

> Where does the Vista default gateway point to?


172.16.1.1

> Or post the result of
> ipconfig /all here.


Here it is:

Windows IP Configuration

Host Name . . . . . . . . . . . . : svista
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ve.bla.bla

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : ve.abla.bla
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-30-05-E2-3F-28
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::786d:9f6a:3ae7:eec5%8(Preferred)
IPv4 Address. . . . . . . . . . . : 172.16.0.147(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Lease Obtained. . . . . . . . . . : martedì 27 febbraio 2007 12.04.28
Lease Expires . . . . . . . . . . : martedì 27 febbraio 2007 13.04.28
Default Gateway . . . . . . . . . : 172.16.1.1
DHCP Server . . . . . . . . . . . : 172.16.1.16
DHCPv6 IAID . . . . . . . . . . . : 201338885
DNS Servers . . . . . . . . . . . : 172.16.1.16
                                    172.16.1.16
Primary WINS Server . . . . . . . : 172.16.1.16
Secondary WINS Server . . . . . . : 172.16.1.16
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 6:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 7:

Connection-specific DNS Suffix . : ve.bla.bla
Description . . . . . . . . . . . : isatap.ve.bla.bla
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5efe:172.16.0.147%10(Preferred)
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 172.16.1.16
                                    172.16.1.16
NetBIOS over Tcpip. . . . . . . . : Disabled
