Windows-Based VPNs


Microsoft Windows 2000, XP, and 2003 provide built-in support for IPSec VPN connectivity. The IPSec VPN implementation within the MS-Windows OS is based on the standard architecture described by IETF RFCs 2401 through 2409, thus allowing easy interoperability with various vendors. Netadmins can deploy a Windows machine as a VPN gateway to establish a site-to-site VPN with remote peers. The site-to-site VPN can use either IPSec with preshared keys (for small-scale deployment) or IPSec with a CA (for large-scale deployment). Furthermore, the remote peer can be a Cisco router, PIX Firewall, or VPN 3000 concentrator.

Table 10-10 lists the IPSec parameters supported by MS-Windows. Note that only Diffie-Hellman key exchange groups 1 and 2 are supported by Microsoft. An additional feature of the Windows OS is support for Microsoft Active Directory-based Kerberos authentication of the IPSec peer.

Table 10-10. MS-Windows IPSec Parameters

Parameter                                  Values
Phase 1 modes                              Main Mode
Phase 2 modes                              Quick Mode
Message encryption algorithm (phase 1)     DES, 3DES
Hash algorithm (phase 1)                   MD5, SHA-1
Authentication (phase 1)                   Preshared, digital certificates, Kerberos
Diffie-Hellman key exchange (phase 1)      D-H group 1, 2
IKE SA lifetime (phase 1)                  Seconds, kilobytes
Transform set (phase 2)                    AH-HMAC-MD5, AH-HMAC-SHA, ESP-3DES, ESP-DES
IPSec mode (phase 2)                       Tunnel, Transport
IPSec SA (phase 2)                         IKE
PFS (phase 2)                              Group 1, 2
ID of the peer (phase 2)                   IP address
IPSec SA lifetime (phase 2)                Kilobytes, seconds


Netadmins can leverage the Windows native IPSec support when deploying a site-to-site VPN, without paying for additional software. The following sections discuss VPN interoperability between MS-Windows and Cisco devices.

Note

MS-Windows has been the target of various network attacks. Additionally, Windows offers a plethora of features and services that can introduce additional vulnerabilities. To deploy a Windows-based VPN server that faces the Internet, always follow proper security recommendations and security best practices. Ensure that you do the following:

  • Apply the latest security patches and service packs.

  • Install antivirus and antispyware software with the latest definition updates.

  • Use long and complex passwords.

  • Uninstall or disable all unnecessary applications, such as Outlook Express, Internet Explorer, Media Player, and so on.

  • Download and run the Microsoft Baseline Security Analyzer (MBSA) to identify potential security vulnerabilities. MBSA also provides recommendations to address the vulnerabilities.


Windows/Cisco Interoperability

Consider the network scenario shown in Figure 10-14. The two remote sites are connected to each other using an IPSec VPN tunnel through the Internet. The VPN gateway in site A is an MS-Windows (2000/XP/2003) based IPSec peer. The gateway in site B can be a Cisco IOS, PIX Firewall, or VPN 3000 concentrator acting as the IPSec peer.

Figure 10-14. LAN-to-LAN VPN


Establishing the VPN tunnel between the two remote sites uses the following two steps:

1. Deploying IPSec on Windows

2. Deploying IPSec on Cisco devices

Deploying IPSec on Windows

Deploying an IPSec-based VPN on a Windows machine is a two-stage process. You first prepare the Windows machine according to certain prerequisites for its role as an IPSec-based VPN gateway. Next is the configuration of various IPSec parameters. After the IPSec server is configured and running, you can monitor the IPSec operation using built-in tools and utilities on the Windows machine.

Prerequisites

By default, Windows machines are not ready for their role as an IPSec VPN gateway. To configure a Windows machine as an IPSec server, certain prerequisites must be met. Following is a brief list of these requirements:

  • Service packs: Ensure that the latest service packs are installed on the IPSec server. Also note that unlike Windows XP and 2003, which are IPSec ready, Windows 2000 must be upgraded to at least Service Pack 2 to enable IPSec with 3DES.

  • Multihomed: The Windows machine should have two NICs, one connected to the inside LAN and the other facing the Internet.

  • IP routing: Ensure that IP routing is enabled on the Windows machine. By default, IP routing is disabled on Windows but is required to allow LAN traffic to be forwarded to the Internet. To enable IP routing, change the following Windows registry key value to 1:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter

  • Firewall: Host and network firewalls should allow UDP port 500 (IKE) and IP protocol 50 (ESP) to reach the Windows machine. If one of the AH transforms from Table 10-10 is used instead of ESP, IP protocol 51 (AH) must be allowed as well.

  • Network connectivity: Before setting up the VPN tunnel, the LAN hosts should have Internet connectivity. Additionally, local hosts must be configured to use the Windows machine as the router to access the remote LAN.

Caution

Although site-to-site VPNs ease the administrative burden on the Netadmin, they are a security risk, because the remote LAN users have full access to the local resources. Netadmins must always scrutinize the risks involved and ensure that the local resources are well protected through firewalls, intrusion detection systems (IDSs), and other access-control mechanisms.


Configuration

To configure a Windows IPSec VPN, follow these steps:

Step 1. Create an IPSec policy.

Step 2. Identify interesting traffic using the following filter lists:

  • Traffic from the local site to the remote site

  • Traffic from the remote site to the local site

Step 3. Configure phase 2 (IPSec) parameters using the following tunnel rules:

  • Local-to-remote tunnel

  • Remote-to-local tunnel

Step 4. Configure phase 1 (IKE) parameters.

Step 5. Assign the IPSec policy to the Windows gateway.

Each of these tasks must be carried out sequentially. All the steps are mandatory and must follow the order described in the following sections.

Step 1: Create an IPSec Policy

The steps used to create an IPSec policy on a Windows host are listed in Table 10-11.

Table 10-11. Creating an IPSec Policy

Step  Action
1     Choose Start > Run and enter secpol.msc to launch the IP Security Policy Management snap-in. (See Figure 10-15.)
2     Right-click IP Security Policies on Local Computer, and choose Create IP Security Policy.
3     Click the Next button, and enter a name for your policy (for example, windows-cisco-policy).
4     Deselect the Activate the default response rule check box, and then click the Next button.
5     Click the Finish button while the Edit check box is deselected.


Figure 10-15. Windows IP Security Policy Management Snap-In


Step 2: Identify Interesting Traffic Using Filter Lists

Windows IPSec policy uses filter lists to identify traffic flowing in each direction. Hence, two filters are created for every IPSec tunnel: one for traffic destined for the remote LAN and a second for the traffic from the remote LAN. This task is similar to the mirrored access list used in IOS or PIX to define interesting traffic.

The steps used to create filter lists for traffic flowing from site A to site B are listed in Table 10-12.

Table 10-12. Traffic Filter List Site A to B

Step  Action
1     In the left pane of the IP Security Policy Management snap-in window, click to select IP Security Policies on Local Computer. The right pane lists the policy created in the previous section (windows-cisco-policy).
2     Right-click windows-cisco-policy and select Properties to launch the Properties window.
3     In the windows-cisco-policy Properties window, deselect the Use Add Wizard check box, and then click the Add button to launch the New Rule Properties window. (See Figure 10-16.)
4     On the IP Filter List tab, click the Add button.
5     Type an appropriate name for the filter list (for example, windows-to-cisco), deselect the Use Add Wizard check box, and then click the Add button.
6     In the Source address area, choose A specific IP Subnet from the drop-down menu and fill in the IP Address and Subnet mask fields to reflect site A (192.168.10.0/255.255.255.0). (See Figure 10-17.)
7     In the Destination address area, choose A specific IP Subnet from the drop-down menu and fill in the IP Address and Subnet mask fields to reflect site B (192.168.20.0/255.255.255.0).
8     Deselect the Mirrored check box.
9     On the Protocol tab, make sure that the protocol type is set to Any.
10    To add a description for your filter, click the Description tab. Give the filter the same name that you used for the filter list; the filter name is displayed in the IPSec monitor when the tunnel is active. Click the OK button to return to the IP Filter List window.
11    Click the OK button to return to the New Rule Properties window. Do not close this window, because it is used in the next set of steps.


Figure 10-16. New Rule Properties Window


Figure 10-17. Filter Properties Window


The steps used to create filter lists for traffic flowing from site B to site A are listed in Table 10-13. The steps are similar to those discussed in the previous table, with one obvious exception: the source and destination addresses are reversed.

Table 10-13. Traffic Filter List Site B to A

Step  Action
1     In the New Rule Properties window (discussed in the previous table), select the IP Filter List tab and click the Add button.
2     Type an appropriate name for the filter list (for example, cisco-to-windows), deselect the Use Add Wizard check box, and click the Add button.
3     In the Source address area, choose A specific IP Subnet from the drop-down menu and fill in the IP Address and Subnet mask fields to reflect site B (192.168.20.0/255.255.255.0).
4     In the Destination address area, choose A specific IP Subnet from the drop-down menu and fill in the IP Address and Subnet mask fields to reflect site A (192.168.10.0/255.255.255.0).
5     Deselect the Mirrored check box.
6     To add a description for your filter, click the Description tab.
7     Click the OK button to return to the IP Filter List window, and then click the OK button to return to the New Rule Properties window. The IP Filter List tab now shows both new filters. (See Figure 10-18.)


Figure 10-18. New Rule Properties Window


Step 3: Configure Phase 2 Parameters

Windows uses tunnel rules to define the phase 2 (IPSec SA) parameters. Because each IPSec tunnel is described by two unique one-way SAs, two rules must be configured. This task is roughly equivalent to creating crypto maps and transform sets on Cisco devices.

The steps used to configure a rule for the site A to site B tunnel SA are listed in Table 10-14.

Table 10-14. Phase 2 Rules Site A to B

Step  Action
1     On the IP Filter List tab, select the windows-to-cisco filter list you created.
2     On the Tunnel Setting tab, select the The tunnel endpoint is specified by this IP Address check box and then type the public IP address of the Cisco device (200.1.1.1).
3     On the Connection Type tab, select the Local Area network (LAN) check box.
4     On the Filter Action tab, deselect the Use Add Wizard check box and then click the Add button to create a new filter action.
5     Keep the Negotiate security option selected and click the Add button. Select the Custom option and then click the Settings button to launch the Custom Security Method Settings window. (See Figure 10-19.) This window is used to define specific algorithms and session key lifetimes.
6     Deselect the Data and address integrity without encryption (AH) check box. Select the Data integrity and encryption (ESP) check box, choose MD5 as the integrity algorithm, and select 3DES as the encryption algorithm. In the Session key settings section, select only the Generate a new key every 3600 seconds check box and click the OK button. In the Modify Security Method window, click the OK button to return to the New Filter Action Properties window.
7     In the New Filter Action Properties window, select the Session key Perfect Forward Secrecy (PFS) check box. Also click to clear the Accept unsecured communication, but always respond using IPSec and the Allow unsecured communications with non-IPSec-aware computer options.
      On the General tab, type a name for the new filter action (for example, ESP-3DES-MD5) and then click the OK button.
8     Select the filter action you just created (ESP-3DES-MD5 in this example).
9     On the Authentication Methods tab, select Edit to launch the Edit Authentication Method Properties page. On that page, select the Use this string (preshared keys) option (radio button) and specify the preshared key (for example, cisco123); then click the OK button.
10    Click the Close button to return to the windows-cisco-policy Properties window.


Figure 10-19. Custom Security Method Settings Window


The steps used to configure a rule for the site B to site A tunnel SA are listed in Table 10-15.

Table 10-15. Phase 2 Rules Site B to A

Step  Action
1     In the windows-cisco-policy Properties window, click the Add button to create a new rule. This launches the New Rule Properties window.
2     On the IP Filter List tab, click the filter list that you created (cisco-to-windows).
3     On the Tunnel Setting tab, select the The tunnel endpoint is specified by this IP Address check box and then enter the public IP address of the local IPSec peer (99.1.1.1).
4     On the Connection Type tab, select the Local Area network (LAN) check box.
5     On the Filter Action tab, click the filter action that you created (ESP-3DES-MD5).
6     On the Authentication Methods tab, configure the same preshared key.
7     Click the OK button to return to the windows-cisco-policy Properties window. This window should show both rules that were created and configured during the previous steps. Also, ensure that both of these rules are selected, as shown in Figure 10-20. Do not close the windows-cisco-policy Properties window yet, because it is required to configure the phase 1 parameters.


Figure 10-20. Policy Properties Window


Step 4: Configure Phase 1 (IKE) Parameters

The IKE parameters for a Windows IPSec policy are configured through the General tab of the IPSec Policy Properties page. This task is similar to the crypto isakmp configuration for Cisco devices.

The steps used to configure the IKE parameters are listed in Table 10-16.

Table 10-16. Phase 1 Parameters

Step  Action
1     On the General tab of the windows-cisco-policy Properties window, set the Check for policy changes every field to 180 minutes.
2     Click the Advanced button, deselect the Master key PFS check box, and set the Authenticate and generate a new key after every field to 480 minutes.
3     Click the Methods button to launch the Key Exchange Security Methods window. In this window, at least one of the methods should be set to the MD5-3DES-Medium-(2) combination and should be given higher preference using the Move Up button. Click the OK button to return to the Key Exchange Settings window.
4     Click the OK button to save your changes and return to the IPSec Policy Properties page.


Step 5: Assign the IPSec Policy to the Windows Gateway

After the IPSec policy is configured, the policy should be assigned to the Windows VPN gateway. This task is similar to applying the crypto map on the interfaces of Cisco devices.

To assign the new policy, right-click the new policy (for example, windows-cisco-policy) in the IP Security Policy Management MMC snap-in and then click the Assign button. A green arrow appears in the folder icon next to the policy.

After the policy is assigned, the Windows machine is ready to act as a VPN gateway. Assuming that the remote peer is configured properly, the traffic between the two LANs will be protected by IPSec. A simple ping from one of the local hosts to a host in the remote LAN can verify the operation of the IPSec tunnel.

Monitoring and Troubleshooting

To monitor and troubleshoot IPSec service in Windows, the most popular options are as follows:

  • Windows Services console

  • IP Security Monitor

  • Windows Event Viewer

Services Console

For troubleshooting purposes, you might need to stop or restart IPSec services. Moreover, IPSec services must be restarted after making changes to the IPSec configuration. Stopping the IPSec services disables all the IPSec functionality and drops the existing IPSec sessions and tunnels. IPSec services are controlled through the Windows Services MMC snap-in console. The steps to restart IPSec services are as follows:

Step 1. Choose Start > Run on the Windows machine. In the Run window, enter services.msc and click the OK button. This launches the Windows Services console.

Step 2. In the Services console window, right-click IPSEC Services and select Restart. Note that in addition to the Restart option, the right-click menu also provides options to start or stop IPSec services.

IP Security Monitor

Windows provides built-in utilities for monitoring IPSec sessions. These tools provide details regarding the current phase 1 and phase 2 SAs that are established on the local Windows machine. The tools also provide IPSec and ISAKMP statistics that are helpful in troubleshooting IPSec issues.

Windows 2000 provides the ipsecmon.exe utility to monitor the live IPSec activities. To launch ipsecmon.exe, choose Start > Run, enter ipsecmon.exe, and click the OK button.

Windows XP and 2003 provide the IP Security Monitor console to monitor the current IPSec activities. Follow these steps to launch the IP Security Monitor console:

Step 1. Start the MMC console by choosing Start > Run, entering mmc, and clicking the OK button.

Step 2. Choose File > Add/Remove Snap-in to launch the Add/Remove Snap-in window. Click the Add button to launch the Add Standalone Snap-in window. Select IP Security Monitor, click the Add button, and then click the Close button to return to the Add/Remove Snap-in window. Click the OK button to return to the console window. The IP Security Monitor snap-in is now ready for monitoring IPSec operation.

When the IP Security Monitor console is open, you can monitor the IPSec sessions. In the left pane of the IP Security Monitor snap-in window, navigate to IP Security Monitor > Local-Hostname. (Local-Hostname is the host name assigned to the Windows computer that is acting as the IPSec VPN gateway.) Right-click Local-Hostname and select Statistics to view the summarized statistics for the current IPSec sessions, as shown in Figure 10-21. Of the various parameters listed in this window, the Bytes Sent In Tunnels and Bytes Received In Tunnels parameters are useful in identifying the operation of IPSec. A constantly incrementing value for each of these parameters indicates that VPN traffic is flowing through the IPSec peers as desired.

Figure 10-21. Windows IPSec Statistics


The IP Security Monitor console also displays the current Main Mode (phase 1) and Quick Mode (phase 2) details. To view the Main Mode SAs, navigate to Main Mode > Security Associations, as shown in Figure 10-22.

Figure 10-22. Windows IPSec Main Mode


The right pane shows the current Main Mode SAs. If the Main Mode negotiation between the IPSec peers fails, this window will be empty. Double-click the SA to view the details, as shown in Figure 10-23.

Figure 10-23. Windows IPSec Main Mode Details


Similarly, Figure 10-24 shows the details of an SA established in Quick Mode. The Quick Mode SAs are only displayed after the peers successfully negotiate phase 2.

Figure 10-24. Windows IPSec Quick Mode Statistics


Additionally, the details of both Main and Quick Mode SAs display the IP addresses of the local (source) and remote (destination) LANs. This information can verify that IPSec is indeed tunneling the traffic as configured.

Event Viewer

To have the IPSec service log IKE and IPSec negotiations in the Windows Event Viewer, use the Group Policy (Local Computer Policy) MMC snap-in by following these steps:

Step 1. Start the MMC console by choosing Start > Run, entering mmc, and clicking the OK button.

Step 2. Choose File > Add/Remove Snap-in to launch the Add/Remove Snap-in window. Click the Add button to launch the Add Standalone Snap-in window. Select Group Policy, click the Add button, and then click Finish. Click the Close button to return to the Add/Remove Snap-in window, and click the OK button to return to the console window.

Step 3. In the Console window, navigate to the following location:

Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Under the Audit Policy window, for both the Audit logon events and Audit policy changes options, enable the auditing of Success and Failure attempts.

Step 4. Restart the computer.

The IPSec logs can be viewed in the Security section of the Windows Event Viewer.

Caution

The IKE process creates a large number of audit logs. To disable IKE logs, create the following registry key and set its value to 1:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Audit\DisableIKEAudits


Deploying IPSec on Cisco Devices

The configurations for Cisco PIX Firewalls, IOS, and VPN concentrators are similar to those discussed in the section "Linux-Based VPNs," earlier in this chapter; the Diffie-Hellman group identifier is the only exception. Because MS-Windows only supports D-H groups 1 and 2, the configuration for Cisco devices should be modified to use D-H group 2 and PFS group 2.

The following are partial configurations for Cisco devices:

  • IOS-based IPSec VPN Refer to Example 10-18.

  • PIX-based IPSec VPN Refer to Example 10-19.

  • VPN 3000 based IPSec VPN Refer to Example 10-20.

Example 10-18. IOS Partial Configuration for IPSec

    Cisco-rtr#show running-config
    ! Phase 1 configuration
    crypto isakmp policy 3
     encr 3des
     hash md5
     authentication pre-share
     ! MS-Windows only supports DH group 1 & 2
     group 2
    crypto isakmp key cisco123 address 99.1.1.1
    ! Phase 2 configuration
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    !
    crypto map vpn 30 ipsec-isakmp
     set peer 99.1.1.1
     set transform-set myset
     ! MS-Windows only supports DH group 1 & 2
     set pfs group2
     ! Must reference the interesting-traffic ACL defined below
     match address 101
    !
    interface Ethernet0/0
     ip address 192.168.20.1 255.255.255.0
    !
    interface Serial0/0
     ip address 200.1.1.1 255.255.255.252
     crypto map vpn
    !
    ip route 0.0.0.0 0.0.0.0 200.1.1.2
    !
    access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
    !
    end

Example 10-19. PIX Partial Configuration for IPSec

    PIX-FW# show running-config
    hostname PIX-FW
    domain-name VPNtest.com
    access-list 101 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list 102 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
    ip address outside 200.1.1.1 255.255.255.0
    ip address inside 192.168.20.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list 102
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    ! access-list 120 (outside interface ACL) is not shown in this partial configuration
    access-group 120 in interface outside
    route outside 0.0.0.0 0.0.0.0 200.1.1.2 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    !
    crypto map mymap 10 ipsec-isakmp
    crypto map mymap 10 match address 101
    ! MS-Windows only supports DH group 1 and 2
    crypto map mymap 10 set pfs group2
    crypto map mymap 10 set peer 99.1.1.1
    crypto map mymap 10 set transform-set myset
    crypto map mymap interface outside
    ! Define IKE parameters
    !
    isakmp enable outside
    isakmp key ******** address 99.1.1.1 netmask 255.255.255.255
    isakmp identity address
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    ! MS-Windows only supports DH group 1 and 2
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    : end

Example 10-20. VPN 3000 Partial Configuration for IPSec

    IKE proposal: Configuration > Tunneling and Security > IPSec > IKE Proposals > Add
      Proposal Name = Proposal-1
      Authentication Mode = Preshared Keys
      Authentication Algorithm = MD5/HMAC-128
      Encryption Algorithm = 3DES-168
      ! Windows supports Diffie-Hellman group 2
      Diffie Hellman Group = Group 2 (1024-bits)
      Lifetime Measurement = Time
      Data Lifetime = 10000
      Time Lifetime = 86400

    Define the LAN-to-LAN tunnel: Configuration > Tunneling and Security > IPSec > LAN-to-LAN > Add
      Enabled = checked
      Name = new-vpn
      Interface = Ethernet 2 (Public) (200.1.1.1)
      Connection Type = Bi-directional
      Peer = 99.1.1.1
      Digital Certs = none (Use Pre-shared Keys)
      Pre-shared key = cisco123
      Authentication = ESP/MD5/HMAC-128
      Encryption = 3DES-168
      IKE Proposal = Proposal-1
      Filter = --None--
      IPSec NAT-T = unchecked
      Bandwidth Policy = --None--
      Routing = --None--
      ! Local Network
      Network List = Use IP Address/Wildcard-mask below
      IP Address = 192.168.20.0
      Wildcard Mask = 0.0.0.255
      ! Remote Network
      Network List = Use IP Address/Wildcard-mask below
      IP Address = 192.168.10.0
      Wildcard Mask = 0.0.0.255

    Security Association: Configuration > Policy Management > Traffic Management > SAs > L2L:new-vpn > Modify
      SA Name = L2L: new-vpn
      Inheritance = From Rule
      ! IPSec Parameters
      Authentication Algorithm = ESP/MD5/HMAC-128
      Encryption Algorithm = 3DES-168
      Encapsulation Mode = Tunnel
      ! Windows supports Diffie-Hellman group 2
      PFS = Group2 (1024-bits)
      Lifetime Measurement = Time
      Data Lifetime = 10000
      Time Lifetime = 28800
      ! IKE Parameters
      Connection Type = Bidirectional
      IKE Peer = 99.1.1.1
      Negotiation Mode = Main
      Digital Certificate = None (Use Preshared Keys)
      Certificate Transmission = Identity certificate only
      IKE Proposal = Proposal-1
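The Cisco-side settings that most often break interoperability with the Windows peer (a Diffie-Hellman group other than 1 or 2, a PFS setting that does not match the Windows filter action, or a crypto map whose match address names an ACL that was never defined) can be caught before the tunnel is brought up. The following checker is an added example, not code from the book: it reads an IOS or PIX partial configuration and reports those mismatches, using the Table 10-10 limits; the function and constant names, and the sample fragments (modelled on Examples 10-18 and 10-19), are constructed here.

```python
"""Lint a Cisco IOS or PIX IPSec partial configuration against the limits of
an MS-Windows IPSec peer (Table 10-10: DH group 1 or 2, DES/3DES with MD5/SHA
transforms) and two interop slips a reviewer would otherwise catch by eye:
a crypto map 'match address' naming an undefined ACL, and a PFS mismatch."""
import re

WINDOWS_DH_GROUPS = {"1", "2"}
WINDOWS_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac",
                      "ah-md5-hmac", "ah-sha-hmac"}

# Each pattern accepts the IOS form ("group 2" indented under a block) and
# the PIX form that repeats the block prefix ("isakmp policy 10 group 2").
RX = {
    "acl":   re.compile(r"^access-list (\S+) (?:permit|deny) "),
    "match": re.compile(r"^(?:crypto map \S+ \d+ )?match address (\S+)$"),
    "pfs":   re.compile(r"^(?:crypto map \S+ \d+ )?set pfs group(\d+)$"),
    "group": re.compile(r"^(?:isakmp policy \d+ )?group (\d+)$"),
    "xform": re.compile(r"^crypto ipsec transform-set \S+ (.+)$"),
}

def check_windows_interop(config, windows_pfs=True):
    """Return a list of findings; an empty list means nothing was flagged.
    windows_pfs mirrors the 'Session key Perfect Forward Secrecy' check box
    on the Windows filter action (Table 10-14, step 7)."""
    seen = {key: [] for key in RX}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue  # IOS/PIX comment and separator lines
        for key, rx in RX.items():
            m = rx.match(line)
            if m:
                seen[key].append(m.group(1))
    findings = []
    for g in seen["group"]:
        if g not in WINDOWS_DH_GROUPS:
            findings.append(f"ISAKMP policy uses DH group {g}; Windows offers only 1 or 2")
    for spec in seen["xform"]:
        bad = [t for t in spec.split() if t.lower() not in WINDOWS_TRANSFORMS]
        if bad:
            findings.append("transform-set uses transforms Windows lacks: " + " ".join(bad))
    acls = set(seen["acl"])
    for ref in seen["match"]:
        if ref not in acls:
            findings.append(f"crypto map matches access-list {ref}, defined: {sorted(acls)}")
    if windows_pfs and not seen["pfs"]:
        findings.append("Windows rule negotiates PFS but the crypto map has no 'set pfs group2'")
    for g in seen["pfs"]:
        if g not in WINDOWS_DH_GROUPS:
            findings.append(f"PFS group {g} is not offered by Windows; use group2")
    return findings


# Constructed IOS fragment modelled on Example 10-18, deliberately carrying two
# slips: the crypto map points at ACL 100 while ACL 101 is defined, and the
# 'set pfs' line is commented out.
IOS_BROKEN = """\
crypto isakmp policy 3
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map vpn 30 ipsec-isakmp
 set peer 99.1.1.1
 set transform-set myset
 ! set pfs group2
 match address 100
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
IOS_FIXED = (IOS_BROKEN.replace(" ! set pfs group2", " set pfs group2")
                       .replace("match address 100", "match address 101"))

# Constructed PIX-style fragment that picks DH group 5 in both phases.
PIX_GROUP5 = """\
access-list 101 permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map mymap 10 match address 101
crypto map mymap 10 set pfs group5
isakmp policy 10 group 5
"""
```

Running check_windows_interop over the output of show running-config from the Cisco peer, with windows_pfs set to whatever the Windows filter action uses, gives an empty list when the two sides agree on the points above.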



Network Administrators Survival Guide
ISBN: 1587052113
Year: 2006
Pages: 106