IPsec port configuration example. CPX to Win2000/XP.

Manual mode
IKE mode
    Transport (host-to-host)
    Transport (host-to-2 anonymous hosts)
    Tunnel (gateway-to-gateway)

Manual mode

Manual mode is not supported by Windows2000/XP.

IKE mode

The MODE parameter of the IPsec driver must be set to IKE:

[21:14:29] CPX:d p po:ipsec

PO:920 
IPSEC  ------------------------------------------------------------------------
       LOG:DS         ACT:YES    MODE:IKE     mxps:2048   IN-CHK:YES  TTL:0
       ECN:FORBIDDEN  DF:CLEAR
The IKE port must be activated (set the ACT parameter to YES):

[21:14:32] CPX:d p po:ike

PO:921 ------------------------------------------------------------------------
IKE    LOG:DS       lowpo:902       ACT:YES       mxps:2048   NRTY:3    TB:10
       WDIR:C:\APP\IKE\
       NATT:NO      NATT-N-IKE:YES  NATT-PF:YES  NATT-KA:20

For all examples, set the Win2k/XP authentication method to pre-shared key (PSK):

Figures 1, 2. Win2k/XP PSK method settings.

IKE mode. Transport (host-to-host)

Figure 3. Host-to-host layout.


CPX (host) has IP interface 0 with 192.168.2.1 IP address.
Win2k/XP (host) has IP interface with 192.168.2.2 IP address.

CPX can initiate the IPsec connection negotiation.

CPX.

IKE host connections table:
[21:30:22] CPX:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX-to-Win2k/XP                  192.168.002.001      1       3
      3DES      PSK   MD5   MODP1024   192.168.002.002      AUTO    3600
      IP              192.168.002.001
      IP              192.168.002.002
-------------------------------------------------------------------------------
IKE client connections table:
[21:30:58] CPX:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX-to-Win2k/XP                  0        IPSEC        28800         NO
     YES  DES         SHA             NO       NO           192.168.002.001/32
     NO               MD5                      NO           192.168.002.002/32
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       YES          000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------
IKE PSK table:
[21:30:19] CPX_1:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        192.168.002.2

Win2k/XP.

Reset the tunnel settings (transport mode):

Figure 4. Win2k/XP tunnel settings: transport.

Set IP filter properties:

Figure 5. Win2k/XP transport IP filter.

Set ISAKMP settings:

Figures 6-8. Win2k/XP ISAKMP settings: MD5, 3DES, DH-1024 (Medium 2).

Set IPsec settings:

Figures 9-11. Win2k/XP IPsec settings: ESP (DES, SHA-1), PFS is disabled.


IKE mode. Transport (host-to-2 anonymous hosts)

Figure 12. Host-to-2 anonymous hosts layout.

CPX is in PASSIVE mode (it acts as the IPsec server and waits for the clients to initiate).

CPX.

IKE host connections table:
[21:30:22] CPX:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX-to-Win2k/XP_1                192.168.002.001      1       3
      3DES      PSK   MD5   MODP1024   *                    AUTO    3600
      IP              192.168.002.001
      FQDN                             konstt
-------------------------------------------------------------------------------
1     CPX-to-Win2k/XP_2                192.168.002.001      1       3
      3DES      PSK   MD5   MODP1024   *                    AUTO    3600
      IP              192.168.002.001
      FQDN                             castagna   
-------------------------------------------------------------------------------
IKE client connections table:
[21:30:58] CPX:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX-to-Win2k/XP_1                0        IPSEC        28800         YES
     YES  3DES        SHA             YES      NO           192.168.002.001/32
     YES              MD5                      NO           192.168.002.002/32
-------------------------------------------------------------------------------
1    CPX-to-Win2k/XP_2                1        IPSEC        28800         YES
     YES  3DES        SHA             YES      NO           192.168.002.001/32
     YES              MD5                      NO           192.168.002.002/32
-------------------------------------------------------------------------------
2    Drop                             NONE     DROP         28800         NO
     NO   DES         SHA             NO       NO           000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------
IKE PSK table (both anonymous clients share the same PSK):
[21:30:19] CPX:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** ANONYMOUS

Win2k/XP 1, 2.

Set IP filter properties:

Figure 13. Win2k/XP transport IP filter.

Set IPsec settings:

Figures 14, 15. Win2k/XP IPsec settings: ESP (3DES, SHA-1) + AH (MD5), PFS is enabled.


IKE mode. Tunnel (gateway-to-gateway)

Figure 16. Gateway-to-gateway layout.

CPX can initiate the IPsec connection negotiation.

CPX.

IKE host connections table:
[21:30:22] CPX:d ike host

-------------------------------------------------------------------------------
HOST: NAME:                            LOC-IP:              IPP:    KEY-TRIES:
      CIPHER:   AUTH: HASH: DH:        REM-IP:              SIDE:   LIFE-TIME:
      ID-TYPE:        IP:              FQDN:
      PEER-ID-TYPE:   PEER-IP:         PEER-FQDN:
-------------------------------------------------------------------------------
0     CPX-to-Win2k/XP                  083.149.000.035      1       3
      3DES      PSK   MD5   MODP1024   213.206.129.060      AUTO    3600
      IP              083.149.000.035
      IP              213.206.129.060
-------------------------------------------------------------------------------
IKE client connections table:
[21:30:58] CPX:d ike cli

-------------------------------------------------------------------------------
CLI: NAME:                            HOST-ID: RULE:        LIFE-TIME:    PFS:
     ESP: ESP-CIPHER: ESP-AUTH:       PASSIVE: PERMANENT:   NET-SRC:
     AH:              AH-AUTH:                 TUNNEL:      NET-DST:
-------------------------------------------------------------------------------
0    CPX-to-Win2k/XP                  0        IPSEC        28800         YES
     YES  DES         MD5             NO       NO           192.168.001.000/24
     NO               MD5                      YES          192.168.003.000/24
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         YES
     NO   DES         SHA             NO       NO           000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
-------------------------------------------------------------------------------
IKE PSK table:
[21:30:19] CPX:d ike psk

-------------------------------------------------------------------------------
PSK: KEY:     ID-TYPE:  IP:             FQDN:
-------------------------------------------------------------------------------
0    ******** IP        213.206.129.060
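The three CPX dumps on this page share one table layout, so the settings can be reviewed mechanically. The following example is added here and is not CPX code: it parses "d ike host" and "d ike cli" output into records and flags the settings a security review would question (DES, MD5, the 1024-bit DH group, PFS off, and anonymous hosts that accept any peer address). The sample input is the gateway-to-gateway dump above with the table headers omitted; the parser assumes connection names contain no spaces.

```python
import re
# Constructed sample: the CPX record blocks of this page's gateway-to-gateway
# example (headers omitted; a header block is skipped anyway, its first token
# is not a record index).
HOST_DUMP = """\
0     CPX-to-Win2k/XP                  083.149.000.035      1       3
      3DES      PSK   MD5   MODP1024   213.206.129.060      AUTO    3600
      IP              083.149.000.035
      IP              213.206.129.060
"""
CLI_DUMP = """\
0    CPX-to-Win2k/XP                  0        IPSEC        28800         YES
     YES  DES         MD5             NO       NO           192.168.001.000/24
     NO               MD5                      YES          192.168.003.000/24
-------------------------------------------------------------------------------
1    Drop                             NONE     DROP         28800         YES
     NO   DES         SHA             NO       NO           000.000.000.000/0
     NO               MD5                      NO           000.000.000.000/0
"""
WEAK = {"DES": "56-bit DES", "MD5": "MD5", "MODP1024": "1024-bit DH group"}

def records(dump):   # split at the dashed separators; yield each record as token rows
    for block in re.split(r"^-{10,}\s*$", dump, flags=re.M):
        rows = [ln.split() for ln in block.splitlines() if ln.strip()]
        if rows and rows[0][0].isdigit():      # header and empty blocks are skipped
            yield rows

def parse_host(dump):   # row0: HOST NAME LOC-IP IPP KEY-TRIES / row1: CIPHER AUTH HASH DH REM-IP SIDE LIFE-TIME
    return [{"name": r[0][1], "cipher": r[1][0], "auth": r[1][1], "hash": r[1][2],
             "dh": r[1][3], "rem_ip": r[1][4]} for r in records(dump)]

def parse_cli(dump):    # row0: CLI NAME HOST-ID RULE LIFE-TIME PFS / row1: ESP ESP-CIPHER ESP-AUTH PASSIVE PERMANENT NET-SRC / row2: AH AH-AUTH TUNNEL NET-DST
    return [{"name": r[0][1], "rule": r[0][3], "pfs": r[0][5], "esp": r[1][0], "esp_cipher": r[1][1],
             "esp_auth": r[1][2], "ah": r[2][0], "ah_auth": r[2][1], "tunnel": r[2][2], "src": r[1][5],
             "dst": r[2][3]} for r in records(dump)]

def audit(host_dump, cli_dump):   # "entry: issue" strings for settings a reviewer would flag
    out = []
    for h in parse_host(host_dump):
        out += [f"host {h['name']}: IKE uses {WEAK[v]}" for v in (h["cipher"], h["hash"], h["dh"]) if v in WEAK]
        if h["rem_ip"] == "*":                 # anonymous host: any peer address is accepted
            out.append(f"host {h['name']}: accepts any peer address (anonymous host)")
    for c in parse_cli(cli_dump):
        if c["rule"] != "IPSEC":               # DROP rules carry placeholder algorithms
            continue
        if c["pfs"] != "YES":
            out.append(f"cli {c['name']}: PFS disabled")
        used = [("ESP", c["esp_cipher"]), ("ESP", c["esp_auth"])] * (c["esp"] == "YES")
        used += [("AH", c["ah_auth"])] * (c["ah"] == "YES")
        out += [f"cli {c['name']}: {p} uses {WEAK[v]}" for p, v in used if v in WEAK]
    return out
```

Running audit(HOST_DUMP, CLI_DUMP) against the tunnel example reports MD5 and MODP1024 for the IKE host entry and DES plus MD5 for the ESP client entry, while the Drop rule is ignored.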

Win2k/XP.

For tunnel mode you must add two IP filter records (inbound and outbound). For each filter record, set the tunnel settings (the tunnel endpoints):

"outbound" policy:

"inbound" policy:

Figures 17, 18. Win2k/XP tunnel settings: tunnels.

For each filter record, set the IP filter properties:

"outbound" policy:

"inbound" policy:

Figures 19, 20. Win2k/XP tunnel IP filters.
