IPSec policy

alice

Feb 22, 2004
Archived from groups: microsoft.public.win2000.security

I need to create an IPSec policy to allow a W2kPro domain
computer to communicate securely with a non-domain
W2kServer. It must communicate normally with all other
domain computers.
I have created a policy within AD U&C for the Pro computer
and I have created an identical local policy on the non-
domain server. Both are assigned. When I ping the server
from the pro station, the ping is normal and I have no
activity in the IPSec Monitor on either the DC or the non-
domain server. What am I missing?
 
Guest

Hi Alice,

I am not sure what your IPSec configuration is, but by default ping (ICMP) is
not in the default IPSec policy. Only IP protocol is. Try some other protocol.

What is your method of authentication between DCs and non-domain computers?

Mike

"Alice" <anonymous@discussions.microsoft.com> wrote in message
news:158001c47be0$569a4ca0$a301280a@phx.gbl...
> I need to create an IPSec policy to allow a W2kPro domain
> computer to communicate securely with a non-domain
> W2kServer. It must communicate normally with all other
> domain computers.
> I have created a policy within AD U&C for the Pro computer
> and I have created an identical local policy on the non-
> domain server. Both are assigned. When I ping the server
> from the pro station, the ping is normal and I have no
> activity in the IPSec Monitor on either the DC or the non-
> domain server. What am I missing?
 

alice

Thanks for the response Mike,

The non-domain computer has no knowledge of any domain
resources except via IP.

For testing I am using a shared key.

I changed the protocol from TCP to Any and the ping test
worked, plus I saw activity in IPSec Monitor.

I also ran Netdiag /test:ipsec on both machines and they
are pulling the policy.

Is there anything else I can do to prove the policies are
working correctly?

Thanks!

>-----Original Message-----
>Hi Alice,
>
>I am not sure what your IPSec configuration is, but by default ping (ICMP) is
>not in the default IPSec policy. Only IP protocol is. Try some other protocol.
>
>What is your method of authentication between DCs and non-domain computers?
>
>Mike
>
>"Alice" <anonymous@discussions.microsoft.com> wrote in message
>news:158001c47be0$569a4ca0$a301280a@phx.gbl...
>> I need to create an IPSec policy to allow a W2kPro domain
>> computer to communicate securely with a non-domain
>> W2kServer. It must communicate normally with all other
>> domain computers.
>> I have created a policy within AD U&C for the Pro computer
>> and I have created an identical local policy on the non-
>> domain server. Both are assigned. When I ping the server
>> from the pro station, the ping is normal and I have no
>> activity in the IPSec Monitor on either the DC or the non-
>> domain server. What am I missing?
 
Guest

Alice,

The only other thing you can do to "prove" it is to sniff the traffic...

My advice: use certificates for authentication. If this is not possible, use a
very long ... shared key (pass phrase)...

Mike

"Alice" <anonymous@discussions.microsoft.com> wrote in message
news:165401c47bee$0a45dc80$a301280a@phx.gbl...
> Thanks for the response Mike,
>
> The non-domain computer has no knowledge of any domain
> resources except via IP.
>
> For testing I am using a shared key.
>
> I changed the protocol from TCP to Any and the ping test
> worked, plus I saw activity in IPSec Monitor.
>
> I also ran Netdiag /test:ipsec on both machines and they
> are pulling the policy.
>
> Is there anything else I can do to prove the policies are
> working correctly?
>
> Thanks!
>
> >-----Original Message-----
> >Hi Alice,
> >
> >I am not sure what your IPSec configuration is, but by default ping (ICMP) is
> >not in the default IPSec policy. Only IP protocol is. Try some other protocol.
> >
> >What is your method of authentication between DCs and non-domain computers?
> >
> >Mike
> >
> >"Alice" <anonymous@discussions.microsoft.com> wrote in message
> >news:158001c47be0$569a4ca0$a301280a@phx.gbl...
> >> I need to create an IPSec policy to allow a W2kPro domain
> >> computer to communicate securely with a non-domain
> >> W2kServer. It must communicate normally with all other
> >> domain computers.
> >> I have created a policy within AD U&C for the Pro computer
> >> and I have created an identical local policy on the non-
> >> domain server. Both are assigned. When I ping the server
> >> from the pro station, the ping is normal and I have no
> >> activity in the IPSec Monitor on either the DC or the non-
> >> domain server. What am I missing?
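Added example, not part of the thread: the "sniff the traffic" check Mike suggests, done offline in Python over raw IPv4 packets. It covers both points raised above: why a TCP-only filter list leaves ping looking "normal" (the ICMP echo and reply cross in the clear, so the monitor shows nothing), and what a capture should look like once the filter is "Any" (everything between the two hosts is ESP or AH, with only the IKE negotiation on UDP/500 visible, since IKE is exempt from the filter). The addresses (10.0.0.10 for the Pro station, 10.0.0.20 for the non-domain server, 10.0.0.5 for a DC), the SPIs and both captures are constructed for the example; `build_ipv4`, `audit` and the other names are this example's own.

```python
"""Offline check of a capture between two hosts covered by an IPsec policy.

Everything between the two endpoints must be ESP (50) or AH (51), apart from
the IKE negotiation itself (UDP/500), which the policy exempts. Traffic to any
other host is ignored: the policy must not touch the rest of the domain.
Addresses, SPIs and the captures below are constructed for this example.
"""
import struct
from collections import Counter

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 1, 6, 17, 50, 51
PROTO_NAME = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
IKE_PORT = 500


def _ip2b(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Minimal IPv4 packet: 20-byte header (checksum left 0) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, _ip2b(src), _ip2b(dst))
    return header + payload


def build_udp(sport: int, dport: int, data: bytes = b"") -> bytes:
    """UDP header (checksum 0) plus data; used for the IKE packets."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload) from a raw IPv4 packet, no link layer."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return src, dst, proto, pkt[ihl:]


def audit(packets, host_a: str, host_b: str) -> dict:
    """Classify traffic between host_a and host_b as protected or cleartext.

    Returns per-protocol counts, the cleartext packets seen, and a verdict.
    """
    pair = {host_a, host_b}
    counts = Counter()
    cleartext = []
    for pkt in packets:
        src, dst, proto, payload = parse_ipv4(pkt)
        if {src, dst} != pair:
            continue  # other domain traffic is out of scope for this policy
        if proto == PROTO_UDP and len(payload) >= 4:
            sport, dport = struct.unpack("!HH", payload[:4])
            if IKE_PORT in (sport, dport):
                counts["IKE"] += 1  # key exchange is exempt; it must appear in the clear
                continue
        name = PROTO_NAME.get(proto, str(proto))
        counts[name] += 1
        if proto not in (PROTO_ESP, PROTO_AH):
            cleartext.append((src, dst, name))
    return {"counts": dict(counts), "cleartext": cleartext, "protected": not cleartext}


PRO, SERVER, DC = "10.0.0.10", "10.0.0.20", "10.0.0.5"  # constructed addresses

# Constructed capture 1: filter list covers TCP only. The ping is answered, but
# in the clear, which is why the monitor shows nothing. TCP rides inside ESP.
CAPTURE_TCP_ONLY = [
    build_ipv4(PRO, SERVER, PROTO_ICMP, b"\x08\x00" + b"\x00" * 6),          # echo request
    build_ipv4(SERVER, PRO, PROTO_ICMP, b"\x00\x00" + b"\x00" * 6),          # echo reply
    build_ipv4(PRO, SERVER, PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),   # IKE main mode
    build_ipv4(SERVER, PRO, PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    build_ipv4(PRO, SERVER, PROTO_ESP, b"\x00\x00\x10\x01" + b"\x11" * 32),  # SPI + ciphertext
    build_ipv4(SERVER, PRO, PROTO_ESP, b"\x00\x00\x10\x02" + b"\x22" * 32),
    build_ipv4(PRO, DC, PROTO_TCP, b"\x00" * 20),                            # DC traffic, unaffected
]

# Constructed capture 2: filter changed to "Any". Echo request and reply are
# now inside ESP; only IKE and the out-of-scope DC packet are visible.
CAPTURE_ANY = [
    build_ipv4(PRO, SERVER, PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    build_ipv4(SERVER, PRO, PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    build_ipv4(PRO, SERVER, PROTO_ESP, b"\x00\x00\x20\x01" + b"\x33" * 40),  # ping inside ESP
    build_ipv4(SERVER, PRO, PROTO_ESP, b"\x00\x00\x20\x02" + b"\x44" * 40),
    build_ipv4(PRO, DC, PROTO_TCP, b"\x00" * 20),
]

if __name__ == "__main__":
    for label, cap in (("TCP-only filter", CAPTURE_TCP_ONLY), ("Any filter", CAPTURE_ANY)):
        r = audit(cap, PRO, SERVER)
        print(label, "->", "PROTECTED" if r["protected"] else "CLEARTEXT SEEN", r["counts"])
        for src, dst, name in r["cleartext"]:
            print("  cleartext", name, src, "->", dst)
```

To use this against a real capture, strip the link-layer header from each frame before passing it to `audit` (14 bytes for Ethernet) and feed only the raw IPv4 packets. A result of `protected: False` with ICMP or TCP in the cleartext list means the filter list does not cover that protocol; ESP between the pair together with only IKE in the clear is the evidence that the policy is being applied.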