info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Problem with IPSEC
1 view
Skip to first unread message
Greg O
Jul 17, 2006, 10:53:52 AM7/17/06
to
Hi,
I use IPSEC to control internet access on a domain. I block port 80 for
browsers and ports 8080 and 3128 for most internet proxies. I also
block all UDP since most internet games will run on UDP even with all
TCP blocked. I want to allow individual web sites into the domain
though. In IPSEC there is a setting for a particular domain, if you try
it with say nytimes.com it looks up DNS and makes filters with each of
the IP addresses listed there. IPSEC I think is supposed to work so
that more specific filters (like allowing a web site) override more
general filters (like blocking port 80. So allowing the IP addresses of
nytimes.com should make it work, but it is still filtered by IPSEC. I
know that's the problem because if I list the port 80 block the
nytimes.com site starts working. Is this a big in IPSEC? Also is there
another way to do this without IPSEC, I see that network adaptor
filters and RRAS filters don't seem to have the settings for this.
I use IPSEC to control internet access on a domain. I block port 80 for
browsers and ports 8080 and 3128 for most internet proxies. I also
block all UDP since most internet games will run on UDP even with all
TCP blocked. I want to allow individual web sites into the domain
though. In IPSEC there is a setting for a particular domain, if you try
it with say nytimes.com it looks up DNS and makes filters with each of
the IP addresses listed there. IPSEC I think is supposed to work so
that more specific filters (like allowing a web site) override more
general filters (like blocking port 80. So allowing the IP addresses of
nytimes.com should make it work, but it is still filtered by IPSEC. I
know that's the problem because if I list the port 80 block the
nytimes.com site starts working. Is this a big in IPSEC? Also is there
another way to do this without IPSEC, I see that network adaptor
filters and RRAS filters don't seem to have the settings for this.
Steven L Umbach
Jul 17, 2006, 1:02:54 PM7/17/06
to
No it is not a bug in ipsec. Many websites, especially the larger volume
websites use multiple websites links/IP addresses. What you want to do may
work if you are trying to allow a simple website that uses a singe or a
couple IP address. You can see what I mean if you use something like
Ethereal while connecting connect to a website. Also when you enter a DNS
name it will resolve to the IP addresses it currently finds to create the
filter. However I have seen many large websites then seem to use dozens of
IP addresses for their main website that seem to change frequently time you
access them. You can sometimes see this when use nslookup to resolve a
domain name and try it a couple of times. A better solution would be to use
something like ISA 2004 to restrict access though that is not a trivial
investment in software/licenses and configuration time. Otherwise try using
a packet sniffer like Ethereal to see if you can track down all necessary
IPs needed to allow the website to work though again that will not work if
the website starts resolving to different IPs not included in the filter
list. TDImon fee from SysInternals can also give you an idea of IPs and
ports/protocols the operating system accesses when connecting to a website
and it does not need to be installed as an application.
websites use multiple websites links/IP addresses. What you want to do may
work if you are trying to allow a simple website that uses a singe or a
couple IP address. You can see what I mean if you use something like
Ethereal while connecting connect to a website. Also when you enter a DNS
name it will resolve to the IP addresses it currently finds to create the
filter. However I have seen many large websites then seem to use dozens of
IP addresses for their main website that seem to change frequently time you
access them. You can sometimes see this when use nslookup to resolve a
domain name and try it a couple of times. A better solution would be to use
something like ISA 2004 to restrict access though that is not a trivial
investment in software/licenses and configuration time. Otherwise try using
a packet sniffer like Ethereal to see if you can track down all necessary
IPs needed to allow the website to work though again that will not work if
the website starts resolving to different IPs not included in the filter
list. TDImon fee from SysInternals can also give you an idea of IPs and
ports/protocols the operating system accesses when connecting to a website
and it does not need to be installed as an application.
Steve
"Greg O" <greg...@gmail.com> wrote in message
news:1153148032.4...@m73g2000cwd.googlegroups.com...
Greg O
Jul 17, 2006, 10:12:06 PM7/17/06
to
Hi Steve,
The IP addresses IPSEC sets up are correct. I can check that by
using those addresses directly in the address bar of the browser, e.g.
instead of www.nytimes.com I put the IP address IPSEC added to the
allow filter and the page opens. So the IP addresses IPSEC find (it
does a DNS search for them) are sufficient to open the web pages. Also
it is necessary to allow DNS servers in IPSEC so you can put
"www.nytimes.com" in the address bar and the DNS server will return the
IP address for it. This part works, the DNS server of my ISP returns an
IP address in the IPSEC allow list, but still it doesn't allow the
packets through for the IP address itself.
The feature in IPSEC is very useful if it works because people can
give a list of web sites they want to visit, and no other web sites are
allowed. So this list of web sites might be added to group policy and
this is quite secure if those sites are safe. The allow function works
well for internal use. For example I can use a filter to block all TCP
and UDP traffic, and then allow all TCP traffic from a first subnet to
a second subnet (both internal). This works, and the traffic in the
internal subnets is allowed, and outside those subnets is completely
blocked. But if I do the same thing, allow all traffic from a first
internal subnet to an external IP address (even allowing all ports from
that address) IPSEC doesn't allow it. I'm only using RRAS for a
firewall and if I turn off the IPSEC blocking of all TCP the internet
all works.
The IP addresses IPSEC sets up are correct. I can check that by
using those addresses directly in the address bar of the browser, e.g.
instead of www.nytimes.com I put the IP address IPSEC added to the
allow filter and the page opens. So the IP addresses IPSEC find (it
does a DNS search for them) are sufficient to open the web pages. Also
it is necessary to allow DNS servers in IPSEC so you can put
"www.nytimes.com" in the address bar and the DNS server will return the
IP address for it. This part works, the DNS server of my ISP returns an
IP address in the IPSEC allow list, but still it doesn't allow the
packets through for the IP address itself.
The feature in IPSEC is very useful if it works because people can
give a list of web sites they want to visit, and no other web sites are
allowed. So this list of web sites might be added to group policy and
this is quite secure if those sites are safe. The allow function works
well for internal use. For example I can use a filter to block all TCP
and UDP traffic, and then allow all TCP traffic from a first subnet to
a second subnet (both internal). This works, and the traffic in the
internal subnets is allowed, and outside those subnets is completely
blocked. But if I do the same thing, allow all traffic from a first
internal subnet to an external IP address (even allowing all ports from
that address) IPSEC doesn't allow it. I'm only using RRAS for a
firewall and if I turn off the IPSEC blocking of all TCP the internet
all works.
Steven L Umbach
Jul 17, 2006, 10:51:15 PM7/17/06
to
Are you sure that when a user enters nytimes in their address bar that it is
resolving to an IP address in the allow list? What you could do on a client
computer is run ipconfig /displaydns to see if the IP address shown for
nytimes is in the allow list or try using TDImon from Sysinternals to view
the IP traffic in real time looking for port 80 outbound traffic. Another
thing I would try is to create a hosts file on a client computer with the IP
address or addresses for nytimes to see if that works or not which would
insure only the IPs in the hosts file are used. To answer an earlier
question, yes ipsec filters are weighted such that a specific rule overrides
a general rule. Unfortunately I don't believe you can enable logging for
ipsec in XP like you can for Windows 2003 to see events for dropped traffic.
I tend to think the problem is that an IP address not on the allow list is
being used sometimes.
resolving to an IP address in the allow list? What you could do on a client
computer is run ipconfig /displaydns to see if the IP address shown for
nytimes is in the allow list or try using TDImon from Sysinternals to view
the IP traffic in real time looking for port 80 outbound traffic. Another
thing I would try is to create a hosts file on a client computer with the IP
address or addresses for nytimes to see if that works or not which would
insure only the IPs in the hosts file are used. To answer an earlier
question, yes ipsec filters are weighted such that a specific rule overrides
a general rule. Unfortunately I don't believe you can enable logging for
ipsec in XP like you can for Windows 2003 to see events for dropped traffic.
I tend to think the problem is that an IP address not on the allow list is
being used sometimes.
Steve
"Greg O" <greg...@gmail.com> wrote in message
news:1153188726.7...@s13g2000cwa.googlegroups.com...
Greg O
Jul 18, 2006, 4:21:12 AM7/18/06
to
BTW nytimes.com is just an example, there are other web sites I want to
allow as well. The problem is not a DNS one because I can do the
following:
1. Make a rule in IPSEC for a domain nytimes.com. That queries DNS and
automatically creates 4 rules with specific IP addresses e.g.
199.239.136.200 (I think from memory) and adds these into IPSEC. So now
I have a policy that is the general block all TCP traffic, and a
specific one that says allow these 4 IP addresses to the particular
subnet. If I put any of these 4 IP addresses into the browser (instead
of www.nytimes.com) then DNS is bypassed since it is the IP address I
am using. I try it and can't get the web site. If I delete the rule
that blocks all TCP traffic I get the web site. If I unassign the
policy I get the web site. So the only variable here is whether I have
the rule blocking all TCP traffic, DNS is not being used. Of course the
DNS issue is another problem, if I get the IP addresses connecting I
can at least use them in favourites for a workaround.
I have tried other web sites too and couldn't connect with the IPSEC
policy on with any of them.
Steven L Umbach
Jul 18, 2006, 11:43:14 PM7/18/06
to
I am a bit confused. I though before you said you could access the website
by putting the IP address in the address bar but now you are saying you can
not? It is not unusual not to be able to access a website by entering the IP
address in the address bar. If you have a Windows 2003 Server that you can
use for testing you might want to try that because then you can use netsh to
enable auditing of dropped traffic for ipsec that can help in
troubleshooting ipsec rules. You also may want to try using your ipsec rule
to see if you can access a simple web server on your network. 69.94.43.76
is an IP that I can use in the address bar to access a website. Just to
verify your ipsec rules for http should be a default rule to block all for
source:my IP, destination:any IP, source port:any, destination port:80,
protocol:TCP, and filter action block. Then for the exceptions source:my
IP, destination:allowed website IP, source port:any, destination port:80,
protocol:TCP, and filter action permit. The link below on ipsec rule
weighting may be of help.
by putting the IP address in the address bar but now you are saying you can
not? It is not unusual not to be able to access a website by entering the IP
address in the address bar. If you have a Windows 2003 Server that you can
use for testing you might want to try that because then you can use netsh to
enable auditing of dropped traffic for ipsec that can help in
troubleshooting ipsec rules. You also may want to try using your ipsec rule
to see if you can access a simple web server on your network. 69.94.43.76
is an IP that I can use in the address bar to access a website. Just to
verify your ipsec rules for http should be a default rule to block all for
source:my IP, destination:any IP, source port:any, destination port:80,
protocol:TCP, and filter action block. Then for the exceptions source:my
IP, destination:allowed website IP, source port:any, destination port:80,
protocol:TCP, and filter action permit. The link below on ipsec rule
weighting may be of help.
Steve
http://www.microsoft.com/technet/community/columns/cableguy/cg0205.mspx
"Greg O" <greg...@gmail.com> wrote in message
news:1153210871.9...@b28g2000cwb.googlegroups.com...
Greg O
Jul 19, 2006, 9:30:40 AM7/19/06
to
I can isolate the problem to being with IPSEC as follows.
1. Turn off IPSEC. Browser loads the same page with www.nytimes.com and
199.239.236.200.
2. Turn on IPSEC which has a general rule blocking all TCP traffic to a
subnet with a low weighting and a more specific rule permitting TCP
traffic to and from 199.239.236.200 and the same subnet with a higher
weighting. You can't allow traffic in IPSEC to a domain name, it just
makes up a list of filters to the IP addresses recorded in DNS for that
name. You can permit DNS queries though in IPSEC. When IPSEC is turned
on www.nytimes.com and 199.239.236.200 both don't connect. Therefore
IPSEC is blocking access to this web site.
3. In IPSEC delete the general rule blocking all TCP traffic to the
subnet. Then www.nytimes.com and 199.239.236.200 both connect again.
Therefore the general rule in IPSEC even though it has a lower
weighting (I checked this already in IP Security Monitor) is still
overriding the permit rule for 199.239.236.200. I tried varying the
specific rule to different IP addresses, and nothing helped. I tried
making the specific rule more general, so any traffic to or from
199.239.236.200 to anywhere is permitted and it was still blocked. I
tried any traffic to or from 199.239.236.200 on port 80 to a specific
subnet, but that didn't work.
As far as I can tell I am not doing anything wrong. There are only a
few settings so it is hard to make a mistake.
Here's what I think is happening. If I block all traffic with a
general rule and then permit some with a specific rule on the internal
LAN then that works. If the specific rule is for connecting to the
Internet then it doesn't work. So it seems for some reason IPSEC won't
do this for the Internet but it will on an internal network. BTW this
is with 2003 server standard with all patches up to date. I first
noticed this problem a few months ago and put it aside thinking I was
making a mistake somewhere.
The simplest way is to try it yourself. Use say a local security
policy on the gateway server, this is what I do. Block all TCP even all
traffic to a particular subnet from the gateway server. Then try and
make a specific rule to connect to the internet from that subnet.
Thanks for all the help, but I am thinking that for some reason IPSEC
just can't do this.
1. Turn off IPSEC. Browser loads the same page with www.nytimes.com and
199.239.236.200.
2. Turn on IPSEC which has a general rule blocking all TCP traffic to a
subnet with a low weighting and a more specific rule permitting TCP
traffic to and from 199.239.236.200 and the same subnet with a higher
weighting. You can't allow traffic in IPSEC to a domain name, it just
makes up a list of filters to the IP addresses recorded in DNS for that
name. You can permit DNS queries though in IPSEC. When IPSEC is turned
on www.nytimes.com and 199.239.236.200 both don't connect. Therefore
IPSEC is blocking access to this web site.
3. In IPSEC delete the general rule blocking all TCP traffic to the
subnet. Then www.nytimes.com and 199.239.236.200 both connect again.
Therefore the general rule in IPSEC even though it has a lower
weighting (I checked this already in IP Security Monitor) is still
overriding the permit rule for 199.239.236.200. I tried varying the
specific rule to different IP addresses, and nothing helped. I tried
making the specific rule more general, so any traffic to or from
199.239.236.200 to anywhere is permitted and it was still blocked. I
tried any traffic to or from 199.239.236.200 on port 80 to a specific
subnet, but that didn't work.
As far as I can tell I am not doing anything wrong. There are only a
few settings so it is hard to make a mistake.
Here's what I think is happening. If I block all traffic with a
general rule and then permit some with a specific rule on the internal
LAN then that works. If the specific rule is for connecting to the
Internet then it doesn't work. So it seems for some reason IPSEC won't
do this for the Internet but it will on an internal network. BTW this
is with 2003 server standard with all patches up to date. I first
noticed this problem a few months ago and put it aside thinking I was
making a mistake somewhere.
The simplest way is to try it yourself. Use say a local security
policy on the gateway server, this is what I do. Block all TCP even all
traffic to a particular subnet from the gateway server. Then try and
make a specific rule to connect to the internet from that subnet.
Thanks for all the help, but I am thinking that for some reason IPSEC
just can't do this.
Greg O
Jul 19, 2006, 9:51:18 AM7/19/06
to
Steve,
I just tried the specific rule as follows. Allow all traffic to and
from your web site 69.94.43.76 to one computer on the subnet
192.168.1.56. I tried this for all traffic, for just permitting TCP,
and then for just permitting port 80. There was also the general rule
blocking all TCP traffic. The specific rule failed to override the
general rule.
Steven L Umbach
Jul 19, 2006, 2:48:22 PM7/19/06
to
It does sound like you are running into issues with rule weighting that are
contrary to what is believed to work. Have you tried using a default block
all IP rule and then add the allowed exceptions such as all traffic to your
local subnet [which should also allow DNS since you domain controllers do
DNS] and then port 80 TCP to the websites you want to access?
contrary to what is believed to work. Have you tried using a default block
all IP rule and then add the allowed exceptions such as all traffic to your
local subnet [which should also allow DNS since you domain controllers do
DNS] and then port 80 TCP to the websites you want to access?
Steve
"Greg O" <greg...@gmail.com> wrote in message
news:1153315840.4...@s13g2000cwa.googlegroups.com...
Greg O
Jul 20, 2006, 11:11:52 PM7/20/06
to
Yes, rules like this work on an internal subnet. For example to block
internet access I use a general block, then there are 3 internal
subnets. I permit all traffic from subnet 1 to subnet 2, subnet 2 to
subnet 3 and subnet 3 to subnet 1. If I then try to permit specific IP
addresses or even a subnet on the internet it doesn't work. So say for
nytimes.com I try to permit 199.0.0.0 to and from 192.168.0.0 (as 2
subnets but one internal and one external) it doesn't work. I wonder if
a recent patch caused this problem.
Steven L Umbach
Jul 22, 2006, 1:07:46 AM7/22/06
to
I have not used that many filter lists for subnets in an ipsec rule to see
how it works. It sounds like you are doing everything right but that the
weighting is not working as expected. It might be worthwhile to also posting
the ipsec newsgroup as often a member of the MS ipsec team will reply to
posts there.
how it works. It sounds like you are doing everything right but that the
weighting is not working as expected. It might be worthwhile to also posting
the ipsec newsgroup as often a member of the MS ipsec team will reply to
posts there.
Steve
"Greg O" <greg...@gmail.com> wrote in message
news:1153451512....@m79g2000cwm.googlegroups.com...
Greg O
Jul 22, 2006, 8:21:34 AM7/22/06
to
I couldn't find any newsgroup that had IPSEC in the name, I posted a
link to this thread to server.general. Do you have an URL for this
newsgroup?
link to this thread to server.general. Do you have an URL for this
newsgroup?
Steven L Umbach
Jul 22, 2006, 1:48:00 PM7/22/06
to
The newsgroup is Microsoft.public.windows.networking.ipsec. If your ISP does
not have it available create an account in your newsreader program [I use
Outlook Express] to use news.microsoft.com. That newsgroup is not very
active but I would still post there and check back periodically.
not have it available create an account in your newsreader program [I use
Outlook Express] to use news.microsoft.com. That newsgroup is not very
active but I would still post there and check back periodically.
Steve
"Greg O" <greg...@gmail.com> wrote in message
news:1153570894.7...@m73g2000cwd.googlegroups.com...
Greg O
Jul 30, 2006, 3:44:01 AM7/30/06
to
Hi Steven,
It looks like I found the answer on the IPSEC forum, and it is
impossible for rules to permit individual web sites (as I suspected).
The reason is if the server is running RRAS then NAT occurs before
IPSEC, and so IPSEC doesn't see the IP addresses of internal computers
on the network. Consequently it cannot filter the external traffic.
Steven L Umbach
Jul 30, 2006, 8:32:59 PM7/30/06
to
Thanks for the update Greg. By that way are you using ipsec policies on the
client computers or just on the RRAS server doing NAT?? My assumption was
that it was configured on the client computers themselves.
client computers or just on the RRAS server doing NAT?? My assumption was
that it was configured on the client computers themselves.
Steve
"Greg O" <greg...@gmail.com> wrote in message
news:1154245441....@m79g2000cwm.googlegroups.com...
Greg O
Jul 31, 2006, 2:54:06 AM7/31/06
to
I am just using a Local Security Policy on the RRAS server. I may have
to use a group policy on the client computers. Thanks for all the help
it was a very interesting problem.
Steven L Umbach
Jul 31, 2006, 8:55:55 PM7/31/06
to
I think you may have better luck doing that [keeping my fingers crossed]. In
that case the traffic you want to restrict will never leave the client
computer. Group Policy of course makes it easy to deploy ipsec to domain
client computers.
that case the traffic you want to restrict will never leave the client
computer. Group Policy of course makes it easy to deploy ipsec to domain
client computers.
Steve
"Greg O" <greg...@gmail.com> wrote in message
news:1154328846....@75g2000cwc.googlegroups.com...
Greg O
Aug 3, 2006, 10:13:22 AM8/3/06
to
ISA can also be used for this with URL sets. One creates a deny all
http rule for a particular subnet to external then a second rule
allowing certain web sites. I'm glad I worked out the IPSEC too though,
it's interesting to work with. I made some netsh scripts to turn
various policies on in IPSEC and activate them in task scheduler. For
example:
http rule for a particular subnet to external then a second rule
allowing certain web sites. I'm glad I worked out the IPSEC too though,
it's interesting to work with. I made some netsh scripts to turn
various policies on in IPSEC and activate them in task scheduler. For
example:
netsh ipsec static set policy name = policy_one assign = yes
0 new messages