Article ID: 265112 - View products that this article applies to.
This article was previously published under Q265112
This article describes IP Protocol Security (IPsec) and its implementation in Windows 2000 and in Windows Server 2003. It also discusses IPsec and Layer 2 Tunneling Protocol (L2TP) interoperation with third-party products.
Description of IPsecIPsec is designed to encrypt data as it travels between two computers, protecting the data from modification and interpretation. IPsec is a key line of defense against internal, private network, and external attacks. Although most network security strategies have focused on preventing attacks from outside an organization's network, a great deal of sensitive information can be lost by internal attacks that interpret data on the network. Most data is not protected when it travels across the network, so employees, supporting staff members, or visitors may be able to plug into your network and copy data for later analysis. They can also mount network-level attacks against other computers. Firewalls offer no protection against such internal threats, so using IPsec offers significantly greater security for corporate data.
IPsec is a Security service that gives administrators the ability to monitor traffic, examine addresses, and apply various security methods to the IP data packet regardless of which program generates the data.
Using IP filtering, IPsec examines all IP packets for addresses, ports, and transport protocols. Rules contained in local or group policies tell IPsec to ignore or secure specific packets, depending on addressing and protocol information.
IPsec implementation in Windows 2000 and in Windows Server 2003IPsec and Internet Key Exchange (IKE) is only included in Windows 2000 and in Windows Server 2003. These operating systems adhere to the IPsec RFC suite (2401+) as much as a first release can--there are still some aspects of the RFCs that have not been implemented. It is tightly integrated with many other aspects of these operating systems, such as the TCP/IP stack, device Plug and Play, certificate services and cryptographic modules (CAPIv2) and to some extent, Group Policy for the delivery of directory-based IPsec policy.
Only L2TP uses IPsec by default to secure the UDP 1701 IP packets that are the tunnel. IPsec is not included in Microsoft Windows 98. IPsec and related services in Windows 2000 and in Windows Server 2003 were jointly developed by Microsoft and Cisco Systems, Inc. The L2TP implementation itself was performed by Microsoft and integrated with IPsec after Beta 2.
Interaction of components
IP security methodsIP Security methods are applied to an IP packet by the IPsec driver. There are two security methods that can be used, either separately or in unison. The two methods are:
IPsec policy configurationYou can use Microsoft Management Console (MMC) can be used to increase the protection of Unicast IP traffic by using a configuration 'policy' that is built on the client and server or router. You can configure this policy either locally (by using the IP Security Policies on Local Machine snap-in) or in Active Directory (by using the IP Security Policies on Active Directory tool). When you apply the policy, IPsec uses packet filters to determine which traffic to secure, block, or permit. When it secures traffic, IKE is used to negotiate security settings and perform cryptographic key exchanges, and IPsec SA establishment and automatic rekeys. IPsec functions as transparently as possible to layers above IP.
If the IPsec policy specifies it, IKE can use the Windows Kerberos 5 security protocol for computer authentication to avoid the requirement for certificate deployment. The Windows 2000 and Windows Server 2003 implementation is according to Derrell Piper's draft (as described later in this article). Kerberos is not used for IPsec keying, only for IKE main-mode computer authentication. No Kerberos extensions are used in the ticket because it is not a user or service ticket--it is a computer ticket--so it should work when you configure either operating system for MIT-compatibility mode of Kerberos 5 with other computers that are members of Kerberos 5 realms. For additional information, see the following Web sites:
http://www.ietf.org/Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
IPsec API and policyThe Windows 2000 and Windows Server 2003 IPsec APIs and policy schema have not been published yet. IPsec and IKE identity-protect mode (main mode and quick mode) do not lend themselves to program-based, connection-oriented APIs. IPsec is not intended as a replacement for the SSL/TLS connection-oriented methods normally used to secure Web communications.
The Windows 2000 and Windows Server 2003 definition of 'policy' is a set of IPsec-specific settings that can be delivered to and then applied to the host. 'Policy' implies static settings/data that have not been evaluated on the enforcement point of the end-computer that receives these settings. The typical IPsec deployment is for a domain administrator to configure an IPsec policy in Active Directory as needed for clients, servers, and other special-purpose computers, and then assign it and deliver it by using the Group Policy system. You can also fully configure the IPsec policy .
Microsoft intends to change the policy storage formats in future releases of Windows. Therefore, the Windows IPsec directory policy and local registry storage formats are considered a Microsoft private, unpublished data structure.
You can still batch script IPsec policy creation. Ipsecpol.exe is a command-line tool in the Microsoft Windows 2000 Resource Kit that you can use to script policy construction (documentation is included with the tool). In the Support Tools folder on the CD-ROM, you can use the netdiag.exe /test:ipsec /v /debug command to see the details of the IPsec policy, filtering, and so on (if you are logged on with the same privileges as the user who assigned the policy).
For a future release (not necessarily the next release), Microsoft is working on APIs that allow API clients to plumb filters and offers to the engine. Microsoft will make APIs available after a detailed third-party vendor design review. Policy-management solutions will be able to design their own policy formats and then plumb them to the IPsec system by using the APIs.
Work is being done on a proposal for an IPsec policy model/schema as a first draft of what an administrative policy-oriented API might support. However, vendors and interested customers would need to review this draft substantially to see if the model would work. For additional information, see the following Web site:
http://www.ietf.org/proceedings/01aug/slides/ipsp-3/Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
IPsec interoperationFor virtual private network (VPN) scenarios, Microsoft recommends IPsec tunnels only for gateway-to-gateway scenarios in which L2TP/IPsec will not work, and for end-to-gateway scenarios (not VPN remote access clients, because it is an RFC-compatible tunnel implementation, and so does not support IKECFG or XAUTH) where each point has a static IP address and therefore static IPsec rules with filters to enable the tunnel. For more information about configuring IPSec tunneling in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base:
252735Although technically you can configure policy filters to provide IPsec tunnels for protocols and ports (because the policy configuration tool is very general), these type of tunnels are not supported by Microsoft. IPsec interoperability is not clearly defined. Some vendors have decided to run their own program. Both of the following Web sites are conducting interoperability testing programs:
(http://support.microsoft.com/kb/252735/ )How to configure IPsec tunneling in Windows 2000
http://www.vpnc.orgWindows 2000 and Windows Server 2003 have not been submitted to either of these yet. Customer demand and review of the interoperation criteria used in these testing programs versus how they want to use IPsec will determine whether Microsoft will apply for certification in these programs.
Suggested interoperability levels
L2TP/IPsec interoperationWindows 2000 and Windows Server 2003 are compliant with RFC 2661 ("Layer Two Tunneling Protocol"). RFC 2661 indicates that L2TP traffic can be secured with IPsec, but does not provide details about how to implement this security. An Internet-draft document is currently being worked on that will specify the details of securing L2TP traffic with IPsec. Internet-draft documents are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups.
Because the protection of L2TP traffic with IPsec is not yet a standard (there is no RFC for it), the interoperation of these Windows operating systems using L2TP/IPsec must be tested.
Use the following basic information about the protection of L2TP traffic using IPsec in Windows 2000 and Windows Server 2003 as guidance when you are testing with third-party vendors:
http://support.microsoft.comIt is common for some vendors to claim interoperation with Windows 2000 and Windows Server 2003, even if Microsoft may not have had a chance to verify it with that vendor.
SecurityMicrosoft has taken a number of steps to ensure the quality of the design and implementation, which has included internal and external (private) design and code reviews. Microsoft will continue to provide documentation and guidance for customers on proper use. As with any security tool, it is important that users read the online Help and Resource Kit documentation to understand IPsec and its usage thoroughly. IPsec and IKE are implemented to IETF RFC standards, but they are still new technology in the industry which means they will come under heavy scrutiny and attack by malicious users.
Microsoft recommends the following actions to maintain a secure environment:
Microsoft points of contactFor media inquiries, contact Waggener Edstrom at 425-637-9097. Identify that you are inquiring about IPsec and network security. They will be able to contact the appropriate product management and technical resources to help you.
For IPsec as a technology in the Windows platform, please send an e-mail message to firstname.lastname@example.org.
Microsoft customers with support agreements have access to Windows 2000 Support Professionals who have been working with the product team over the course of the Windows 2000 beta cycle. Customers who already deploy or will deploy Windows 2000 or Windows Server 2003 IPsec for end-to-end or end-to-router scenarios should contact their Microsoft Support Representative directly. For information about Microsoft Support options, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;CNTACTMSMicrosoft needs customer and vendor feedback to improve the functionality in the platform. We would like to know who is using it and how, and what your experience is. To that end, it is most helpful if customers escalate issues through the support channel. If you are an IPsec vendor and have a specific implementation or interoperation question, see our walkthrough and Microsoft Knowledge Base articles for how to turn on debugging. After investigation, send an e-mail message to the alias on the interoperation test site, explain who you are, what is happening, and so on.
The online Help (in both Windows 2000 Professional and Server) contains the same content for IPsec, but it is represented differently in the table of contents. The online Help is also available at the following Microsoft Web site:
http://technet.microsoft.com/en-us/windowsserver/2000/bb735359.aspxThe Windows 2000 Server Resource Kit is oriented to network and server administrators who are new to IPsec. For information about the Windows 2000 Resource Kit, see the following Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/default.mspxDetailed procedures for using IPsec to protect traffic end-to-end as well as more information about the implementation is available at the following Microsoft Web site:
http://www.microsoft.com/downloads/details.aspx?familyid=501a48d5-a3ee-4094-aeb4-16bbff098810The Windows 2000 Networking newsgroup is available at microsoft.public.win2000.networking. For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/257225/ )IPsec troubleshooting in Microsoft Windows 2000 Server
(http://support.microsoft.com/kb/259335/ )Basic L2TP/IPSec troubleshooting in Windows 2000
248750For information about Windows 2000-based virtual private network and supporting VPN interoperability, see the following Microsoft Web site:
(http://support.microsoft.com/kb/248750/ )Description of the IPSec policy created for L2TP/IPSec
Article ID: 265112 - Last Review: February 3, 2011 - Revision: 11.7