Is it possible to use Microsoft's "Secure Connection Rules" to authenticate/encrypt connections while using VPN at the same time?
What are the configurations necessary?
It should look like this:
Client A <-- VPN --> VPN Gateway <-- LAN --> Client B
FTPd <------------- IPSec -------------> FTP
(I know there are other ways to secure FTP, I just use it for testing)
Thanks
Update 1:
To clarify the objectives:
- Traffic in the LAN should be authenticated and have integrity, but should not be encrypted (because of the IDS)
- Traffic passing the internet or other strange networks should have confidentiality
IPSec policies are applied based on source/destination addresses, so they should just not care about where the traffic is actually flowing; so, yes, applying them to computers whose communication happens via a VPN should work.
But why would you need such a thing, when you can encrypt the VPN itself?
Edit:
In order for IPSec to work, some traffic needs to flow between the involved machines:
More info here.
I don't know if this can be achieved through a VPN... the low-level IP protocols look very much like a possible problem here.
Yes, it is possible to use nested VPNs. This is actually less uncommon than you think in higher security environments.
Please see below for the more common use in higher security environments
Layer 3 doesn't get you that much extra, but it is a possibility!
In the DoD, it is not uncommon to see
Notes on your objectives:
1) Encryption does not mean unreadable to an IDS. Using preshared secrets or a certificate will enable the IDS to eavesdrop for a performance hit.
2) You can have network authentication via 802.1x
3) You'll want to use AH for visibility to an IDS, if you cannot share secrets/certs
4) Use ESP for confidentiality
5) Host-based IDS on local and distant host can alleviate need for sharing secrets/certs
6) NIST 800-77 Guide to IPSEC VPNs is a good free publication on this subject.
If you are so concerned about the value of the information, maybe you should step up from IPSEC to something more secure like HAIPE, and start looking at type 1 encryptors? :)
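Added example (not from the question or any answer): the split the asker describes, expressed as two Windows Connection Security Rules on the FTP server, where the LAN peers get AH (integrity, payload visible to the IDS, per note 3) and the VPN client pool gets ESP (confidentiality, per note 4). The addresses, the pre-shared key and the FTP server host are placeholders I chose for illustration.

```powershell
# Added example, not the asker's or the answerer's configuration.
# Placeholder addresses: adjust to the real LAN, VPN pool and FTP host.
$lan    = '10.0.0.0/24'       # business LAN segment watched by the IDS
$vpnNet = '192.168.100.0/24'  # address pool the VPN gateway hands to Client A
$ftpSrv = '10.0.0.25'         # FTP server (Client B), where these rules are created

# Machine authentication with a pre-shared key, for lab testing only;
# a certificate-based proposal is the production choice.
$auth = New-NetIPsecAuthProposal -Machine -PreSharedKey 'REPLACE-WITH-LAB-PSK'
$p1   = New-NetIPsecPhase1AuthSet -DisplayName 'Lab PSK auth' -Proposal $auth

# Quick-mode crypto set 1: AH only. Authenticated and integrity-protected,
# but the FTP payload stays in the clear, so the LAN IDS can still read it.
$ahProp = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH -AHHash SHA256
$ahSet  = New-NetIPsecQuickModeCryptoSet -DisplayName 'AH integrity only' -Proposal $ahProp

# Quick-mode crypto set 2: ESP with AES, for peers that reach us over the VPN.
$espProp = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
$espSet  = New-NetIPsecQuickModeCryptoSet -DisplayName 'ESP confidentiality' -Proposal $espProp

# Rule 1: LAN hosts <-> FTP control channel (TCP/21), AH required in both directions.
New-NetIPsecRule -DisplayName 'FTP LAN AH' -Mode Transport `
    -LocalAddress $ftpSrv -RemoteAddress $lan -Protocol TCP -LocalPort 21 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name -QuickModeCryptoSet $ahSet.Name

# Rule 2: VPN clients <-> FTP control channel, ESP required in both directions.
# The rule matches on the VPN pool address, so it applies no matter which
# physical network the client is on, which is the point made in the first answer.
New-NetIPsecRule -DisplayName 'FTP VPN ESP' -Mode Transport `
    -LocalAddress $ftpSrv -RemoteAddress $vpnNet -Protocol TCP -LocalPort 21 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1.Name -QuickModeCryptoSet $espSet.Name

# Check the rules, then confirm after an FTP connection that main-mode and
# quick-mode SAs were actually negotiated for each peer.
Get-NetIPsecRule -DisplayName 'FTP *' |
    Format-Table DisplayName, Mode, InboundSecurity, OutboundSecurity
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

The same two quick-mode sets have to be configured on the peers (LAN clients and VPN clients) with the addresses mirrored, and the VPN gateway must pass IKE (UDP 500 and 4500) plus IP protocols 50 (ESP) and 51 (AH); AH in particular will not survive a gateway that NATs the VPN clients, since the address rewrite breaks its integrity check. Port 21 covers only the FTP control channel; passive data connections need a rule for the server's passive port range.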
Here's a possible why: you are subject to PCI compliance and you have a cardholder data environment within your business LAN. So while supporting from home or the road, you VPN to the business LAN, but you cannot allow easy connection into the CDE for administration. You require two-factor authentication and obviously don't want unauthorized personnel (namely, almost everyone in the business LAN) to be able to go into the CDE.