RE: How to enable ESP Null Encryption on ISA 2004

  • From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 28 Dec 2005 21:44:37 +0100

Hi Stefaan, 

It can be done but not through the GUI ;-)

The key is the netsh command
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/c3ae0d03-f18f-40ac-ad33-c0d443d5ed90.mspx). Here is an example. 

In my lab I have an ISA server with a S2S VPN network called
"RemoteSite#44". 

Use the command 'netsh ipsec dynamic show qmpolicy all' to find the QM
Policy belonging to this S2S VPN connection. The result was: 

--- Begin ---

C:\>netsh ipsec dynamic show qmpolicy all

QM Negotiation Policy Name : L2TP Optional Encryption Quick Mode Policy

    Security Methods       Lifetime (Kb:secs)   PFS DH Group
------------------------- --------------------- ------------
 ESP[3DES,MD5]                250000:3600       <Unassigned>
 ESP[3DES,SHA1]               250000:3600       <Unassigned>
 AH[SHA1]+ ESP[3DES,NONE]     250000:3600       <Unassigned>
 AH[MD5] + ESP[3DES,NONE]     250000:3600       <Unassigned>
 AH[SHA1]+ ESP[3DES,SHA1]     250000:3600       <Unassigned>
 AH[MD5] + ESP[3DES,MD5]      250000:3600       <Unassigned>
 ESP[ DES,MD5]                250000:3600       <Unassigned>
 ESP[ DES,SHA1]               250000:3600       <Unassigned>
 AH[SHA1]+ ESP[ DES,NONE]     250000:3600       <Unassigned>
 AH[MD5] + ESP[ DES,NONE]     250000:3600       <Unassigned>
 AH[SHA1]+ ESP[ DES,SHA1]     250000:3600       <Unassigned>
 AH[MD5] + ESP[ DES,MD5]      250000:3600       <Unassigned>
 ESP[NONE,SHA1]               250000:3600       <Unassigned>
 ESP[NONE,MD5]                250000:3600       <Unassigned>
 AH[SHA1]                     250000:3600       <Unassigned>
 AH[MD5]                      250000:3600       <Unassigned>


QM Negotiation Policy Name : ISA Server RemoteSite#44 QM Policy

    Security Methods       Lifetime (Kb:secs)   PFS DH Group
------------------------- --------------------- ------------
 ESP[3DES,SHA1]                    0:3600       Medium (2) 

--- End ---

To change the encryption algorithm to Null, use the command:  
  netsh ipsec dynamic set qmpolicy name="ISA Server RemoteSite#44 QM Policy" qmsecmethods=ESP[None,SHA1]

To verify the change, use the command: 
  netsh ipsec dynamic show qmpolicy name="ISA Server RemoteSite#44 QM Policy"

The result should be: 

--- Begin ---

QM Negotiation Policy Name : ISA Server RemoteSite#44 QM Policy

    Security Methods       Lifetime (Kb:secs)   PFS DH Group
------------------------- --------------------- ------------
 ESP[NONE,SHA1]                    0:0          Medium (2)

--- End ---

I tried it and was able to look inside the IPSec tunnel with the Network
Monitor tool  :-)))


HTH,
Stefaan
MVP ISA Server
http://www.isaserver.org/Stefaan_Pouseele/
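A defender-side check to go with the procedure above (my own example code, not from the thread or from ISA Server): it parses the table printed by `netsh ipsec dynamic show qmpolicy all` and flags every QM policy that still offers a security method carrying payload in the clear, so a null-encryption policy enabled for a capture session is not left behind. The sample output is constructed in the thread's format; ESP with NONE/NULL confidentiality and AH-only methods are both treated as cleartext.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample modelled on the netsh output quoted in the thread
# (abbreviated; values are illustrative, not from a live host).
SAMPLE_OUTPUT = """\
QM Negotiation Policy Name : L2TP Optional Encryption Quick Mode Policy

    Security Methods       Lifetime (Kb:secs)   PFS DH Group
------------------------- --------------------- ------------
 ESP[3DES,SHA1]               250000:3600       <Unassigned>
 AH[SHA1]+ ESP[3DES,NONE]     250000:3600       <Unassigned>
 ESP[ DES,MD5]                250000:3600       <Unassigned>
 AH[SHA1]                     250000:3600       <Unassigned>


QM Negotiation Policy Name : ISA Server RemoteSite#44 QM Policy

    Security Methods       Lifetime (Kb:secs)   PFS DH Group
------------------------- --------------------- ------------
 ESP[NONE,SHA1]                    0:0          Medium (2)
"""

POLICY_RE = re.compile(r"^QM Negotiation Policy Name\s*:\s*(.+?)\s*$")
# method text, then "Kb:secs" lifetime, then the PFS column (may contain spaces)
METHOD_RE = re.compile(r"^\s*(\S.*?)\s+(\d+):(\d+)\s+(\S.*?)\s*$")
ESP_RE = re.compile(r"ESP\[\s*([A-Za-z0-9]+)\s*,\s*([A-Za-z0-9]+)\s*\]", re.I)

@dataclass
class SecurityMethod:
    method: str
    lifetime_kb: int
    lifetime_secs: int
    pfs: str

    def encrypts(self) -> bool:
        """True only if ESP is present with a real cipher (not NONE/NULL)."""
        m = ESP_RE.search(self.method)
        return bool(m) and m.group(1).upper() not in ("NONE", "NULL")

def parse_qmpolicies(text: str) -> dict[str, list[SecurityMethod]]:
    """Parse 'show qmpolicy' output into {policy name: [SecurityMethod, ...]}."""
    policies: dict[str, list[SecurityMethod]] = {}
    current = None
    for line in text.splitlines():
        if (m := POLICY_RE.match(line)):
            current = m.group(1)
            policies[current] = []
        elif current and not line.startswith("---") and (m := METHOD_RE.match(line)):
            policies[current].append(SecurityMethod(
                m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    return policies

def cleartext_policies(text: str) -> dict[str, list[str]]:
    """Audit: policies with at least one method that sends payload unencrypted."""
    return {name: [s.method for s in methods if not s.encrypts()]
            for name, methods in parse_qmpolicies(text).items()
            if any(not s.encrypts() for s in methods)}
```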
 
-----Original Message-----
From: Stefaan Pouseele [mailto:Stefaan.Pouseele@xxxxxxx] 
Sent: maandag 26 december 2005 13:36
To: [ISAserver.org Discussion List]
Subject: [isalist] How to enable ESP Null Encryption on ISA 2004

http://www.ISAserver.org

Hi, 

In many documents on
http://www.microsoft.com/isaserver/techinfo/guidance/2004/vpn.mspx I
read: 

--- Begin ---

Network Captures of IPSec in Tunnel Mode:

This section briefly describes how IPSec works in tunnel mode. For a diagram
of the network topology, see Figure 4 later in this document.

In this example, traffic is transmitted from the client on the Astaro
Security Linux system Internal network, traverses the IPSec tunnel mode
policy, and is then received on the ISA Server network. When using
Encapsulating Security Payload (ESP), traffic is typically encrypted using
Data Encryption Standard (DES) or Triple DES (3DES) and authenticated with
SHA1 or MD5. However, you can specify to use Null
(no) Encryption so that the packets can be seen. An IPSec tunnel mode policy
with Encryption is configured initially, and then Null Encryption is
specified, so that the packet structure with ESP can be seen as it traverses
the network.

--- End ---


It would indeed be very nice if we could enable Null Encryption in order to
see what is happening inside the IPSec tunnel. However, I never found a
document explaining how to do that on ISA 2004 when configuring a
site-to-site VPN connection. Does anybody have any clue how to enable that? 


Thanks,
Stefaan
 


