IPsec questions and answers

Discussion in 'other firewalls' started by Sully, Dec 8, 2008.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I know there are a few threads out there regarding IPsec. I have an interest in it lately, and wonder if there are any here who have delved deeply into using ipseccmd.exe with xp sp2. Both Dynamic and Static scripting. Specifically, how you went about developing methods to apply different policies and how you managed them.

    Sul.
     
  2. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I will post as much info here as I can. I am currently deep into the ipsec usage especially with the scripting tool ipseccmd.exe that xp uses. My goal is to either augment windows firewall or just in general learn how to use something built into the OS.

    I am almost complete with the first step, which is to understand how to use ipseccmd to structure some rules. Ipsec is basically a dumb packet filter, but from what I have read, it resides at kernel level. I have seen snippets that state this method has much less overhead than normal firewalls. I don't have the knowledge to say much in that regard.

    It is interesting the approach one takes with ipsec. It is the exact opposite of a normal 3rd party firewall. Instead of everything blocked unless told otherwise, by default ipsec lets everything through. While windows firewall does an ok job at simply blocking inbound requests, everyone knows there is no outbound control whatsoever. Ipsec does allow this, in the same way a firewall such as AS3 or SoftPerfect would. There are no methods to capture what application is requesting a connection (in or out), so you just allow or block ports.

    What makes this interesting is that using the ipseccmd tool, one can make 'STATIC' rules, which go into a database of sorts and are, well, static. And then you can make 'DYNAMIC' rules, which are more of a session rule. Reboot or restart the service (policyagent for those that use the tool sc), and those session rules are gone. Even a simple command of ipseccmd.exe -u gets rid of all of the session rules in a snap.

    How it lays out the rules is fairly typical of a firewall, only backwards. You start a 'POLICY', and give it a sort of 'master rule', which is basically block everything. Then you start your exceptions. You poke a hole here or there depending on your needs. I am most curious to see how using dynamic rules will work in day to day use. It would be nothing to create a batch file for a certain program that opens some ports, and these openings could be only present when one wished to start that app. And they could be gone with a simple command or when you reboot.

    Obviously the need to have holes open for your normal traffic in day to day use is really essential, or you could find it cumbersome. But for certain apps that you only want holes open at certain times, it seems a clever way. Even to the point of having a service running that has an open port, and your router is port forwarding to your box for that service. With some sleight of hand and a little batch script, you could leave everything in the router in place, leave the service running, and just open a temporary hole when you need it.

    More to come for anyone who has been looking for some concepts on how to use ipsec. There are many resources available, but most are very technical and require some time to digest. Maybe this will be a quick place to find some quick and simple answers.

    Sul.
     
  3. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Here is a start. A small tray icon for windows firewall and ipsec. With it you can enable or disable the firewall and show the firewall control panel. There are also 3 'rulesets': Allow All traffic, Allow LAN only traffic and Block all traffic. These are dynamic ipsec policies, meaning they are gone with a reboot or entering the command ipseccmd.exe -u.

    In order to use this you must:

    1. download this http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en

    2. Extract this update, then extract support.cab from inside it. Inside support.cab is the file ipseccmd.exe. This must be placed in a path. Copy it to windows or windows\system32.

    3. The IPSec service must be running. You can use the run box -> services.msc, or from a command prompt:
    Code:
    sc config policyagent start= auto
    sc start policyagent

    That should be it. As long as the ipseccmd.exe is in windows or windows\system32 and the ipsec service is running, all should work.

    Here is a registry edit that you can run after you have enabled the IPsec service. It gets rid of all the default policies/rules. To interface with IPsec you can use secpol.msc or gpedit.msc. You can reset everything to default if needed in that interface.

    Code:
    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
    And here is the link for the little tool I made
    http://www.filesend.net/download.php?f=ebbb1efc015af7543d661ff8d85d373e

    Sul.
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I remember being interested in IPSEC many years back when I was running Win2k and thinking I might use that instead of a firewall. I did a bit of experimenting with it, not much, but then dropped it, as it seemed fairly primitive compared to other rule based firewalls available. There weren't many options beyond simple port rules. For example, I don't remember being able to set up port ranges. Similarly with IPs and so on. It's interesting, but so much easier to just use something like Kerio 2 or Jetico nowadays.
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Yes I would agree with you. Up till now I have not been interested in it at all. In looking at different methods to allow my kids online access, ipsec has offered some ease of use at a core level. And I do find it interesting that there are so many things I have done in the past, that had I taken the time to study ipsec a little, I would have used it. So yeah, I hear what you are saying. But after looking at countless pages and articles, I wanted to both get others' insights as well as hopefully have a good thread that others might find valuable info in.

    Thanks for the reply.

    Sul.
     
  6. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Since I started out by creating a tool to help me issue a few dynamic ipsec rules and manage the windows firewall, I thought I might just as well finish that up a bit.

    Here is a link to what I'll call version 1.0.0.1 lol

    http://www.filesend.net/download.php?f=8f5e6c4ae076e55aabe52eb12900d775

    This should allow those who use windows firewall a few nice shortcuts right from the tray. Not the most elegant tool ever, but it does what it needs to.

    Features:
    1. enable/disable firewall
    2. start/stop the firewall service
    3. start firewall.cpl
    4. enable/disable both log events
    5. delete contents of pfirewall.log
    6. changing tray icon depending on firewall state
    7. 3 basic ipsec rulesets
    8. start/stop ipsec service
    9. small helpfile with basic explanations
    10. super simple install/uninstall method lol, you will like this one

    Meh, give it a try if you use windows firewall. I have found it to be very useful already.

    More to come on how to implement some basic ipsec stuff.

    Sul.
     
  7. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Some further playing. I use Hamachi to transfer files between buddies, especially new tools I make or scripts. We also play some LAN games with it. I decided to see if I could use IPsec to only allow Hamachi traffic and block everything else.

    Hamachi makes a virtual network adapter, so it was a fun test. And it works. Using a few IPsec commands, Hamachi traffic is allowed and my normal NIC ip is blocked. Here is an example of what a scripted dynamic rule looks like.

    Code:
    :: first get rid of any dynamic rules in place
    ipseccmd -u
    :: block all ports
    ipseccmd -f [0=*:*:*]
    :: open DNS, could restrict to only your ISP dns server
    ipseccmd -f (0=*:53:UDP)
    :: allow traffic from your virtual hamachi adapter
    ipseccmd -f (5.124.121.*:*=*:*:*)
    :: allow needed port for hamachi, for your virtual adapter only
    ipseccmd -f (5.0.0.*:67=5.124.121.*:68:UDP)
    :: allow connection to hamachi servers
    ipseccmd -f (0=74.201.74.*:*:*)
    :: allow needed broadcasts
    ipseccmd -f (0=239.255.255.*:*:UDP)
    
    Getting rid of this is simple: ipseccmd.exe -u

    More rules need to be implemented for each Hamachi IP that you wish to communicate with.

    Maybe not really useful, but for sake of learning, it is nice to know that IPsec does work with a virtual adapter. I assume the same would be applicable to something like a vmWare network adapter too, although I have not tried yet.

    MrWoo.
     
  8. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Is anyone out there good with REG_BINARY values? Umm, anyone understand Little Endian structured hexadecimal? lol, anyone know how to read a tech sheet on the structure of a binary string, and interpret what is being said. I found the techs on exactly what the reg key I need to parse is supposed to be, but Little Endian is seriously throwing me here. I know it is reverse of Big Endian or even Unicode/UTF, but there seems to be some ambiguity in this.

    Currently I have some WMI objects to return most vals to me via a script. I am working on how the ipseccmd.exe show filters output can relate to the ipsecFilters\ipsecData REG_BINARY key value. This output is needed to get the specifics of current STATIC rules/filters. Without it, parsing and matching reg values will be impossible.

    Right now I can enable/disable a policy, and enable/disable each rule in the policy. However, without a properly working parse of the ipsecData key, I have no way to properly match it up. Unfortunately, the ipseccmd filters are non-specific, with only a GUID starting with text2pol{GUID}.

    Does anyone know if there is a way to get the netsh commands from server 2k3 to work in xp pro? In server 2k3 netsh has an ipsec parameter. This would be the way to go over ipseccmd without a doubt.

    Refining of rules seems easy to do. It is the implementation, and especially the leaving of the snap-in that I am most interested in. That mmc absolutely blows. I will make one that works and is easy to use. It all hinges on deciphering what the docs are telling me about this regkey.

    Most detailed account of a reg key I have ever seen, to be sure.

    Sul.
     
  9. horseman

    horseman Registered Member

    Joined:
    Apr 11, 2004
    Posts:
    128
    Location:
    Hove - UK
    Well in my old System 370 mainframe days I always broke my eggs at the big end... now a days it seems I have to learn to break either end depending on what I'm doing... :doubt:
     
  10. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    So, I have been making a tool to manage different ipSec policies and rules, as I cannot stand the snap-in that MS gives for doing this. Here is a small batch file that uses ipseccmd.exe to put in place some policies. Note that ipseccmd.exe MUST be in a path somewhere (i.e. c:\, c:\windows, c:\windows\system32)

    Code:
    @echo off
    cls
    
    :: Make a simple policy to just allow everything
    ipseccmd -w REG -p "Allow All Traffic" -r "Allow All" -f 0:*:*+*:*:* -n PASS
    
    :: Make a simple policy to block everything
    ipseccmd -w REG -p "Block All" -r "Block All" -f *:*:*+*:*:* -n BLOCK
    
    :: Make a simple policy to allow ONLY LAN activity
    ipseccmd -w REG -p "LAN Only" -r "Block All" -f *:*:*+*:*:* -n BLOCK
    ipseccmd -w REG -p "LAN Only" -r "Allow LAN" -f 0:*:*+192.168.1.*:*:* -n PASS
    
    :: Make a more complicated policy that encompasses all normal communications needed for daily use
    :: note the DNS rule would need your DNS servers IF you know them
    ipseccmd -w REG -p "Firewall" -r "Block All" -f *:*:*+*:*:* -n BLOCK
    ipseccmd -w REG -p "Firewall" -r "Allow LAN" -f 0:*:*+192.168.1.*:*:* -n PASS
    ipseccmd -w REG -p "Firewall" -r "DNS" -f 0:*:UDP+223.211.190.23:53:UDP 0:*:UDP+223.211.190.24:53:UDP 0:*:TCP+223.211.190.23:53:TCP 0:*:TCP+223.211.190.24:53:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "POP3" -f 0:*:TCP+*:110:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "POP3S" -f 0:*:TCP+*:995:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "FTP Control" -f 0:*:TCP+*:21:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "FTP Data" -f 0:*:TCP+*:20:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "IMAP" -f 0:*:TCP+*:143:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "HTTP" -f 0:*:TCP+*:80:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "HTTPS" -f 0:*:TCP+*:443:TCP -n PASS
    ipseccmd -w REG -p "Firewall" -r "PROXY" -f 0:*:TCP+*:8080:TCP 0:*:TCP+*:3128:TCP 0:*:TCP+*:8081:TCP 0:*:TCP+*:8000:TCP -n PASS
    If you were to run this .bat file, these policies would be made, but none of them would be assigned. You must have the ipsec service running to do this of course.

    Here is a link to a beta program I am making for easy access to these policies/rules. If you already have some ipSec rules in place, you might want to export your current registry values before playing. It has caused no errors yet, but I certainly would not want to create problems for anyone if it did.

    Here is a link to the beta app.
    http://www.filesend.net/download.php?f=0d3dac2b6c77086d2eb0b5ce3ce03e01

    More to come. Learning a little more about the ipseccmd, about the trouble with pulling out the values for each rule from the REG_BINARY keys. Thinking of adding more features to the program so one can create a batch file easier. Been using ipSec on a few computers more and more as a base defense prior to windows firewall. So far, it seems fast and once I understand why and how it does or does not perform, just gets better.

    Sul.
     
  11. cyberd

    cyberd Registered Member

    Joined:
    Feb 9, 2009
    Posts:
    9
    Location:
    GREECE
    Hello there, this is my first post here...
    (sorry for my bad english)

    - I was just searching the web - I am making a personal firewall using IPSEC... and some tools I've made in Visual Basic...

    so if you can help me it will be great..

    I want to block a local IP (example 192.168.168.4)
    I believe that the command is the following:
    Code:
    ipseccmd.exe -f 0:*:*+192.168.168.4:*:* -n BLOCK
    
    but I want the "Ping" port to be open - how would that be done? I thought that the port was 0 or 8... but the following command did not work:
    Code:
    ipseccmd.exe -f 0:*:*+192.168.168.4:*:8 -n PASS
    
    Plus, if possible, could you give the right usage of the command?
    I think it is:
    Code:
    ipseccmd -f (myip, 0 is that if use * what means?):(my ports):(remote ips):(remote ports):(protocol) -n (PASS or BLOCK)
    Thanks in advance... :)
     
  12. cyberd

    cyberd Registered Member

    Joined:
    Feb 9, 2009
    Posts:
    9
    Location:
    GREECE
    I've just realized that ping has no port assigned...

    I've just blocked UDP and TCP

    thanks again
     
  13. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Code:
    ipseccmd.exe -f 0:*:*+192.168.168.4:*:udp -n BLOCK
    ipseccmd.exe -f 0:*:*+192.168.168.4:*:tcp -n BLOCK
    These will close tcp and udp ports between yourself and .4. If this is the only rule, it will work.

    You could use this snippet to open up all local communication to that subnet on all ports. Of course you could also just use .4 instead of .*; this would allow other ipsec rules to stay in place while still allowing all activity to .4

    Code:
    :: Make a simple policy to allow ONLY LAN activity
    ipseccmd -f *:*:*+*:*:* -n BLOCK
    ipseccmd -f 0:*:*+192.168.1.*:*:* -n PASS
    Remember, ping is of type ICMP. It has no ports to define, only types (like 0 or 8). Here is a rule for pinging, but not file sharing. File sharing (netbios) would be opened only for ports 137 & 138 udp, 139 tcp.
    Code:
    ipseccmd -f 0:*:ICMP+192.168.1.4:*:ICMP -n PASS
    Let me know if you have more questions.

    Sul.
     
  14. cyberd

    cyberd Registered Member

    Joined:
    Feb 9, 2009
    Posts:
    9
    Location:
    GREECE
    @Sully thank you... for the tips

    Now I am searching for a way to control the bandwidth (from the cmd line) of IPs connected to my PC... is that possible?

    I've found in the Windows Resource Kit a utility named tcmon (that uses tccom and QOS)... I've also found tcmonlite (a small piece of software that says it works at the cmd line, but I can't make it work - I get an error)...

    I am also trying to find an API reference for Visual Basic 6 (which I am very familiar with), but there is no API or sample for the TC API (tccom service)... to create my own utility for that traffic management... or if I could find a third-party free cmd line tool managing the bandwidth for IPs...

    (All of that of course only helps if all client PCs are routed through my PC [2 NICs] - that I can do if Windows XP is enabled as an IP router through the registry) - This I've done well!

    Anyone know something?
     
  15. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    I am not completely sure of this, but you might look at some registry values. TCPIP or NETBT have many values, and even more undocumented ones that are available from Mr Google. I have messed with these countless times, trying to achieve fast gigabit speeds. I know that often I have wondered if some of these settings might not limit bandwidth.

    As a definite method on a local network you could set the nic to 10mb only. Even forcing to half-duplex will sometimes slow things down, depending on hardware. If your focus is for internet, I am not sure. It is usually so far under even 10mb.

    Yes, I would poke around and see what could be set from within the registry. Even examining driver .inf files for different cards can produce some values that can be used that you often do not see. I have a .inf to .reg converter I made if you need it. Never tried it on driver .inf files, too many different sections. But you never know.

    Good luck. Sounds very interesting.

    Sul.
     
  16. cyberd

    cyberd Registered Member

    Joined:
    Feb 9, 2009
    Posts:
    9
    Location:
    GREECE
    @Sully

    My problem is not internet bandwidth - but I want to make more complicated connections with my server PC/clients... For example I want 192.168.168.2 to have 8mbps and 1mbps upload, or 192.168.168.3 to have 90Mbps and 10Mbps... something like Bandwidth Manager / NetLimiter software or the bandwidth controllers that are sold at internet software stores...

    But all this I want to make myself, or with the help of a lightweight utility... I don't think the registry can help... :-( or I don't know the way..

    Any other idea - or solution found yet?
     
  17. cyberd

    cyberd Registered Member

    Joined:
    Feb 9, 2009
    Posts:
    9
    Location:
    GREECE
    I've found this:

    WinTC

    This does the job I am talking about... but it seems unstable... and I don't know exactly how to use it... But it is a start...
     
  18. cyberd

    cyberd Registered Member

    Joined:
    Feb 9, 2009
    Posts:
    9
    Location:
    GREECE
    Can someone tell me the difference between '+' and '=' in filtering...
    and explain the difference to me with a sample?

    If I set a preshared string for a range (192.168.168.*), can I have an exception for IPs that don't have the preshared key, so they can look at all that have it (preshared) on port 80?
     
  19. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    + means both directions, = means one direction.

    src=dest

    me:port=isp:53 (this says allow me out to remote address port 53)

    src+dst

    me:port+isp:53 (this says allow me out to remote address port 53, and also apply the reverse rule: allow from remote address port 53 to me on any port)

    Something like a rule which says to block or allow 168.*, and you want an exception for IPs that have no preshared key? I don't quite follow, as 168.* pretty much wraps your subnet in one rule.

    Preshare String? Please restate this for me.

    Sul.
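    The + versus = distinction explained above, together with the block-all-then-poke-holes pattern of the batch file earlier in this thread, modelled as an added Python example (not code from the thread or from ipseccmd itself): it expands each -f spec into directional filters and decides a packet's fate by the most specific matching filter, which is what lets the broad BLOCK rule coexist with the narrow PASS exceptions. The host address 192.168.1.10 (what ipseccmd writes as 0), the sample packets and the cut-down policy are constructed for the example.

```python
import re
from collections import namedtuple

MY_IP = "192.168.1.10"  # constructed: the host address ipseccmd abbreviates as "0"

Packet = namedtuple("Packet", "src sport dst dport proto")
Filter = namedtuple("Filter", "src sport dst dport proto action")

def _side(text):
    """Parse 'addr[:port[:proto]]' into (addr, port, proto); '*' means any."""
    addr, port, proto = (text.split(":") + ["*", "*"])[:3]
    return (MY_IP if addr == "0" else addr), port, proto.upper()

def parse_filter(spec, action):
    """Expand one -f spec into directional filters: 'A=B' gives A->B only,
    'A+B' gives A->B plus the mirrored B->A (addresses and ports swapped).
    The protocol may be written on either side, as the thread's rules do."""
    m = re.fullmatch(r"(.+?)([+=])(.+)", spec)
    if not m:
        raise ValueError(f"bad filter spec: {spec}")
    sa, sp, sproto = _side(m.group(1))
    da, dp, dproto = _side(m.group(3))
    proto = dproto if dproto != "*" else sproto
    filters = [Filter(sa, sp, da, dp, proto, action)]
    if m.group(2) == "+":
        filters.append(Filter(da, dp, sa, sp, proto, action))
    return filters

def _addr_match(pattern, ip):
    """'192.168.1.*' style wildcard octets; a bare '*' matches everything."""
    if pattern == "*":
        return True
    return all(p in ("*", o) for p, o in zip(pattern.split("."), ip.split(".")))

def _matches(f, pkt):
    return (_addr_match(f.src, pkt.src) and _addr_match(f.dst, pkt.dst)
            and f.sport in ("*", str(pkt.sport))
            and f.dport in ("*", str(pkt.dport))
            and f.proto in ("*", pkt.proto.upper()))

def _specificity(f):
    """Fixed octets, ports and protocol count; wildcards do not."""
    octets = sum(o != "*" for a in (f.src, f.dst) for o in a.split("."))
    return octets + (f.sport != "*") + (f.dport != "*") + (f.proto != "*")

def decide(filters, pkt):
    """The most specific matching filter wins, regardless of listing order;
    with no matching filter at all IPsec lets the packet through."""
    hits = [f for f in filters if _matches(f, pkt)]
    return max(hits, key=_specificity).action if hits else "PASS"

# Cut-down "Firewall" policy from the batch file earlier in the thread
# (constructed here; the DNS server address is the one that script uses).
POLICY = [
    ("*:*:*+*:*:*", "BLOCK"),                   # master block-all rule
    ("0:*:*+192.168.1.*:*:*", "PASS"),          # LAN
    ("0:*:UDP+223.211.190.23:53:UDP", "PASS"),  # DNS to one named server
    ("0:*:TCP+*:80:TCP", "PASS"),               # HTTP
    ("0:*:TCP+*:443:TCP", "PASS"),              # HTTPS
]
FILTERS = [f for spec, act in POLICY for f in parse_filter(spec, act)]

if __name__ == "__main__":
    for pkt in (Packet(MY_IP, 50000, "93.184.216.34", 80, "TCP"),
                Packet("93.184.216.34", 80, MY_IP, 50000, "TCP"),  # mirrored hole
                Packet("93.184.216.34", 4444, MY_IP, 445, "TCP"),
                Packet(MY_IP, 5000, "8.8.8.8", 53, "UDP")):        # DNS not listed
        print(decide(FILTERS, pkt), pkt)
```

    Note the second sample packet: because the HTTP rule uses +, a remote host sending from source port 80 is also let in to any port on this host, which is the mirrored rule Sully describes above.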
     
  20. cyberd

    cyberd Registered Member

    Joined:
    Feb 9, 2009
    Posts:
    9
    Location:
    GREECE
    Well, as you know (I hope that ;-) ), with ipsec you can set a preshared string key (like WEP) so all data in the LAN will be encrypted - so all computers must run this ipsec policy with the preshared key!

    example:
    So I have two LANs, one private and one public (internet cafe customers) - I want the private one using the preshared key (this I am doing well), but I want one PC to have access (PASS without encryption - setting an exception at the private PCs that this IP will pass)

    the command (it works OK - tested for a network 192.168.0.0/255.255.0.0):
    and I want, if the PC 192.168.0.10 is not running the above command, for it to pass at the private PCs (running the command) using a PASS (ipsec command)

    Is it possible?
     
  21. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Hmm. I have largely studied ipsec for its filtering capabilities, not for encryption. I will check it out, I am interested now. I might be able to use it in a scenario such as yours.

    Sul.
     
  22. cyberd

    cyberd Registered Member

    Joined:
    Feb 9, 2009
    Posts:
    9
    Location:
    GREECE
    @sully
    OK, I'll be waiting for an answer too.. if you find anything - but after a lot of searching I've understood why Microsoft didn't proudly present those options... because they don't really have advanced options :-(

    but you may find something...
     
  23. Loki

    Loki Registered Member

    Joined:
    May 26, 2002
    Posts:
    193
    Location:
    Lake Worth, Florida, USA