Steps to turn on optional IPsec on a Windows XP computer
This is a form of Opportunistic Encryption (OE). In Windows terms the behaviour is "Request Security": attempt to negotiate IPsec with the peer and, if that fails, carry on in plaintext. In practice that is mostly what happens, although I have seen some oddities where drive mapping and the like were ornery. Keep the fall-back in mind: OE protects against passive eavesdropping, but an attacker who can block or tamper with the IKE exchange can force the conversation back to plaintext, so it is no substitute for a policy that requires security where you actually need it. As usual, the more people who run IPsec, the more of your traffic will cross the internet protected.
Perform the following to enable IPsec. Start an empty console with Start > Run > mmc, then add the snap-ins:
File > Add/Remove Snap-in > Add, and add each of the following in turn:
  Certificates > My user account > Finish
  Certificates > Computer account > Local computer > Finish
  IP Security Monitor > Add
  IP Security Policy Management > Local computer > Finish
Close > OK
Browse to IP Security Policies on Local Computer, right click on "Server (Request Security)" and choose Assign.
IPsec is now requested for all IP traffic, authenticated with Kerberos (the Windows default).
Kerberos only works correctly in an Active Directory environment, so the default configuration has to be modified before IPsec can be negotiated with arbitrary internet hosts.
Windows IPsec can authenticate peers in three ways: Kerberos (the default), X.509 certificates, and a preshared key (PSK). PSK works, but the key has to be shared in advance with every host you want to talk to, and a secret known to many hosts is only as safe as the least careful of them. It cannot "just work" with strangers, because they will not have the key.
Kerberos works well inside a LAN where a KDC/Active Directory is configured. It also works across the internet for machines that are members of your domain (or a trusted one) and can reach the KDC, but it cannot authenticate strangers, since they have no account in your realm.
X.509 certificate authentication is the best choice overall. You can create your own CA and certificates with OpenSSL or the like, or have an existing CA issue one. For OE the widest possible interoperability is the goal, so a certificate from a CA whose root is already trusted on most Windows machines gives the greatest opportunity for IPsec connections. It is also possible to configure multiple CAs and certificates, but this appears to lengthen the time it takes to give up and fall back to plaintext with peers that do not speak IPsec.
There are many places on the web that detail how to create your own CA and certs.
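As an added example (not from the original page), the following OpenSSL script does the "create your own CA" option from above end to end: it builds a small private root CA, issues one host certificate carrying exactly the four IPsec purposes that the Windows steps later on enable on the Thawte chain (IP security end system, tunnel termination, user, and IKE intermediate, as EKU OIDs in the certificate itself), and packages cert, key and root as a PKCS#12 file for the Windows import wizard. The CA name, host name, directory and the password are placeholders.

```shell
#!/bin/sh
# Added example: build a private CA and issue one IPsec-capable host
# certificate with OpenSSL, then package it for import into the Windows
# Certificates (Local Computer) > Personal store. All names, paths and the
# password are placeholders; adjust for your own hosts.
set -eu

# EKU OIDs that Windows lists as "IP security end system", "IP security tunnel
# termination", "IP security user" and "IP security IKE intermediate".
IPSEC_EKUS="1.3.6.1.5.5.7.3.5, 1.3.6.1.5.5.7.3.6, 1.3.6.1.5.5.7.3.7, 1.3.6.1.5.5.8.2.2"

write_openssl_config() {
    # $1 = output path. One config file serves both the CA self-sign and the leaf.
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext

[ dn ]
CN = Example OE Root CA

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $IPSEC_EKUS
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:host.example.invalid
EOF
}

make_ipsec_ca() {
    # $1 = working directory. Produces ca.crt/ca.key, host.crt/host.key and host.pfx.
    dir=$1
    write_openssl_config "$dir/ipsec.cnf"

    # Self-signed root. ca.key stays on the issuing machine; only ca.crt is distributed.
    openssl req -new -x509 -config "$dir/ipsec.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 3650 -sha256 2>/dev/null

    # Host key and CSR. For OE the subject is irrelevant to peers; only the chain matters.
    openssl req -new -config "$dir/ipsec.cnf" -subj "/CN=host.example.invalid" \
        -newkey rsa:2048 -nodes -keyout "$dir/host.key" -out "$dir/host.csr" 2>/dev/null

    # Issue the host cert with the IPsec EKUs from [leaf_ext].
    openssl x509 -req -in "$dir/host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/ipsec.cnf" -extensions leaf_ext -out "$dir/host.crt" 2>/dev/null

    # PKCS#12 bundle (cert + private key + root) for the Windows import wizard.
    # Windows XP cannot read the AES/PBKDF2 bundles modern OpenSSL emits by default,
    # so force the SHA1/3DES PBE it understands. Replace the password before real use.
    openssl pkcs12 -export -inkey "$dir/host.key" -in "$dir/host.crt" \
        -certfile "$dir/ca.crt" -name "IPsec OE host certificate" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout pass:changeit -out "$dir/host.pfx"
}

check_ipsec_eku() {
    # $1 = certificate file. Succeeds only if all four IPsec purposes are present.
    eku=$(openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;p;}')
    for name in "IPSec End System" "IPSec Tunnel" "IPSec User"; do
        printf '%s\n' "$eku" | grep -q "$name" || return 1
    done
    # OpenSSL prints the IKE intermediate OID dotted or by name, depending on version.
    printf '%s\n' "$eku" | grep -Eiq '1\.3\.6\.1\.5\.5\.8\.2\.2|IKE'
}

verify_chain() {
    # $1 = working directory. The same chain check Windows performs against the root.
    openssl verify -CAfile "$1/ca.crt" "$1/host.crt" >/dev/null
}

WORKDIR=$(mktemp -d)
make_ipsec_ca "$WORKDIR"
check_ipsec_eku "$WORKDIR/host.crt"
verify_chain "$WORKDIR"
echo "host.pfx ready in $WORKDIR: import it into Certificates (Local Computer) > Personal"
```

Import host.pfx with the Certificate Import Wizard into the Local Computer > Personal store (the wizard places the root in Trusted Root Certification Authorities if you let it), then add "Example OE Root CA" to the policy's authentication methods the same way the Thawte CA is added below. Because the CA is private, only hosts you issued certificates to can complete IKE with you, which is the opposite trade-off from the public Freemail CA: less opportunistic reach, but no strangers.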
There are several CAs from which you can obtain a free cert:
A common CA from which to obtain a free personal cert is Thawte, with what they call a Freemail cert: you give them your email address and they issue you a cert. The benefit is that the Thawte Personal Freemail root CA certificate is already installed in Windows XP. It is possible to use one cert on many computers, although this is not recommended: a compromise of one machine gives the attacker the private key, and with it the ability to authenticate as any of the machines sharing that certificate. It could also cause problems if the same cert is used for secure e-mail. Windows XP offers no easy way to inspect which certificate a remote peer authenticated with. If you are nonetheless concerned about anonymity, enrol an anonymous cert or use a shared one.
Thawte does not vouch for the identity of Freemail cert holders, only that the supplied e-mail address is valid. These certs can be used anonymously, or you can participate in Thawte's "Web of Trust", which works like a PGP web of trust: two individuals verify your identity before your name is listed on your Freemail cert. Generally the goal of Opportunistic Encryption is not to authenticate the identity behind the traffic, but to keep it from prying eyes and to ensure it is not tampered with in transit. It is somewhat like an SSL connection to a web merchant: your browser does not certify that you are a specific person, only that the traffic between you (a stranger to the merchant) and the merchant is encrypted and has not been tampered with in transit.
So sign up for the Thawte Personal Email Certificate:
Then download the new cert into the browser in which you enrolled, since that browser holds the private key. With Internet Explorer the cert and key land in your Windows personal certificate store. Firefox keeps its own certificate database rather than using the Windows store, so from Firefox use Certificate Manager > Your Certificates > Backup to export the cert with its private key as a PKCS#12 (.p12) file, then import that into Certificates - Current User > Personal.
Go back to the mmc console, browse to "Certificates - Current User" > Personal > Certificates. Copy the "Thawte Freemail Member" cert, browse to "Certificates (Local Computer)" > Personal > Certificates and paste it. Open the pasted cert and confirm that the General tab says "You have a private key that corresponds to this certificate": IKE runs under the computer account and cannot use a cert whose key it does not hold. If the key did not come along, import the PKCS#12 file directly into the Local Computer > Personal store instead.
Now we have to authorize the CA for IPsec use. In Personal > Certificates, one of the columns is "Issued By": the CA that signed this certificate and thereby vouches for it. Windows decides what a certificate may be used for from the purposes (enhanced key usages) of every certificate in its chain, and the purposes set on a root's Properties page override those in the root certificate itself. So IPsec has to be an enabled purpose all the way up the chain to the root.
Browse to Certificates (Local Computer) > Third-Party Root Certification Authorities > Certificates. Choose "Thawte Personal Freemail CA", right click and choose Properties. Tick "Enable only the following purposes:" and select at a minimum IP Security End System, IP Security Tunnel Termination, IP Security User and IP Security IKE Intermediate. Client Authentication and Secure Email can also be enabled if desired. Leave everything else off: a purpose not ticked here cannot be exercised by any certificate under this root on this machine, which is exactly what you want for a public CA you trust only for OE.
Next, browse to Certificates (Local Computer) > Intermediate Certification Authorities > Certificates. Choose "Thawte Personal Freemail Issuing CA", right click and choose Properties. In this case just tick "Enable all purposes for this certificate." This is fine because the effective purposes are already limited by "Thawte Personal Freemail CA", which signed this certificate.
Lastly, browse to Certificates (Local Computer) > Personal > Certificates. Choose "Thawte Freemail Member", right click and choose Properties. Tick "Enable all purposes for this certificate."
Now that the certificates are configured, we can add the new CA to the list of accepted CAs for IPsec:
Browse to IP Security Policies on Local Computer > Server (Request Security), right click and choose Properties. Double click on "All IP Traffic", choose the Authentication Methods tab > Add > Use a certificate from this certification authority (CA). Choose "Thawte Personal Freemail CA" (there are several Thawte CAs listed; pick the root you restricted above) and click OK.
If you are not in an Active Directory domain, highlight Kerberos and remove it as an authentication method, since it cannot succeed with peers outside a domain. Arrange the remaining methods in the order you want them tried.
Now go back to Server (Request Security) > Properties, choose <Dynamic> (the default response rule, which answers IPsec requests initiated by peers) > Edit, and add the CA to its Authentication Methods just as above.
Now you will accept IPsec connections from anyone who offers a cert from a CA listed in your Authentication Methods. Note what that means with a public CA like Freemail: any stranger holding such a cert can authenticate to you, so the CA list governs who you can encrypt with, not who may access anything; keep your firewall rules and host authorization independent of it. You probably also need to make sure your router passes IPsec traffic: UDP 500 for IKE, IP protocol 50 (ESP), and UDP 4500 if NAT traversal is in play.
To monitor IPsec connections go to the mmc console, IP Security Monitor > (Machine Name) > Quick Mode > Security Associations. An active IPsec connection shows 3DES (or DES) under ESP Confidentiality and SHA1 or MD5 under ESP Integrity. DES is a 56-bit cipher and offers little protection against a determined attacker; if you would rather not accept it, remove the DES entries from the filter action's Security Methods list in the policy.
In conclusion, the basic steps to Windows XP IPsec OE are:
- assign the Server (Request Security) policy via mmc
- obtain a cert (enrolled through a browser, or issued by your own CA)
- make the cert, with its private key, available to the computer account
- enable the IPsec purposes on the CA chain
- add this CA to the policy's authentication methods (and drop Kerberos if you are not in a domain)
L2TP/NAT-T for Windows XP
Microsoft added NAT traversal (NAT-T, which carries IKE and ESP inside UDP on port 4500) to IPsec in various service packs. Windows XP SP2 ships with it restricted: by default it will not set up an IPsec security association to a peer that is itself behind a NAT device, and this has to be explicitly enabled. This Microsoft Knowledge Base article explains how to do so.