
Journal: Windows XP IPsec Configuration

Steps to turn on optional IPsec on a Windows XP computer

This is a form of Opportunistic Encryption (OE). In Windows terms the "Request Security" policy means: attempt an IPsec negotiation, and if it fails fall back to plaintext. That is mostly what happens in practice, although I have seen some oddities where drive mapping and the like were ornery. As usual, the more hosts that run IPsec, the more of your internet traffic travels encrypted.

Perform the following to enable IPsec:

Start>run: mmc

File>Add/remove snapin>Add> Certificates > My User Account > Finish

> Certificates > Computer Account > Local Computer > Finish

> IP Security Monitor> Add

> IP Security Policy Management > Local Computer > Finish

> Close > Ok

Browse to IP Security Policies on Local Computer, right click on "Server (Request Security)" and choose Assign.

Opportunistic IPsec is now enabled, using Kerberos authentication.

Kerberos only works correctly in an Active Directory environment, so the default configuration has to be modified before IPsec can be negotiated with arbitrary internet hosts.

There are three types of authentication which Windows IPsec can use: Kerberos (default), x.509 certificates, and preshared key (PSK). PSK is ok, but it requires sharing the key with all hosts with which IPsec communications are desired. It won't "Just Work" with strangers (because they won't have the key).

Kerberos works well inside a LAN where a KDC (Active Directory) is configured. In principle it also works across the internet if both peers are domain members and can reach the KDC, but it does nothing for strangers.

X.509 certificate authentication seems to be the best choice overall. You can either create your own CA and certs with OpenSSL or the like, or have an existing CA issue you a cert. For OE the best choice is a certificate from a widely recognized CA: the CA with the widest distribution of certificates gives the greatest number of peers that can negotiate with you. Remember the flip side: every holder of a certificate from that CA then becomes an acceptable IPsec peer. It is also possible to list multiple CAs and certificates, but this appears to lengthen the fallback time for non-IPsec connections.

There are many places on the web which detail how to create your own CA and certs.

There are several CAs from which you can obtain a free cert.

A common one is Thawte, with what they call a Freemail cert: you give them your e-mail address and they issue you a cert. (Thawte discontinued its free personal e-mail certificates in 2009, so today you need another CA or your own; the rest of the procedure is unchanged.) The benefit is that the Thawte Personal Freemail root certificate is already installed in Windows XP. It is possible to use one cert on many computers, but this is not recommended: a compromise of one machine lets the attacker authenticate as any of the machines sharing that certificate, and it can also cause problems if the same cert is used for secure e-mail. It appears to be difficult to see the remote peer's authentication certificate from within Windows XP. If anonymity matters to you, create an anonymous cert or use a shared one.

Thawte does not vouch for the identity of Freemail cert holders, only that the supplied e-mail address was reachable when the cert was issued. You can use such a cert anonymously or join their "Web of Trust", which works like a PGP web of trust: two notaries verify your identity before your name is put on the cert. For Opportunistic Encryption the goal is usually not to authenticate who the peer is, but to hide traffic from passive observers and to detect tampering in transit. Be clear about what that buys you: if your policy accepts any certificate chained to a public CA, then anyone who can obtain a cert from that CA (for Freemail, anyone with an e-mail address) can pose as your peer, so this defeats passive eavesdropping but not an active man-in-the-middle who also holds such a cert. The SSL analogy is only partial: a browser does verify the merchant's identity against its certificate while the merchant learns nothing about who you are; with OE as configured here neither side is really identified.

So sign up for the Thawte Personal Email Certificate:

Then complete the enrolment in Internet Explorer rather than Firefox: IE generates the key pair and stores the issued certificate in the Windows Current User > Personal store, which is where the next step looks for it. Firefox keeps its own certificate database and does not write to the Windows store, so if you enrolled there you must export the cert together with its private key as a PKCS#12 (.p12/.pfx) file and import that file into the Windows store.

Go back to the mmc console, browse to "Certificates - Current User" > Personal > Certificates. Copy the "Thawte Freemail Member" cert, browse to "Certificates (Local Computer)" > Personal > Certificates, and paste it. IKE runs under the computer account, so it needs the private key, not just the public certificate: if IKE later logs a certificate error, export the cert from the user store with "Yes, export the private key" as a .pfx and import that file into Certificates (Local Computer) > Personal instead of using copy and paste.

Now we have to authorize the CA for use with IPsec. In Personal > Certificates, one of the columns is "Issued By": the CA that signed this certificate, vouching for it. Windows determines what a certificate may be used for from the purposes (enhanced key usages) enabled along the whole chain, so IPsec has to be enabled on the root of the chain.

Browse to Certificates (Local Computer) > Third-Party Root Certification Authorities > Certificates. Choose "Thawte Personal Freemail CA", right click and choose Properties. Tick "Enable only the following purposes:" and select at least IP Security End System, IP Security Tunnel Termination, IP Security User, and IP Security IKE Intermediate. Client Authentication and Secure Email can also be enabled if desired. This is a local trust setting on this machine only; it does not alter the certificate, so it must be repeated on every host you configure.

Next, browse to Certificate (Local Computer) > Intermediate Certification Authorities. Choose "Thawte Personal Freemail Issuing CA", right click and choose Properties. In this case, just tick "Enable all purposes for this certificate." This is fine as the purposes are controlled by "Thawte Personal Freemail CA", which has signed this certificate.

Lastly, browse to Certificate (Local Computer) > Personal > Certificates. Choose "Thawte Freemail Member", right click and choose Properties. Tick "Enable all purposes for this certificate."

Now that the certificates are configured, we can add the new CA to the list of accepted CAs for IPsec:

Browse to IP Security Policies on Local Computer > Server (Request Security), right click and choose Properties. Double click "All IP Traffic", open the Authentication Methods tab > Add > "Use a certificate from this certification authority (CA)". Choose "Thawte Personal Freemail CA" (there are several Thawte CAs listed; pick the root you enabled for IPsec above) and click OK.

If you are not in an Active Directory domain, highlight Kerberos and delete it as an authentication method. Rearrange the authentication Methods in the order you want them to be.

Now go back to Server (Request Security) > Properties and now choose <Dynamic> > Edit and add the CAs just like you did above.

Now you will accept IPsec connections from everyone who offers a cert from a CA listed in your Authentication Methods. Also check that your router or firewall passes IPsec: IKE on UDP port 500, NAT-T on UDP port 4500, and ESP (IP protocol 50) when no NAT is involved.

To monitor IPsec connections go to the mmc console, IP Security Monitor > (Machine Name) > Quick Mode > Security Associations. An active IPsec connection shows 3DES (or DES) under ESP Confidential. Windows XP IPsec offers only DES and 3DES; single DES is weak, so remove it from the policy's security methods so that 3DES is the only cipher that can be negotiated.

So in conclusion the basic steps to Windows XP IPsec OE are to:

  1. turn on IPsec option via mmc
  2. Create a cert (and import it into a browser)
  3. Make the cert available to the Windows computer account
  4. Add IPsec to the purpose of the CA
  5. Add this CA to the list of IPsec CAs
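The same configuration as a script, using the netsh ipsec static context that ships with Windows XP SP2 and later. This is an added example, not part of the original journal entry. It assumes the Freemail Member certificate and its private key are already in Certificates (Local Computer) > Personal and that the IPsec purposes have been enabled on the root in the MMC (steps 3 and 4 above have no netsh equivalent), and the ROOTCA value is an assumed subject DN that you must check against the "Issued By" field of your own copy of the root. Instead of editing the built-in "Server (Request Security)" policy it creates a separate one, restricted to 3DES, with Kerberos removed and the CA added to both the traffic rule and the default response rule.

```batch
@echo off
rem Added example: scripted equivalent of the MMC steps for Windows XP IPsec OE.
rem Assumption: ROOTCA is the exact subject DN of the root that issued your cert;
rem compare it with the certificate's "Issued By" chain in the MMC before running.
setlocal

set POLICY=OE Request Security
set FLIST=All IP Traffic OE
set FACTION=Request Security 3DES only
set ROOTCA=C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting,OU=Certification Services Division,CN=Thawte Personal Freemail CA

rem Main mode offers 3DES/SHA1 with DH group 2 only; the built-in policy also offers DES.
netsh ipsec static add policy name="%POLICY%" description="Request IPsec, fall back to clear" mmsecmethods="3DES-SHA1-2" assign=no

rem Filter list: everything to and from this host, both directions.
netsh ipsec static add filterlist name="%FLIST%"
netsh ipsec static add filter filterlist="%FLIST%" srcaddr=me dstaddr=any protocol=ANY mirrored=yes

rem "Request Security" semantics: negotiate, accept unsecured inbound (inpass=yes),
rem fall back to clear text when the peer does not answer IKE (soft=yes).
rem Quick mode is pinned to ESP 3DES/SHA1; DES is deliberately left out.
netsh ipsec static add filteraction name="%FACTION%" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem Rule for all traffic: certificate authentication from ROOTCA, Kerberos off
rem (kerberos=no is what deleting Kerberos in the MMC does for non-domain hosts).
netsh ipsec static add rule name="All traffic, cert auth" policy="%POLICY%" filterlist="%FLIST%" filteraction="%FACTION%" kerberos=no rootca="%ROOTCA% certmap:no excludecaname:no"

rem The <Dynamic> default response rule needs the same CA, as in the MMC step.
netsh ipsec static set defaultrule policy="%POLICY%" activate=yes kerberos=no rootca="%ROOTCA% certmap:no excludecaname:no"

rem Assign the policy (right-click > Assign); only one policy can be assigned at a time,
rem so this also unassigns "Server (Request Security)" if it was active.
netsh ipsec static set policy name="%POLICY%" assign=yes

rem Verification: show what was configured, then the live quick-mode SAs.
rem A peer that negotiated appears with ESP 3DES; a peer without a cert appears
rem nowhere here and is talking in clear, which is the OE fallback.
netsh ipsec static show policy name="%POLICY%"
netsh ipsec dynamic show qmsa all
endlocal
```

Run it from an administrator command prompt; `netsh ipsec static delete policy name="OE Request Security"` removes the policy again if you want to go back to the built-in one.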

L2TP/NAT-T for Windows XP

Microsoft has added NAT traversal (NAT-T, IKE and ESP encapsulated in UDP port 4500) support to IPsec in various service packs. Windows XP SP2 changed the default: it no longer initiates NAT-T to a peer that is itself behind a NAT unless this is explicitly enabled in the registry. This Microsoft Knowledge Base article explains how to do so.

Wireless Networking

Journal: Thibor12 HyperWRT

I've rebuilt my home network using Thibor's HyperWRT release, Thibor12, available at

This is the best firmware release for Linksys routers I've used so far, very fast and stable.

I'm running WDS+WPA-PSK between Linksys routers and a Belkin F5D7230-4 router with no problems.

Wireless Networking

Journal: Thibor HyperWRT 2.1b-201105 performance

I have just done some performance testing with this firmware running on Linksys WRT54GS v.3 hardware. I did discover that WDS mode at a minimum requires that you enter the master router MAC address into the remote router. Anyway, here are the results:

AP <-> WET
  • Rate: 2.75 MB/sec
  • Rate: 2.75 MB/sec
  • with afterburner_override=1 Rate: 2.55 MB/s

MB = 1,000,000 bytes

This testing was done by monitoring the maximum data rate while transferring a file in one direction across the link. I was somewhat surprised at the results with afterburner_override enabled, which is supposed to enable afterburner mode when using WDS. I'm curious to see if this is typical.

Wireless Networking

Journal: WRT54GS v.3 3rd party firmware compatibility

CronScript has recently purchased two Linksys WRT54GS v.3 routers which were running the Linksys 4.70.6 firmware.

Sveasoft Alchemy V1.0 firmware bricked the router. Don't try it! It is not compatible with the GS v.3 hardware. Shorting pins 5 and 6 on the flash booted the unit into failsafe mode and allowed a tftp firmware upload.

FreemanBasic V1.0.4 gave me upgrade failed errors.

DD-WRT v22, all versions, gave me upgrade failed errors. DD-WRT v23 should work on this router, but read the wiki before attempting to use it as you have to pick the correct firmware edition.

The Thibor release of HyperWRT 201105 did flash to the router and seems to work well. Supposedly, after flashing HyperWRT, the router will allow flashing Freeman and DD-WRT but I haven't tried this yet. Apparently, the bootloader shipped with the Linksys 4.70.6 firmware checks version numbers on the incoming firmware and refuses to do a downgrade.
