Configuring Windows 2000/XP IPsec for Site-to-Site VPN
November 2002
Copyright © 2002 SofaWare Technologies Inc, All Rights Reserved. Reproduction, adaptation, or translation with prior written permission is prohibited except as allowed under copyright laws.
Introduction
This document explains how to configure Microsoft Windows 2000, Windows 2000 Server, and Windows XP IPsec for the Site-to-Site VPN solutions.
Figure 1 shows a sample implementation of this solution, in which a Safe@Office appliance is connected to a Windows machine in a Site-to-Site VPN.
Figure 1: Safe@Office to Windows 2000/XP IPsec (Site-to-Site VPN)
Scenarios
This document provides solutions for the following four scenarios:
• Windows Gateway to Safe@Office in Unrestricted Mode
Traffic is encrypted between the gateways’ subnets (Network A to Network B).
• Windows Gateway to Safe@Office in Restricted Mode
Traffic is encrypted between the network behind the Windows gateway and the Safe@Office WAN IP address (Network A to Safe@Office external IP).
• Windows Host to Safe@Office in Unrestricted Mode
Traffic is encrypted between the Windows host and the Safe@Office internal network (Windows machine to Network B).
• Windows Host to Safe@Office in Restricted Mode
Traffic is encrypted between the Windows host and the Safe@Office WAN IP address (Windows machine to Safe@Office external IP).
Note: For all the scenarios above, the configuration of the Windows machine is identical, except for the Filter Properties configuration. For further information, see pages 11 and 16.
Important: Both the Safe@ gateway and Windows machine must be configured with a static IP address. DHCP mode in the Windows machine may not work properly.
Contacting Technical Support
To contact technical support, send an email to: support@sofaware.com
Configuring Windows 2000/XP
Note: The screens shown below appear in both Windows 2000 and XP.
Note: The IP addresses in Figure 1, page 1, appear in the screens below as an example.
Important: Additional security software installed on the Windows machine (for example, Check Point SecuRemote) may prevent the tunnel from working properly.
To configure Windows 2000/XP for Site-to-Site VPN
1. Create an IP security policy by doing the following:
a. Open the Windows Control Panel.
b. In the Administrative Tools menu, click Local Security Policy.
The Local Security Settings window opens.
c. Double-click on IP Security Policies On Local Machine.
The IP security policies on the local machine are displayed in the right-hand pane.
d. In the Action menu, click Create IP Security Policy.
The IP Security Policy Wizard opens with the Welcome to the IP Security Policy wizard dialog box displayed.
e. Click Next.
The IP Security Policy Name dialog box appears.
f. In the Name field, enter the policy’s name. In the example above, the policy’s name is “New_Policy”.
g. Click Next.
The Requests for Secure Communication dialog box appears.
h. Clear the Activate the default response rule check box.
i. Click Next.
The Completing the IP Security Policy Wizard dialog box appears.
j. Clear the Edit properties check box.
k. Click Finish.
The new policy appears in the Local Security Settings window.
2. Double-click on the new policy.
The Properties dialog box appears, with the Rules tab displayed.
3. Clear the Use Add Wizard check box.
4. Click Add….
The New Rule Properties dialog box appears, with the IP Filter List tab displayed.
5. Create an A to B IP filter for the security policy, by doing the following:
a. Click Add….
The IP Filter List dialog box appears.
b. In the Name field, type “A to B”.
c. Clear the Use Add Wizard check box.
d. Click Add….
The Filter Properties dialog box appears, with the Addressing tab displayed.
e. Select one of the following filters:
• Windows Gateway to Safe@Office, Unrestricted Mode
• Windows Host to Safe@Office, Unrestricted Mode
• Windows Host to Safe@Office, Restricted Mode
• Windows Gateway to Safe@Office, Restricted Mode
f. Clear the Mirrored check box.
g. Click on the Description tab.
The Description tab is displayed.
h. If desired, in the Description area, type a description of the filter.
i. Click OK.
The New Rule Properties dialog box reappears, with the IP Filter List displayed. The new filter appears in the IP Filter Lists area.
6. Create a B to A IP filter for the security policy, by doing the following:
a. Click Add….
The IP Filter List dialog box appears.
b. In the Name field, type “B to A”.
c. Clear the Use Add Wizard check box.
d. Click Add….
The Filter Properties dialog box appears, with the Addressing tab displayed.
e. Select one of the following filters:
• Windows Gateway to Safe@Office, Unrestricted Mode
• Windows Host to Safe@Office, Unrestricted Mode
• Windows Host to Safe@Office, Restricted Mode
• Windows Gateway to Safe@Office, Restricted Mode
f. Clear the Mirrored check box.
g. Click on the Description tab.
The Description tab is displayed.
h. If desired, in the Description area, type a description of the filter.
i. Click OK.
The New Rule Properties dialog box reappears, with the IP Filter List displayed. The new filter appears in the IP Filter Lists area.
7. In the IP Filter Lists area, click A to B.
8. Set the filter action for the A to B IP filter, by doing the following:
a. Click the Filter Action tab.
The Filter Action tab is displayed.
b. Clear the Use Add Wizard check box.
c. Click Add….
The New Filter Action Properties dialog box appears, with the Security Methods tab displayed.
Do the following:
1) Click Negotiate Security.
2) Clear the Accept unsecured communications, but always respond using IPsec check box.
3) Clear the Allow unsecured communications with non IPsec-aware computer check box.
4) Click Add….
The New Security Method dialog box appears, with the Security Method tab displayed.
d. Click Custom.
e. Click Settings….
The Custom Security Method Settings dialog box appears.
Do the following:
1) Clear the Data and address integrity without encryption (AH) check box.
2) Select the Data integrity and encryption (ESP) check box.
3) From the Integrity Algorithm drop-down list, select SHA1.
4) From the Encryption Algorithm drop-down list, select 3DES.
5) In the Session Key Settings area, clear all check boxes.
6) Click OK.
The New Filter Action Properties dialog box reappears, with the Security Methods tab displayed.
The new security method is listed in the Security Method preference order area.
f. Click the General tab.
The General tab is displayed.
g. In the Name field, type Encrypt.
h. Click OK.
The New Rule Properties dialog box reappears, with the Filter Action tab displayed. The Encrypt action is listed in the Filter Actions area.
i. In the Filter Actions area, click Encrypt.
j. Click the Authentication Methods tab.
The Authentication Methods tab is displayed.
k. Click Add….
The New Authentication Method Properties dialog box appears, with the Authentication Method tab displayed.
Do the following:
1) Click Use this string to protect the key exchange (preshared key).
2) In the text box, type the preshared key.
Note: Use this preshared key as the Preshared Secret password, when you create the tunnel from the Safe@ gateway to the Windows machine.
3) Click OK.
The New Rule Properties dialog box reappears, with the Authentication Methods tab displayed.
The new authentication method (“Preshared Key”) is listed in the Authentication Method preference order area.
l. Select Kerberos.
m. Click Remove.
A confirmation message appears.
n. Click Yes.
The Kerberos method is deleted from the Authentication Method preference order area.
o. Click on the Tunnel Settings tab.
The Tunnel Settings tab is displayed.
p. Click The tunnel endpoint is specified by this IP Address.
q. In the text box, type the Safe@ gateway’s IP address.
r. Click on the Connection Type tab.
The Connection Type tab is displayed.
s. Click All network connections.
t. Click Close.
9. Set the filter action for the B to A IP filter, by doing the following:
a. Click Add….
The New Rule Properties dialog box appears, with the IP Filter List tab displayed.
b. In the IP Filter Lists area, click B to A.
c. Click the Filter Action tab.
The Filter Action tab is displayed.
d. In the Filter Actions area, click Encrypt.
e. Click the Authentication Methods tab.
The Authentication Methods tab is displayed.
f. Click Add….
The New Authentication Method Properties dialog box appears, with the Authentication Method tab displayed.
Do the following:
1) Click Use this string to protect the key exchange (preshared key).
2) In the text box, type the preshared key.
Note: Use this preshared key as the Preshared Secret password, when you create the tunnel from the Safe@ gateway to the Windows machine.
3) Click OK.
The New Rule Properties dialog box reappears, with the Authentication Methods tab displayed.
The new authentication method (“Preshared Key”) is listed in the Authentication Method preference order area.
g. Select Kerberos.
h. Click Remove.
A confirmation message appears.
i. Click Yes.
The Kerberos method is deleted from the Authentication Method preference order area.
j. Click on the Tunnel Settings tab.
The Tunnel Settings tab is displayed.
k. Click The tunnel endpoint is specified by this IP Address.
l. In the text box, type the Windows machine’s IP address.
m. Click on the Connection Type tab.
The Connection Type tab is displayed.
n. Click All network connections.
o. Click Close.
The Properties dialog box reappears, with the Rules tab displayed. The B to A filter and its action are listed in the IP Security Rules area.
10. Click Close.
The Local Area Settings window reappears.
11. Right-click on the new IP security policy.
12. From the pop-up menu, select Assign.
The new security policy is assigned to the network adapter.
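The rule pair that steps 5 to 9 build can be written down and checked before it is clicked into the dialogs. The following Python sketch is an added example, not SofaWare or Microsoft code: it derives the two one-way rules for each of the four scenarios and flags the usual mistakes (swapped tunnel endpoints, a mirrored filter, Kerberos left in place). It assumes the filter addresses follow the Scenarios section; the `Rule` model, the function names and every IP address are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addresses (not the values shown in Figure 1).
WINDOWS_IP = "198.51.100.10"   # static address of the Windows machine
SAFE_IP = "203.0.113.20"       # Safe@Office WAN (external) address
NET_A = "192.168.10.0/24"      # network behind a Windows gateway
NET_B = "192.168.20.0/24"      # Safe@Office internal network


@dataclass(frozen=True)
class Rule:
    name: str                      # IP filter list name used in the procedure
    source: str                    # filter source as CIDR (single host = /32)
    destination: str               # filter destination as CIDR
    tunnel_endpoint: str           # address typed on the Tunnel Settings tab
    mirrored: bool = False         # the procedure clears the Mirrored check box
    esp: tuple = ("3DES", "SHA1")  # (encryption, integrity) of the Encrypt action
    auth: tuple = ("preshared",)   # authentication methods left on the rule


def build_rules(windows_ip, safe_ip, windows_role, mode, net_a=None, net_b=None):
    """Return the A to B and B to A rules for one of the four scenarios."""
    windows_ip, safe_ip = str(ip_address(windows_ip)), str(ip_address(safe_ip))
    if windows_role == "gateway":        # Network A sits behind Windows
        side_a = str(ip_network(net_a))
    elif windows_role == "host":         # only the Windows machine itself
        side_a = windows_ip + "/32"
    else:
        raise ValueError("windows_role must be 'gateway' or 'host'")
    if mode == "unrestricted":           # reach the Safe@Office internal network
        side_b = str(ip_network(net_b))
    elif mode == "restricted":           # reach only the Safe@Office WAN address
        side_b = safe_ip + "/32"
    else:
        raise ValueError("mode must be 'unrestricted' or 'restricted'")
    return [
        Rule("A to B", side_a, side_b, tunnel_endpoint=safe_ip),
        Rule("B to A", side_b, side_a, tunnel_endpoint=windows_ip),
    ]


def lint(rules, windows_ip, safe_ip):
    """Return a list of deviations from the procedure (empty list = consistent)."""
    by_name = {r.name: r for r in rules}
    if len(rules) != 2 or set(by_name) != {"A to B", "B to A"}:
        return ["expected exactly one 'A to B' rule and one 'B to A' rule"]
    a2b, b2a = by_name["A to B"], by_name["B to A"]
    problems = []
    if (a2b.source, a2b.destination) != (b2a.destination, b2a.source):
        problems.append("B to A filter is not the exact reverse of A to B")
    if a2b.tunnel_endpoint != safe_ip:
        problems.append("A to B tunnel endpoint must be the Safe@ gateway address")
    if b2a.tunnel_endpoint != windows_ip:
        problems.append("B to A tunnel endpoint must be the Windows machine address")
    for r in (a2b, b2a):
        if r.mirrored:
            problems.append(f"{r.name}: Mirrored check box must be cleared")
        if r.esp != ("3DES", "SHA1"):
            problems.append(f"{r.name}: security method must be ESP 3DES/SHA1")
        if r.auth != ("preshared",):
            problems.append(f"{r.name}: only the preshared key method may remain")
    return problems


if __name__ == "__main__":
    for role in ("gateway", "host"):
        for mode in ("unrestricted", "restricted"):
            rules = build_rules(WINDOWS_IP, SAFE_IP, role, mode, NET_A, NET_B)
            for r in rules:
                print(f"{role:8} {mode:13} {r.name}: "
                      f"{r.source} -> {r.destination} via {r.tunnel_endpoint}")
            print("  problems:", lint(rules, WINDOWS_IP, SAFE_IP) or "none")
```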
Configuring the Safe@Office Appliance
You must create the VPN profile in Safe@Office. For instructions, see the SofaWare S-box Getting Started Guide, “Adding and Editing VPN Sites using SofaWare Safe@Office”, page 102.
Note: While creating the VPN profile, you must select Specify Configuration in the VPN Network Configuration dialog box. Topology download is not supported.
Note: In Restricted mode, in order to forward encrypted traffic to hosts behind the Safe@ gateway, you must define Virtual Server and/or Allow rules. You must select the VPN Only check box for those rules.