Using IPSec between two local link hosts
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Caution
This implementation of IPSec for IPv6 is not recommended for use in a production environment because it relies on static keying and has no provisions for updating keys upon sequence number reuse.
When you manually configure Security Parameters Indexes (SPIs), always use random numbers. Do not use sequential numbers for SPIs, or you will compromise the security of your IPSec for IPv6 policies.
The IPv6 protocol for the Windows Server 2003 family does not support the use of IPSec Encapsulating Security Payload (ESP) encryption. However, the use of ESP with NULL encryption is supported. Although NULL encryption uses the ESP header, only data origin authentication and data integrity services are provided.
This configuration creates an IPSec security association (SA) between two hosts on the same subnet. The SA provides data origin authentication and integrity by using the Authentication Header (AH) with the keyed Message Digest 5 (HMAC-MD5) hashing algorithm. In this example, the configuration secures all traffic between two neighboring hosts. Host 1 has the link-local address FE80::2AA:FF:FE53:A92C, and Host 2 has the link-local address FE80::2AA:FF:FE92:D0F1.
On Host 1, create blank security association (.sad) and security policy (.spd) files by using the ipsec6 s command. In this example, the Ipsec6.exe command is ipsec6 s test. This creates two files with blank entries for manually configuring security associations (Test.sad) and security policies (Test.spd).
On Host 1, edit the .spd file, adding a security policy that secures all traffic between Host 1 and Host 2.
The following table shows the security policy entry that is added to Test.spd before the first entry (the first entry in Test.spd is not modified):
.spd file field name    Example value
--------------------    -------------------------
Policy                  2
RemoteIPAddr            - FE80::2AA:FF:FE92:D0F1
LocalIPAddr             - *
Protocol                - *
RemotePort              - *
LocalPort               - *
IPSecProtocol           AH
IPSecMode               TRANSPORT
RemoteGWIPAddr          *
SABundleIndex           NONE
Direction               BIDIRECT
Action                  APPLY
InterfaceIndex          0
Type a semicolon at the end of the entry configuring this security policy. Policy entries must be placed in decreasing numerical order.
On Host 1, edit the .sad file, adding SA entries to secure all traffic between Host 1 and Host 2. Two security associations must be created, one for traffic to Host 2 and one for traffic from Host 2.
The following table shows the first SA entry that is added to Test.sad (for traffic to Host 2):
.sad file field name    Example value
--------------------    -------------------------
SAEntry                 2
SPI                     3001
SADestIPAddr            FE80::2AA:FF:FE92:D0F1
DestIPAddr              POLICY
SrcIPAddr               POLICY
Protocol                POLICY
DestPort                POLICY
SrcPort                 POLICY
AuthAlg                 HMAC-MD5
KeyFile                 Test.key
Direction               OUTBOUND
SecPolicyIndex          2
Type a semicolon at the end of the entry configuring this SA.
The following table shows the second SA entry that is added to Test.sad (for traffic from Host 2):
.sad file field name    Example value
--------------------    -------------------------
SAEntry                 1
SPI                     3000
SADestIPAddr            FE80::2AA:FF:FE53:A92C
DestIPAddr              POLICY
SrcIPAddr               POLICY
Protocol                POLICY
DestPort                POLICY
SrcPort                 POLICY
AuthAlg                 HMAC-MD5
KeyFile                 Test.key
Direction               INBOUND
SecPolicyIndex          2
Type a semicolon at the end of the entry configuring this SA. SA entries must be placed in decreasing numerical order.
On Host 1, create a file that contains the data used to create and validate the keyed Message Digest 5 (HMAC-MD5) hash on each IPSec-protected packet that is exchanged with Host 2. In this example, a text file is used: Test.key is created with the contents "This is a test". There are no extra characters, spaces, or lines.
The IPv6 protocol supports only manually configured keys for quick mode SAs (also known as IPSec or Phase II SAs), because main mode negotiation through Internet Key Exchange (IKE) is not performed. Manual keys are configured by creating files that contain either the text or binary data of the manual key. In this example, the same key for the SAs is used in both directions. You can use different keys for inbound and outbound SAs by creating different key files and referencing them with the KeyFile field in the .sad file.
On Host 2, use the ipsec6 s command to create blank security association (.sad) and security policy (.spd) files. In this example, the Ipsec6.exe command is ipsec6 s test. This creates two files with blank entries for manually configuring security associations (Test.sad) and security policies (Test.spd).
To simplify the example, the same file names for the .sad and .spd files are used on Host 2. You can choose to use different file names on each host.
On Host 2, edit the .spd file, adding a security policy that secures all traffic between Host 2 and Host 1.
The following table shows the security policy entry that is added to Test.spd before the first entry (the first entry in Test.spd is not modified):
.spd file field name    Example value
--------------------    -------------------------
Policy                  2
RemoteIPAddr            - FE80::2AA:FF:FE53:A92C
LocalIPAddr             - *
Protocol                - *
RemotePort              - *
LocalPort               - *
IPSecProtocol           AH
IPSecMode               TRANSPORT
RemoteGWIPAddr          *
SABundleIndex           NONE
Direction               BIDIRECT
Action                  APPLY
InterfaceIndex          0
Type a semicolon at the end of the entry configuring this security policy. Policy entries must be placed in decreasing numerical order.
On Host 2, edit the .sad file, adding SA entries to secure all traffic between Host 2 and Host 1. Two security associations must be created: one for traffic to Host 1 and one for traffic from Host 1.
The following table shows the first SA entry that is added to Test.sad (for traffic to Host 1):
.sad file field name    Example value
--------------------    -------------------------
SAEntry                 2
SPI                     3000
SADestIPAddr            FE80::2AA:FF:FE53:A92C
DestIPAddr              POLICY
SrcIPAddr               POLICY
Protocol                POLICY
DestPort                POLICY
SrcPort                 POLICY
AuthAlg                 HMAC-MD5
KeyFile                 Test.key
Direction               OUTBOUND
SecPolicyIndex          2
Type a semicolon at the end of the entry configuring this SA.
The following table shows the second SA entry that is added to Test.sad (for traffic from Host 1):
.sad file field name    Example value
--------------------    -------------------------
SAEntry                 1
SPI                     3001
SADestIPAddr            FE80::2AA:FF:FE92:D0F1
DestIPAddr              POLICY
SrcIPAddr               POLICY
Protocol                POLICY
DestPort                POLICY
SrcPort                 POLICY
AuthAlg                 HMAC-MD5
KeyFile                 Test.key
Direction               INBOUND
SecPolicyIndex          2
Type a semicolon at the end of the entry configuring this SA. SA entries must be placed in decreasing numerical order.
On Host 2, create a text file that contains the text string used to authenticate the SAs created with Host 1. In this example, Test.key is created with the contents "This is a test". There are no extra characters, spaces, or lines.
On Host 1, use the ipsec6 l command to add the configured security policies and SAs from the .spd and .sad files. In this example, the ipsec6 l test command is run on Host 1.
On Host 2, use the ipsec6 l command to add the configured security policies and SAs from the .spd and .sad files. In this example, the ipsec6 l test command is run on Host 2.
On Host 2, use the ping command to ping Host 1's link-local address.
If you use Network Monitor to capture the traffic, you should see the exchange of ICMPv6 Echo Request and Echo Reply messages, with an Authentication Header (AH) listed between the IPv6 header and the ICMPv6 header.
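The following added example (not part of the article and not Microsoft's code) generates the mirror-image .spd and .sad entries for both hosts from the field values in the tables above, draws random SPIs as the caution at the top requires instead of the sequential 3000/3001 used for illustration, and checks that each host's OUTBOUND SA is the peer's INBOUND SA (same SPI and SADestIPAddr), a mismatch that otherwise only shows up as a failed ping in the last step. The exact on-disk layout of an entry (one whitespace-separated line ending in a semicolon) is an assumption; the field order and values are taken from the article's tables.

```python
import secrets

HOST1 = "FE80::2AA:FF:FE53:A92C"   # link-local addresses from the article
HOST2 = "FE80::2AA:FF:FE92:D0F1"

# Field order follows the article's .spd and .sad tables. Writing each entry as one
# whitespace-separated, semicolon-terminated line is an assumption of this example.
def spd_entry(remote, policy_index=2):
    values = (policy_index, "- " + remote, "- *", "- *", "- *", "- *", "AH",
              "TRANSPORT", "*", "NONE", "BIDIRECT", "APPLY", 0)
    return " ".join(map(str, values)) + ";"

def sad_entry(index, spi, sa_dest, direction, policy_index=2, key_file="Test.key"):
    values = (index, spi, sa_dest, "POLICY", "POLICY", "POLICY", "POLICY", "POLICY",
              "HMAC-MD5", key_file, direction, policy_index)
    return " ".join(map(str, values)) + ";"

def random_spi():
    """Random 32-bit SPI, as the article's caution requires (never sequential).
    SPI values 0-255 are reserved by the AH specification, so they are rejected."""
    while True:
        spi = secrets.randbits(32)
        if spi > 255:
            return spi

def host_entries(local, remote, spi_out, spi_in):
    """One host's entries. SAEntry 2 (outbound) is listed before SAEntry 1
    (inbound) because the article requires decreasing numerical order."""
    return {"spd": [spd_entry(remote)],
            "sad": [sad_entry(2, spi_out, remote, "OUTBOUND"),
                    sad_entry(1, spi_in, local, "INBOUND")]}

def pair_entries(spi_h1_to_h2=None, spi_h2_to_h1=None):
    """Mirror-image entries for both hosts; SPIs default to random values."""
    a = spi_h1_to_h2 if spi_h1_to_h2 is not None else random_spi()
    b = spi_h2_to_h1 if spi_h2_to_h1 is not None else random_spi()
    if a == b:
        raise ValueError("the two SAs must use different SPIs")
    return {"host1": host_entries(HOST1, HOST2, a, b),
            "host2": host_entries(HOST2, HOST1, b, a)}

def sas_match(cfg):
    """True when each host's OUTBOUND SA is the peer's INBOUND SA (same SPI and
    SADestIPAddr); a mismatch here is a typical reason the final ping fails."""
    def parse(line):
        f = line.rstrip(";").split()
        return f[10], (f[1], f[2])          # Direction, (SPI, SADestIPAddr)
    h1 = dict(parse(l) for l in cfg["host1"]["sad"])
    h2 = dict(parse(l) for l in cfg["host2"]["sad"])
    return h1["OUTBOUND"] == h2["INBOUND"] and h2["OUTBOUND"] == h1["INBOUND"]
```

Calling pair_entries(3001, 3000) reproduces the article's example values; calling it with no arguments gives a fresh random pair to paste into each host's Test.spd and Test.sad.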
For additional information about configurations, see IPv6 Configurations.
For information about using IPv6 in a test lab, see Setting up an IPv6 Test Lab.