VPN tunnel question


Miha
11-05-2005, 08:43 AM
Hello

In our company we need to establish a secure VPN channel with an outside
company in another country. They had already configured a VPN server (running
on WinNT) and sent us the following information so we could configure a VPN
client to connect.

Authentication method: pre-shared secret
Key-change for encryption domain: yes

IKE (phase 1):
Encryption algorithm AES-256
'Condensation' function SHA-1
Diffie-Hellman group: 1024 bit
>Aggressive mode< no
Key lifetime for phase1 1440 min

IKE (phase 2):
Encryption algorithm AES-256
'Condensation' function SHA-1
>Perfect Forward Secrecy enabled< no
PFS DH group: 1024 bit
>IP compression< no
>IPSEC SA Lifetime< 3600 s

I'm pretty confused by the information we got from them, because as far as I
know these aren't settings that could normally be configured for a VPN client.

Is this possible, and how could it be done, or do we need to configure a
site-to-site VPN tunnel to achieve that kind of functionality?

I would be very thankful for all the information and tips on how to do this.

Thank you all in advance

Regards

Miha

Miha Pihler [MVP]
11-05-2005, 11:22 AM
Information provided is used for Site-to-Site VPN.

--
Miha
Microsoft MVP - Windows Security

Miha
11-05-2005, 12:21 PM
Miha, thanks for the reply.
Since on the other side they have a WinNT server and on our side it is a
Win2003, could there be any complications, or is it better to also implement
a WinNT server on our side?
Regards
Miha

Steven L Umbach
11-05-2005, 04:12 PM
That would be for an IPsec tunnel policy. The link below may help. Phase 1
is also called main mode and phase 2 quick mode. Also, Windows 2000 does not
support AES for IPsec. 3DES is the strongest it can use, though if you have
an endpoint firewall device it might. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;252735
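
The parameter sheet from the question can be checked against a local endpoint's capabilities before any tunnel is configured. The Python below is an added example, not part of the original posts: it normalizes the sheet into IKE terms (main mode, DH group 2 for 1024-bit MODP, lifetimes in seconds) and lists what would fail to negotiate. The `LOCAL` capability set (3DES as the strongest cipher, per the reply above; hash and DH sets illustrative) and all function names are assumptions.

```python
import re

# Constructed input: the parameter sheet from the question (spelling normalized).
SHEET = """IKE (phase 1):
Encryption algorithm AES-256
'Condensation' function SHA-1
Diffie-Hellman group: 1024 bit
>Aggressive mode< no
Key lifetime for phase1 1440 min
IKE (phase 2):
Encryption algorithm AES-256
'Condensation' function SHA-1
>Perfect Forward Secrecy enabled< no
PFS DH group: 1024 bit
>IPSEC SA Lifetime< 3600 s"""
DH_GROUPS = {768: 1, 1024: 2, 1536: 5, 2048: 14}  # MODP bits -> IKE group number
# Assumption: local endpoint tops out at 3DES (per the reply); other sets illustrative.
LOCAL = {"encryption": {"DES", "3DES"}, "hash": {"MD5", "SHA-1"}, "dh_group": {1, 2}}

RULES = [  # (pattern, normalized key, converter applied to the regex match)
    (r"Encryption algorithm (\S+)", "encryption", lambda m: m[1]),
    (r"function (\S+)", "hash", lambda m: m[1]),
    (r"group: (\d+) bit", "dh_group", lambda m: DH_GROUPS[int(m[1])]),
    (r"Agg?ressive mode (\w+)", "mode", lambda m: "aggressive" if m[1] == "yes" else "main"),
    (r"Perfect Forward Secrecy enabled (\w+)", "pfs", lambda m: m[1] == "yes"),
    (r"[Ll]ifetime.*? (\d+) (min|s)$", "lifetime_s", lambda m: int(m[1]) * (60 if m[2] == "min" else 1)),
]

def parse_sheet(text):  # -> {'phase1': {...}, 'phase2': {...}}
    out, cur = {}, None
    for line in text.splitlines():
        line = line.replace(">", "").replace("<", "").strip()
        if m := re.match(r"IKE \(phase (\d)\)", line):
            cur = out.setdefault("phase" + m[1], {})
        for pattern, key, conv in RULES:
            if cur is not None and (m := re.search(pattern, line)):
                cur[key] = conv(m)
    return out

def mismatches(proposal, local=LOCAL):
    """Transforms the local side cannot offer, plus inconsistencies in the sheet."""
    issues = []
    for phase, p in sorted(proposal.items()):
        for key in ("encryption", "hash", "dh_group"):
            if p.get(key) is not None and p[key] not in local[key]:
                issues.append(f"{phase}: {key} {p[key]} not offered locally")
        if p.get("pfs") is False and "dh_group" in p:
            issues.append(f"{phase}: PFS off but a PFS DH group is listed")
    return issues
```

Running `mismatches(parse_sheet(SHEET))` reports AES-256 as unavailable in both phases and flags that the sheet lists a PFS DH group while PFS itself is set to "no", a point worth confirming with the remote administrator.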