Channel: Security forum

Deviation between documentation and sniffer-traces for IPSec communication flow


1 Project description

IPSec secured connection between 2 clients with IPv6 based on the extended Microsoft firewall security settings.

 

2 Problem description

Based on the following documentation

http://technet.microsoft.com/library/bb878063

we detected a measurement deviation between the documentation and our own sniffer traces (as an attachment in the folder).

Due to the visibility of ESP packets, we assume that the functionality is not affected.

 

3 Experimental setup

- Client 1: Windows 7 Professional

- Client 2: Windows 7 Professional

- Server: Windows 2012 R2

- Sniffer: 1 Wireshark sniffer in each network segment

 

4 Network plan

 

5 Client settings

5.1 Certificate

We have used the MMC to request a new computer certificate after we imported the root certificate to the trust certificate location.

5.2 Network security settings

- Rule type: Server to Server

- End points: Our IP addresses

- Requirements: Authentication is necessary

- Authentication method: Advanced -then- computer certificate of the certificate authority -then- Using the root certificate.

- Applying the next steps with the standard settings.

 

6 Windows Server 2012 R2 installed roles

- AD DS

- AD CS (we used the standard settings on both roles)

- File and storage services

- DNS

- IIS

 

7 Wireshark sniffer traces

The number of ISAKMP packets varies in all our sniffer traces. We always had more than 10 packets but less than 14 packets.

Below you can see two of our sniffer traces.

 

8 Detailed failure description

The pictures show the documented flow for a certificate based authentication.

It was found in a technet article.

You can find the article in the PDF called technet ike.pdf.

Based on the documented flow and our measurement, we have collected the following divergences.

We used ws_2 as the origin to show the divergence:

- The first and the second packet seemed to be equal to the documented flow.

- The third packet contains the FQDN of the client, not the documented Diffie-Hellman key exchange.

- The fourth packet contains a certificate, no key exchange and no nonce.

- The fifth packet is not encrypted.

- The sixth packet is not encrypted.

- Packets seven to ten are encrypted.

There are two IPv6 data packets; they seem to include certificates in clear text.

This picture shows a section of the 25th packet from ws_1.pcapng.

 

9 Summary

We have determined:

- We can encrypt the communication.

- There are ISAKMP packets on the line.

- It seems that there are certificates in cleartext on the line.

 

10 Questions

We have the following questions:

- Is our measurement correct?

- If not, what should the authentication flow in Windows 7 and 8, Server 2012 and R2 look like?

- Which kind of data do the IPv6 packets next to the ISAKMP packets include, for example ws_2.pcapng packet 25?

- In which packets is the Diffie-Hellman key exchange?

- There are some packets with an unknown exchange type (243, 244, 245); what kind of data is inside these packets?

- Which version of IKE is used, IKEv1 or IKEv2?


Regards, Martin
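Several of the questions above (which IKE version is on the wire, which packets carry the key exchange, whether certificates or identities travel unencrypted, and what the exchange types 243 to 245 are) can be answered directly from the ISAKMP header and payload chain without guessing from screenshots. The following script is an added example, not code from the post, from Microsoft or from Wireshark. It decodes the 28-byte ISAKMP header (RFC 2408 / RFC 7296), walks the payload chain only while it is still cleartext (IKEv1 Encryption flag clear, or before an IKEv2 SK payload), and summarises a list of messages. The exchange-type names for 243/244/245 are the AuthIP Main, Quick and Extended Mode values documented in MS-AIPS; the sample messages are constructed in the block and are not bytes from the attached captures. To run it over a real capture, feed it the UDP payloads of port 500/4500 packets exported from Wireshark (that export step is assumed, not shown).

```python
"""Classify ISAKMP/IKE messages from a capture (added example).

Reads the fixed ISAKMP header, then walks the payload chain while it is
still cleartext, and reports the IKE version, the exchange type, whether the
remainder is encrypted, and which payloads are visible on the wire.
"""
import struct

# ISAKMP fixed header (28 bytes): initiator SPI, responder SPI, next payload,
# version (major nibble / minor nibble), exchange type, flags, message ID, length.
HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    2: "IKEv1 Main Mode (identity protection)",
    4: "IKEv1 Aggressive Mode",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
    # 240-255 are private-use values; MS-AIPS assigns these three to AuthIP.
    243: "AuthIP Main Mode",
    244: "AuthIP Quick Mode",
    245: "AuthIP Extended Mode",
}

# Payload type numbers differ between IKEv1 (RFC 2408) and IKEv2 (RFC 7296).
IKEV1_PAYLOADS = {1: "SA", 4: "KE", 5: "ID", 6: "CERT", 7: "CERTREQ", 8: "HASH",
                  9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
IKEV2_PAYLOADS = {33: "SA", 34: "KE", 35: "IDi", 36: "IDr", 37: "CERT", 38: "CERTREQ",
                  39: "AUTH", 40: "NONCE", 41: "N", 43: "V", 44: "TSi", 45: "TSr", 46: "SK"}


def parse_isakmp(data):
    """Describe one ISAKMP message (the UDP payload of a port 500/4500 packet)."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than an ISAKMP header")
    _ispi, _rspi, ptype, version, exch, flags, _msg_id, length = HEADER.unpack_from(data)
    if length != len(data):
        raise ValueError("header length %d does not match %d bytes" % (length, len(data)))
    major, minor = version >> 4, version & 0x0F
    names = IKEV1_PAYLOADS if major == 1 else IKEV2_PAYLOADS
    # IKEv1 flags bit 0 is the Encryption flag: everything after the header is ciphertext.
    encrypted = major == 1 and bool(flags & 0x01)
    cleartext = []
    offset = HEADER.size
    while not encrypted and ptype != 0:
        if offset + 4 > len(data):
            raise ValueError("payload chain runs past the end of the message")
        nxt, _crit, plen = struct.unpack_from("!BBH", data, offset)
        if plen < 4 or offset + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, offset))
        if major == 2 and ptype == 46:
            # IKEv2 SK payload: its contents, and every payload after it, are encrypted.
            encrypted = True
            break
        cleartext.append(names.get(ptype, "type%d" % ptype))
        offset += plen
        ptype = nxt
    return {
        "version": "%d.%d" % (major, minor),
        "exchange_type": exch,
        "exchange": EXCHANGE_TYPES.get(exch, "unknown/private exchange %d" % exch),
        "encrypted": encrypted,
        "cleartext_payloads": cleartext,
    }


def trace_summary(messages):
    """Answer the trace questions over a list of raw ISAKMP messages (1-based indices)."""
    parsed = [parse_isakmp(m) for m in messages]
    idx = lambda pred: [i + 1 for i, p in enumerate(parsed) if pred(p)]
    return {
        "versions": sorted({p["version"] for p in parsed}),
        "key_exchange_in": idx(lambda p: "KE" in p["cleartext_payloads"]),
        "cleartext_cert_in": idx(lambda p: "CERT" in p["cleartext_payloads"]),
        "cleartext_id_in": idx(lambda p: any(n.startswith("ID") for n in p["cleartext_payloads"])),
        "encrypted": idx(lambda p: p["encrypted"]),
        "private_exchanges": sorted({p["exchange_type"] for p in parsed if p["exchange_type"] >= 240}),
    }


def build_message(version, exchange, flags, payloads):
    """Construct a test message; payloads is a list of (type, body) tuples."""
    body = b""
    for i, (ptype, pdata) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(pdata)) + pdata
    first = payloads[0][0] if payloads else 0
    hdr = HEADER.pack(b"\x11" * 8, b"\x00" * 8, first, version, exchange, flags, 0,
                      HEADER.size + len(body))
    return hdr + body


# Constructed sample trace (not bytes from the attached captures).
SAMPLE_TRACE = [
    build_message(0x10, 2, 0x00, [(1, b"\x00" * 8)]),                         # MM1: SA proposal
    build_message(0x10, 2, 0x00, [(4, b"\xaa" * 32), (10, b"\xbb" * 16)]),   # MM3: KE + nonce
    build_message(0x10, 243, 0x00, [(5, b"host.example"), (6, b"\x30\x82")]),  # AuthIP: ID + CERT in clear
    build_message(0x10, 2, 0x01, [(5, b"\xcc" * 20)]),                        # MM5: Encryption flag set
    build_message(0x20, 35, 0x08, [(46, b"\xdd" * 40)]),                      # IKEv2 IKE_AUTH with SK
]

if __name__ == "__main__":
    for i, m in enumerate(SAMPLE_TRACE, 1):
        print(i, parse_isakmp(m))
    print(trace_summary(SAMPLE_TRACE))
```

The summary lists, per message number, where a KE payload appears, where a CERT or ID payload is readable without decryption, and which exchange types fall in the private-use range; comparing that list against the documented flow is a more reliable check than counting packets, since retransmissions change the count but not the payload chain.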

