Using IPSec between two local link hosts

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Caution

  • This implementation of IPSec for IPv6 is not recommended for use in a production environment because it relies on static keying: there is no IKE negotiation, so keys are never refreshed, and nothing rekeys the SA when the 32-bit AH sequence number wraps. Without a rekey, the sequence number must be reused and anti-replay protection is lost.

  • When you manually configure Security Parameters Indexes (SPIs), always use random numbers. Do not use sequential numbers for SPIs, or you will compromise the security of your IPSec for IPv6 policies. The example below uses 3000 and 3001 only so that the two SAs are easy to tell apart; substitute random 32-bit values (values 0 through 255 are reserved) in a real configuration.

  • The IPv6 protocol for the Windows Server 2003 family does not support the use of IPSec Encapsulating Security Payload (ESP) encryption. However, the use of ESP with NULL encryption is supported. Although NULL encryption uses the ESP header, only data origin authentication and data integrity services are provided.

This configuration creates an IPSec security association (SA) between two hosts on the same link. The SA provides data origin authentication and integrity by using the Authentication Header (AH) with the HMAC-MD5 keyed hash (AuthAlg HMAC-MD5, a 96-bit integrity check value); no traffic is encrypted. HMAC-MD5 is a legacy integrity algorithm, and this example follows what the Windows Server 2003 IPv6 stack documents. In this example, the configuration secures all traffic between two neighboring hosts. Host 1 has the link-local address of FE80::2AA:FF:FE53:A92C, and Host 2 has the link-local address of FE80::2AA:FF:FE92:D0F1.

  1. On Host 1, create blank security association (.sad) and security policy (.spd) files by using the ipsec6 s command. In this example, the Ipsec6.exe command is ipsec6 s test. This creates two files with blank entries for manually configuring security associations (Test.sad) and security policies (Test.spd).

  2. On Host 1, edit the .spd file, adding a security policy that secures all traffic between Host 1 and Host 2.

    The following table shows the security policy entry that is added to Test.spd before the first entry (the first entry in Test.spd is not modified):

    .spd file field name   Example value
    Policy                 2
    RemoteIPAddr           - FE80::2AA:FF:FE92:D0F1
    LocalIPAddr            - *
    Protocol               - *
    RemotePort             - *
    LocalPort              - *
    IPSecProtocol          AH
    IPSecMode              TRANSPORT
    RemoteGWIPAddr         *
    SABundleIndex          NONE
    Direction              BIDIRECT
    Action                 APPLY
    InterfaceIndex         0

    Type a semicolon at the end of the entry configuring this security policy. Policy entries must be placed in decreasing numerical order.

  3. On Host 1, edit the .sad file, adding SA entries to secure all traffic between Host 1 and Host 2. Two security associations must be created, one for traffic to Host 2 and one for traffic from Host 2. An SPI identifies an SA at the host that receives the protected packets, so the SPI of the SA for traffic to Host 2 must later appear in Host 2's .sad file as its INBOUND SA, and the SPI of the SA for traffic from Host 2 must appear there as its OUTBOUND SA.

    The following table shows the first SA entry that is added to Test.sad (for traffic to Host 2):

    .sad file field name   Example value
    SAEntry                2
    SPI                    3001
    SADestIPAddr           FE80::2AA:FF:FE92:D0F1
    DestIPAddr             POLICY
    SrcIPAddr              POLICY
    Protocol               POLICY
    DestPort               POLICY
    SrcPort                POLICY
    AuthAlg                HMAC-MD5
    KeyFile                Test.key
    Direction              OUTBOUND
    SecPolicyIndex         2

    Type a semicolon at the end of the entry configuring this SA.

    The following table shows the second SA entry that is added to Test.sad (for traffic from Host 2):

    .sad file field name   Example value
    SAEntry                1
    SPI                    3000
    SADestIPAddr           FE80::2AA:FF:FE53:A92C
    DestIPAddr             POLICY
    SrcIPAddr              POLICY
    Protocol               POLICY
    DestPort               POLICY
    SrcPort                POLICY
    AuthAlg                HMAC-MD5
    KeyFile                Test.key
    Direction              INBOUND
    SecPolicyIndex         2

    Type a semicolon at the end of the entry configuring this SA. SA entries must be placed in decreasing numerical order.

  4. On Host 1, create a file that contains the key used to create and validate the HMAC-MD5 keyed hash (the AH integrity check value) on each IPSec-protected packet that is exchanged with Host 2. In this example, a text file is used. Test.key is created with the contents This is a test. There are no extra characters, spaces, or lines, and no trailing newline. A short English phrase is used here only for readability: for a real configuration, generate at least 16 bytes from a cryptographically secure random source and store them as a binary key file, and restrict the file's ACL, because anyone who can read the key can forge AH-authenticated traffic from either host.

    The IPv6 protocol supports only manually configured keys for quick mode SAs (also known as IPSec or Phase II SAs), because main mode negotiation through Internet Key Exchange (IKE) is not performed. Manual keys are configured by creating files that contain either the text or binary data of the manual key; the raw bytes of the file are the key. Because of this, the key files on the two hosts must be byte-identical: a stray trailing newline on one side produces mismatched integrity check values, and the receiver silently drops the packets. In this example, the same key for the SAs is used in both directions. You can use different keys for inbound and outbound SAs by creating different key files and referencing them with the KeyFile field in the .sad file.

  5. On Host 2, use the ipsec6 s command to create blank security association (.sad) and security policy (.spd) files. In this example, the Ipsec6.exe command is ipsec6 s test. This creates two files with blank entries for manually configuring security associations (Test.sad) and security policies (Test.spd).

    To simplify the example, the same file names for the .sad and .spd files are used on Host 2. You can choose to use different file names on each host.

  6. On Host 2, edit the .spd file, adding a security policy that secures all traffic between Host 2 and Host 1.

    The following table shows the security policy entry that is added to Test.spd before the first entry (the first entry in Test.spd is not modified):

    .spd file field name   Example value
    Policy                 2
    RemoteIPAddr           - FE80::2AA:FF:FE53:A92C
    LocalIPAddr            - *
    Protocol               - *
    RemotePort             - *
    LocalPort              - *
    IPSecProtocol          AH
    IPSecMode              TRANSPORT
    RemoteGWIPAddr         *
    SABundleIndex          NONE
    Direction              BIDIRECT
    Action                 APPLY
    InterfaceIndex         0

    Type a semicolon at the end of the entry configuring this security policy. Policy entries must be placed in decreasing numerical order.

  7. On Host 2, edit the .sad file, adding SA entries to secure all traffic between Host 2 and Host 1. Two security associations must be created: one for traffic to Host 1 and one for traffic from Host 1. The SPIs mirror those on Host 1: SPI 3000 (traffic to Host 1) is OUTBOUND here and INBOUND on Host 1, and SPI 3001 (traffic to Host 2) is INBOUND here and OUTBOUND on Host 1.

    The following table shows the first SA entry that is added to Test.sad (for traffic to Host 1):

    .sad file field name   Example value
    SAEntry                2
    SPI                    3000
    SADestIPAddr           FE80::2AA:FF:FE53:A92C
    DestIPAddr             POLICY
    SrcIPAddr              POLICY
    Protocol               POLICY
    DestPort               POLICY
    SrcPort                POLICY
    AuthAlg                HMAC-MD5
    KeyFile                Test.key
    Direction              OUTBOUND
    SecPolicyIndex         2

    Type a semicolon at the end of the entry configuring this SA.

    The following table shows the second SA entry that is added to Test.sad (for traffic from Host 1):

    .sad file field name   Example value
    SAEntry                1
    SPI                    3001
    SADestIPAddr           FE80::2AA:FF:FE92:D0F1
    DestIPAddr             POLICY
    SrcIPAddr              POLICY
    Protocol               POLICY
    DestPort               POLICY
    SrcPort                POLICY
    AuthAlg                HMAC-MD5
    KeyFile                Test.key
    Direction              INBOUND
    SecPolicyIndex         2

    Type a semicolon at the end of the entry configuring this SA. SA entries must be placed in decreasing numerical order.

  8. On Host 2, create a text file that contains the key used to authenticate the SAs created with Host 1. In this example, Test.key is created with the contents This is a test. There are no extra characters, spaces, or lines, and the file must be byte-identical to the Test.key on Host 1.

  9. On Host 1, use the ipsec6 l command to add the configured security policies and SAs from the .spd and .sad files. In this example, the ipsec6 l test command is run on Host 1.

  10. On Host 2, use the ipsec6 l command to add the configured security policies and SAs from the .spd and .sad files. In this example, the ipsec6 l test command is run on Host 2. On either host, ipsec6 sp lists the loaded security policies and ipsec6 sa lists the loaded SAs, which is a quick way to confirm that the entries and SPIs on the two hosts match before you test traffic.

  11. On Host 2, use the ping command to ping Host 1's link-local address. If Host 2 has more than one interface, append the zone ID of the interface on the shared link to the address (for example, FE80::2AA:FF:FE53:A92C%4), because a link-local address alone does not identify which interface to send from.

    If you use Network Monitor to capture the traffic, you should see the exchange of ICMPv6 Echo Request and Echo Reply messages, with an Authentication Header (AH) listed between the IPv6 header and the ICMPv6 header; with HMAC-MD5 the AH carries a 12-byte integrity check value. If the Echo Requests are sent but no Echo Replies return, the usual causes are mismatched SPIs between the two .sad files or key files that are not byte-identical; a receiving host drops packets that fail the integrity check without notifying the sender.
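The following Python script is an added example, not part of the original page and not Microsoft's ipsec6 tooling. It generates the field/value entries from the tables in steps 2, 3, 6 and 7 for both hosts from a single description, cross-checks that the two hosts' SAD entries mirror each other (same SPI and SADestIPAddr at both ends of each SA, no SPI collision, decreasing entry order, identical key bytes), flags the weaknesses the Caution section warns about (sequential or reserved SPIs, a short or plain-text key), and computes the 96-bit HMAC-MD5 integrity check value over a constructed sample to show how the shared key file is used. The function names (build_pair, check_consistency, audit_weaknesses, ah_icv) and the dictionary layout are this example's own; writing the entries into the exact text layout that ipsec6 s produces is left to the reader.

```python
# Added example; not from the original page and not Microsoft's ipsec6 tooling.
# Field names and values follow the page's .spd/.sad tables; function names are
# this example's own. The sample bytes in __main__ are constructed, not captured.
import hashlib
import hmac
import ipaddress
import secrets


def random_spi():
    """Random 32-bit SPI; values 0-255 are reserved by RFC 4302, so skip them."""
    return 256 + secrets.randbelow(2 ** 32 - 256)


def policy_entry(remote):
    """The .spd entry from the page: AH, transport mode, all traffic with one peer."""
    return {"Policy": 2, "RemoteIPAddr": f"- {remote}", "LocalIPAddr": "- *",
            "Protocol": "- *", "RemotePort": "- *", "LocalPort": "- *",
            "IPSecProtocol": "AH", "IPSecMode": "TRANSPORT", "RemoteGWIPAddr": "*",
            "SABundleIndex": "NONE", "Direction": "BIDIRECT", "Action": "APPLY",
            "InterfaceIndex": 0}


def sa_entry(index, spi, sa_dest, direction, keyfile="Test.key"):
    """One .sad entry; the selectors are inherited from policy 2 as on the page."""
    return {"SAEntry": index, "SPI": spi, "SADestIPAddr": sa_dest,
            "DestIPAddr": "POLICY", "SrcIPAddr": "POLICY", "Protocol": "POLICY",
            "DestPort": "POLICY", "SrcPort": "POLICY", "AuthAlg": "HMAC-MD5",
            "KeyFile": keyfile, "Direction": direction, "SecPolicyIndex": 2}


def build_pair(host1, host2, spi_to_host1=None, spi_to_host2=None, key=None):
    """Per-host .spd/.sad entries plus the shared key bytes.

    An SPI identifies the SA at the receiver, so the SPI for traffic *to* a host
    is that host's INBOUND SPI and the peer's OUTBOUND SPI. Defaults are random
    SPIs and a 16-byte CSPRNG key; pass 3000/3001 and b"This is a test" to
    reproduce the page's values.
    """
    for h in (host1, host2):
        if not ipaddress.IPv6Address(h).is_link_local:
            raise ValueError(f"{h} is not a link-local address")
    spi_to_host1 = random_spi() if spi_to_host1 is None else spi_to_host1
    spi_to_host2 = random_spi() if spi_to_host2 is None else spi_to_host2
    key = secrets.token_bytes(16) if key is None else key
    return {
        "host1": {"addr": host1, "key": key, "spd": [policy_entry(host2)],
                  "sad": [sa_entry(2, spi_to_host2, host2, "OUTBOUND"),
                          sa_entry(1, spi_to_host1, host1, "INBOUND")]},
        "host2": {"addr": host2, "key": key, "spd": [policy_entry(host1)],
                  "sad": [sa_entry(2, spi_to_host1, host1, "OUTBOUND"),
                          sa_entry(1, spi_to_host2, host2, "INBOUND")]},
    }


def check_consistency(cfg):
    """Mismatches that make one side drop the other's AH packets ([] when clean)."""
    problems = []
    h1, h2 = cfg["host1"], cfg["host2"]
    if h1["key"] != h2["key"]:
        problems.append("key bytes differ between hosts")
    for sender, receiver in ((h1, h2), (h2, h1)):
        out = [s for s in sender["sad"] if s["Direction"] == "OUTBOUND"]
        inb = [s for s in receiver["sad"] if s["Direction"] == "INBOUND"]
        if len(out) != 1 or len(inb) != 1:
            problems.append(f"{sender['addr']} -> {receiver['addr']}: need one SA per direction")
            continue
        o, i = out[0], inb[0]
        if o["SPI"] != i["SPI"]:
            problems.append(f"SPI mismatch {sender['addr']} -> {receiver['addr']}: {o['SPI']} vs {i['SPI']}")
        if o["SADestIPAddr"] != receiver["addr"] or i["SADestIPAddr"] != receiver["addr"]:
            problems.append(f"SADestIPAddr must be the receiver {receiver['addr']} on both hosts")
        if o["AuthAlg"] != i["AuthAlg"]:
            problems.append("AuthAlg differs between the two ends of one SA")
    for h in (h1, h2):
        spis = [s["SPI"] for s in h["sad"]]
        if len(set(spis)) != len(spis):
            problems.append(f"{h['addr']}: inbound and outbound SPIs collide")
        idx = [s["SAEntry"] for s in h["sad"]]
        if idx != sorted(idx, reverse=True):
            problems.append(f"{h['addr']}: SA entries not in decreasing numerical order")
    return problems


def audit_weaknesses(cfg):
    """Warnings matching the page's Caution: predictable SPIs and weak key material."""
    notes = []
    spis = sorted({s["SPI"] for h in cfg.values() for s in h["sad"]})
    if any(b - a == 1 for a, b in zip(spis, spis[1:])):
        notes.append("sequential SPIs; choose random values")
    if any(s < 256 for s in spis):
        notes.append("SPI in the reserved range 0-255")
    key = cfg["host1"]["key"]
    if len(key) < 16:
        notes.append("key shorter than 16 bytes")
    if key and all(32 <= b < 127 for b in key):
        notes.append("key is printable ASCII text; use CSPRNG bytes")
    return notes


def ah_icv(key, authenticated_bytes):
    """AH integrity check value for HMAC-MD5-96 (RFC 2403): HMAC-MD5 truncated to 96 bits."""
    return hmac.new(key, authenticated_bytes, hashlib.md5).digest()[:12]


if __name__ == "__main__":
    cfg = build_pair("FE80::2AA:FF:FE53:A92C", "FE80::2AA:FF:FE92:D0F1")
    for name, host in cfg.items():
        print(name, host["addr"], [(s["SAEntry"], s["SPI"], s["Direction"]) for s in host["sad"]])
    print("consistency:", check_consistency(cfg) or "ok")
    page = build_pair("FE80::2AA:FF:FE53:A92C", "FE80::2AA:FF:FE92:D0F1",
                      spi_to_host1=3000, spi_to_host2=3001, key=b"This is a test")
    print("page values:", audit_weaknesses(page))
    # Constructed stand-in for the bytes AH covers (immutable IPv6 header fields
    # plus the ICMPv6 message); both hosts derive the same ICV from the key file.
    sample = b"\x60" + b"\x00" * 39 + b"\x80\x00"
    print("ICV:", ah_icv(page["host1"]["key"], sample).hex())
```

Run the script on a host that will hold the key material, copy the printed SPIs into the SPI fields of both hosts' .sad files (OUTBOUND on the sender, INBOUND on the receiver) and write the key bytes to Test.key on both hosts without a trailing newline. Running the page's own values through audit_weaknesses shows why the Caution section applies to them: 3000 and 3001 are sequential, and "This is a test" is a 14-byte printable string.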

For additional information about configurations, see IPv6 Configurations.

For information about using IPv6 in a test lab, see Setting up an IPv6 Test Lab.