Enabling Preshared Key IPSec: Network Encryption for a Home or Small Business

Audience & Scenario:
You have more than one computer on a small business or home network. Wireless may or may not be involved. All computers (that you want to protect) run Windows 2000 or Windows XP. You would like to encrypt your file sharing and communication traffic between these Windows PCs without a lot of work. You would like this all to be seamless after you’ve initially set it up.

Summary of Tasks:
We will be using IPSec with a private ‘shared key’ to encrypt all traffic between these computers. This will greatly increase the security of wireless networks, because someone will no longer be able to ‘sniff’ your packets from a wireless computer and see what data you are passing back and forth between computers, which is all normally in clear text on an open wireless connection.

What is IPSec:
IPSec is a standard specification that allows computers, when enabled and configured, to communicate using TCP/IP with authentication and encryption to protect the data inside each packet. The most popular use for IPSec is for IPSec VPNs, but this feature is available on any Windows 2000 or XP PC, and doesn’t require a VPN to work. IPSec also normally uses X.509 certificates to encrypt and validate the data, but this function requires a much more complicated configuration. We will be implementing a shared key version of IPSec that doesn’t require certificates or any of the complicated setup. This is not the most efficient or secure way to use IPSec, but it’s better than NOT using it.

What this Doesn’t Do:

  • We will have to enable IPSec in explicit mode, meaning that it will ask to communicate with another computer securely, but if the other computer doesn’t have the private key it will still allow communications without IPSec. This means that any traffic to the web, or any host without IPSec configured in this way will be unencrypted, and subject to sniffing.
  • This does not keep people from accessing your network or systems. This is not a replacement for a firewall, or using WEP, WPA, 802.1x, and/or MAC filtering on your wireless access point, nor is it a replacement for strong user passwords. This is an ADDITIONAL step that can be taken to secure your network traffic from onlookers. There is no substitute for ‘boundary access control’.

Steps:

  • On the first computer, create a text file and type random keyboard characters into it until you have at least 100 characters. This will be your ‘key’ or password that each computer will use to communicate. The longer the key the better. Save this file on a CD-R or floppy so it’s not easily accessible to anyone. You can always print it out for a backup as well.
  • Open the Local Security Policy. In XP, you can find this in the control panel under Administrative Tools (be sure the control panel is in classic view).
  • Right Click ‘IP Security Policies on Local Computer’ and select ‘Create IP Security Policy’
  • Name your security policy “Shared Key IPSec” or something similar.
  • Leave the ‘Activate the default response rule’ checked.
  • Select ‘Use this string to protect…..’ and copy your preshared key that you saved in a text file into this area.
  • Uncheck Edit Properties and select Finish.
  • You have now enabled IPSec to encrypt traffic on that PC to any PC that requests IPSec be used and also has that preshared key. You now need to do these same steps on each PC that you want to communicate via IPSec.
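
To confirm that traffic between two configured PCs is really being protected rather than falling back to unencrypted communication, a packet capture can be checked for ESP packets versus plain TCP/UDP. The Python below is an added example, not part of the original article; it assumes the captured packets are available as raw IPv4 bytes, and the addresses and sample packets are constructed.

```python
import socket
import struct

ESP, AH, TCP, UDP = 50, 51, 6, 17   # IP protocol numbers
IKE_PORT = 500                      # UDP port used by IKE key negotiation

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet: 'esp', 'ah', 'ike', 'clear' or 'malformed'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    if proto == ESP:
        return "esp"                                  # encrypted payload
    if proto == AH:
        return "ah"                                   # authenticated, not encrypted
    first_fragment = (struct.unpack("!H", packet[6:8])[0] & 0x1FFF) == 0
    if proto == UDP and first_fragment and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if IKE_PORT in (sport, dport):
            return "ike"                              # key negotiation, not user data
    return "clear"

def unprotected_flows(packets, peers):
    """Return (src, dst, protocol) for every cleartext packet between two IPSec peers."""
    findings = []
    for pkt in packets:
        if classify(pkt) != "clear":
            continue
        src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
        if src in peers and dst in peers:
            findings.append((src, dst, pkt[9]))
    return findings

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample capture; addresses are placeholders, not values from the article.
PC_A, PC_B, WEB = "192.168.1.10", "192.168.1.11", "203.0.113.5"
SAMPLES = [
    ipv4(PC_A, PC_B, UDP, struct.pack("!HHHH", 500, 500, 8, 0)),       # IKE negotiation
    ipv4(PC_A, PC_B, ESP, bytes(16)),                                  # IPSec-protected data
    ipv4(PC_A, PC_B, TCP, struct.pack("!HH", 1025, 445) + bytes(16)),  # file sharing in the clear
    ipv4(PC_A, WEB, TCP, struct.pack("!HH", 1026, 80) + bytes(16)),    # web traffic, expected clear
]
```

Calling `unprotected_flows(SAMPLES, {PC_A, PC_B})` reports only the cleartext file-sharing packet between the two PCs; the web packet is ignored because the remote host is not one of the IPSec peers.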
