Enabling Preshared Key IPSec: Network Encryption for a Home or Small Business
Audience & Scenario:
You have more then one computer on a small business or home network. Wireless may or may not be involved. All Computers (that you want to protect) are Windows 2000 or Windows XP. You would like to encrypt your file sharing and communication traffic between these Windows PCs without a lot of work. You would like this all to be seamless after you’ve initially set it up.
Summary of Tasks:
We will be using IPSec with a private ‘shared key’ to encrypt all traffic between these computers. This will greatly increase the security for wireless networks because someone will no longer be able to ‘sniff’ your packets from a wireless computer and see what data you are passing back and forth between computers, which is all normally in clear text on a open wireless connection.
What is IPSec:
IPSec is a standard specification that allows computers, when enabled and configured, to communicate using TCP/IP with authenication and encryption to protect the data inside each packet. The most popular use for IPSec is for IPSec VPN’s, but this feature is available to any Windows PC 2000 or XP, and doesn’t require a VPN to work. IPSec also normally uses x509 Certificates to encrypt and validate the data, but this function requires a much more complicated configuration. We will be implementing a shared key version of IPSec that doesn’t require certificates or any of the complicated setup. This is not the most efficient or secure way to use IPSec, but it’s better then NOT using it.
What this Doesn’t Do:
- We will have to enable IPSec in explicit mode, meaning that it will ask to communicate with another computer securely, but if the other computer doesn’t have the private key it will still allow communications without IPSec. This means that any traffic to the web, or any host without IPSec configured in this way will be unencrypted, and subject to sniffing.
<li>This doesn’t not keep people from accessing your network or systems. This is not a replacement for a firewall, or using WEP, WPA, 802.1x, and/or MAC filtering on your wireless access point, nor is it a replacement for strong user passwords. This is an ADDITIONAL step that can be taken to secure your network traffic from onlookers. There is no substitute for ‘boundary access control’.</li></ul>
Steps:
You have now enabled IPSec to encrypt traffic on that pc to any pc that requests IPSec be used and also has that preshared key. You now need to do these same steps on each pc that you want to communicate via IPSec.
References:
Using IPSec in Windows 2000 and XP, Part One
Using IPSec in Windows and XP, Part Two
Using IPSec in Windows 2000 and XP: Part Three