The IPsec client in Windows XP is essentially the same as the one in Windows 2000, and
presumably in Windows Server 2003 as well. IPsec configuration is performed through the
Microsoft Management Console (mmc). To start
mmc, perform the following steps:
- click on Start
- click on Run
- type mmc and press ENTER
You should now see something like this:
Adding the Security Policy Management Snap-in
Select File | Add/Remove Snap-in..., click Add..., then scroll down to
IP Security Policy Management and click on it. You should see this:
Then you need to select the local computer and click on Finish:
If you are running XP, you should also select the
IP Security Monitor snap-in and click Add.
Then click on Close. You should now see this:
Click on OK, and you'll be back at
mmc, but with two new snap-ins loaded.
NOTE: if you click on
IP Security Policies on Local Computer
you will see this:
Creating the IP Security Policy
We are now going to create the IP Security Policy we will use on this
laptop. Start this process by right clicking on
IP Security Policies on Local Computer and selecting
Create IP Security Policy. This
will invoke the IP Security Policy Wizard.
Give your policy a name (I called mine My WIFI Security Policy) and a description:
Be sure to uncheck
Activate the default response rule. On the final page, leave
Edit Properties unchecked, then click Finish.
You now have a security policy, although it has no content. Next we will
define filter lists for the inbound and outbound traffic.
Create the Outbound filter
Start by right clicking on
IP Security Policies on Local Computer and selecting
Manage IP filter lists and filter actions...; you
should see this:
Click Add and you will see this:
Name your filter list (I called mine
OutboundIPsec). This is what you should see:
Now we need to define the filter contents. Click on Add and you'll see the
IP Filter Wizard:
Click on Next and select the Traffic Source. You want
My IP address:
Click on Next and select the Traffic Destination. You want
Any IP address:
Set the protocol type to Any, since the aim is to protect all traffic rather than one protocol.
Be sure to check the
Edit Properties box:
When you get to the
Filter Properties window, be sure to uncheck
Mirrored. This is important: a tunnel rule needs a separate, non-mirrored filter for each
direction, because each direction has its own tunnel endpoint, and the inbound list we
build next covers the reverse direction.
Now you should be back at the
IP Filter List window.
Your filter should now be listed there.
After you click OK, you should see this:
You have now created your outbound filter list. Now we will create a similar
list for the inbound traffic.
Create the Inbound filter
You have just created the outbound filter. Now repeat the same steps again
but for inbound traffic. The differences will be:
- Any IP address for the source
- My IP address for the destination
Remember to check
Edit Properties and to uncheck
Mirrored. After completion, you should see this:
As Timothy Ham cautioned, pay attention to what you have now. You should have two entries under
IP Filter Lists, and each list should contain one filter.
You should not have one filter list with two filters. Verify that neither filter
is mirrored. Click on Close and you should be back at the MMC console.
Using the filters
So far we have:
- created a security policy
- added an outbound filter list
- added an inbound filter list
Creating the Outbound Security Rule
Now we will start using the filter lists. Double click on
My WIFI Security Policy and you should see this:
Click on Add to start up the Security Rule Wizard:
Click Next, and you will see the Tunnel Endpoint window. Click on
The tunnel endpoint is specified by this IP address
and supply the IP address of your gateway (for me, that's 10.0.0.1).
Click on Next, and specify the network type this rule applies to. I chose
Local Area Network (LAN);
All network connections would work as well.
Click on Next and select the Authentication Method. We will be using preshared keys.
Enter your key in the space provided. For testing purposes, I used a plain word. Do not do
that for real use: the preshared key is stored in clear text in the local policy store, where
any administrator can read it, and a dictionary word is trivially guessed. Use a long random
string, and prefer certificate authentication where you can.
Click Next, and you'll be asked to select the Filter List against which this
security rule should apply. Choose OutboundIPsec.
Click on Next. Select the action for this security rule. In this case,
Require Security. We do not want any
traffic to pass unless it is IPsec (note: DHCP etc. will still
get through without IPsec, because Windows 2000 and XP exempt broadcast, multicast and IKE
traffic from IPsec filtering by default). Also check the action's properties and make sure
Allow unsecured communication with non-IPSec-aware computer is not selected; with it on,
the rule silently falls back to clear text whenever the peer does not negotiate.
Click on Next, and you will see the last window in the Security Rule Wizard. Make sure
Edit Properties is off, and click Finish.
Your policy properties should now look like this:
Creating the Inbound Security Rule
You should now repeat the same steps again, but for the inbound traffic. The differences are:
- The tunnel endpoint should be the IP address of this PC.
- Apply this rule to the InboundIPsec filter list.
Once you have completed this, your policy properties should look like this:
All done, save the results
Here is what your MMC console should look like now:
You will note that the
Policy Assigned column contains No. That means
your policy is not yet in effect. We will change that soon.
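For reference, here is the same policy as the wizards above produce, expressed as netsh commands. This is an added example and not part of the original page: it assumes a Windows version with the netsh ipsec static context (Windows Server 2003 and later; Windows XP itself relies on the GUI steps above or the separate ipseccmd support tool). The gateway 10.0.0.1 and the names My WIFI Security Policy, OutboundIPsec and InboundIPsec come from the text; 10.0.0.23 as this PC's own address, the filter action name RequireIPsec, the rule names and the key placeholder are assumptions.

```batch
@echo off
rem Added example (not from the original page): the tutorial's IPsec tunnel
rem policy built with netsh ipsec static. Assumes the netsh ipsec context is
rem available. 10.0.0.1 is the gateway from the text; 10.0.0.23 stands in for
rem this PC's own address and the PSK value is a placeholder (both assumed).

set POLICY=My WIFI Security Policy
set GATEWAY=10.0.0.1
set MYADDR=10.0.0.23
set PSK=CHANGE-ME-to-a-long-random-string

rem 1. The policy itself, with the default response rule left inactive
rem    (the box the wizard told us to uncheck).
netsh ipsec static add policy name="%POLICY%" description="Tunnel all traffic to the gateway" activatedefaultrule=no

rem 2. Two separate filter lists with one filter each. mirrored=no is
rem    explicit because netsh, like the wizard, mirrors a filter unless told
rem    otherwise, and tunnel rules need one non-mirrored filter per direction.
netsh ipsec static add filterlist name=OutboundIPsec
netsh ipsec static add filter filterlist=OutboundIPsec srcaddr=me dstaddr=any protocol=any mirrored=no

netsh ipsec static add filterlist name=InboundIPsec
netsh ipsec static add filter filterlist=InboundIPsec srcaddr=any dstaddr=me protocol=any mirrored=no

rem 3. A "require security" action. soft=no turns off the clear-text
rem    fallback to non-IPsec-aware peers; inpass=no also refuses unsecured
rem    inbound packets that would otherwise be accepted to start negotiation.
netsh ipsec static add filteraction name=RequireIPsec action=negotiate inpass=no soft=no

rem 4. Tunnel rules. Outbound: tunnel endpoint is the gateway.
rem    Inbound: tunnel endpoint is this PC. Both use the preshared key.
netsh ipsec static add rule name=Outbound policy="%POLICY%" filterlist=OutboundIPsec filteraction=RequireIPsec tunnel=%GATEWAY% conntype=lan psk="%PSK%"
netsh ipsec static add rule name=Inbound policy="%POLICY%" filterlist=InboundIPsec filteraction=RequireIPsec tunnel=%MYADDR% conntype=lan psk="%PSK%"

rem 5. Review what was created. The policy is deliberately NOT assigned here,
rem    matching the "Policy Assigned: No" state in the text. When ready:
rem    netsh ipsec static set policy name="%POLICY%" assign=y
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static show filterlist name=OutboundIPsec level=verbose
netsh ipsec static show filterlist name=InboundIPsec level=verbose
```

The two settings most worth checking in the output of the show commands are that each filter list carries exactly one filter with Mirrored: No, and that the filter action has neither soft fallback nor inbound pass-through enabled; those are the two places where a click in the wizard silently turns "require security" into "prefer security".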
Save your data using
File | Save. I named my file