Thursday, June 23, 2011

Network Privacy and Attack Surface Reduction In the Cloud With Meshed IPsec Topologies

Morpheus: What can you see, Neo?
Neo: It's strange... the code is somehow different.
Morpheus: Encrypted?
Neo: Maybe.
- The Matrix Reloaded (2003)

Running on a platform which you trust very little (or perhaps not at all) - with the possibility of neighbors you trust even less - is an interesting security problem. It is this aspect of cloud computing, perhaps, that gives rise to much of the security controversy.

In the physical (non-cloud) world, there are some organizations who already regard their networks as semi-trusted and use meshed IPsec topologies for enhanced privacy. I see no reason why we cannot do the same for back-end systems in the cloud.

Consider this requirements list, increasingly advocated by cloud consumers who want privacy from their virtual neighbors as well as from the admins and technicians operating the environment:
  1. ensure network traffic among back-end systems is shielded from neighboring virtual machines;
  2. even when virtual network security measures fail due to a flaw or misconfiguration;
  3. even when applications fail to use SSL;
  4. with a minimum of ongoing maintenance and administration;
  5. using a technology that can be automated and programmatically managed.
This can be accomplished relatively easily using meshed host-to-host IPsec topologies. Host-to-host IPsec implementations have been available for at least a decade and work well in recent versions of Windows and Red Hat operating systems, among others. There are a number of misconceptions about IPsec on Windows servers:
  • Host-to-host IPsec does not actually require Active Directory under Windows unless Kerberos authentication is used. Certificates and even shared secrets can be used to authenticate the key exchange when no domain is present.
  • IPsec is not disabled or restricted in Server 2008. The canned policies are missing for some reason, but they can be configured. A Server 2008 R2 host-to-host IPsec configuration is shown using netsh at the end of this post.
  • IPsec configuration does not require AD-based or GUI management tools. IPsec can be managed using the netsh command-line program as well as the Local Security Policy MMC snap-in.
Windows has an interesting policy model for IPsec including these simple policies:
  • Request security: attempt to negotiate key exchange and use ESP for all traffic; revert to unencrypted communication when negotiation fails.
  • Require security: attempt to negotiate key exchange and use ESP for all traffic; refuse to communicate and drop packets when negotiation fails.
In the second case, a Windows server will refuse to talk to any host with which it cannot negotiate a key exchange when this policy is applied to all IP traffic. Here is a portscan result for a Windows server with its firewall turned off and a mandatory IPsec policy in place:

[root@localhost ~]# nmap -vv -version-all 192.168.148.28

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-06-22 13:55 PDT
Initiating ARP Ping Scan against 192.168.148.28 [1 port] at 13:55
The ARP Ping Scan took 0.00s to scan 1 total hosts.
DNS resolution of 1 IPs took 0.55s.
Initiating SYN Stealth Scan against 192.168.148.28 [1680 ports] at 13:55
The SYN Stealth Scan took 35.26s to scan 1680 total ports.
Host 192.168.148.28 appears to be up ... good.
All 1680 scanned ports on 192.168.148.28 are filtered
MAC Address: 00:0C:29:52:16:AD (VMware)

Nmap finished: 1 IP address (1 host up) scanned in 35.968 seconds
Raw packets sent: 3361 (147.882KB) | Rcvd: 1 (42B)


The target appears unresponsive because the caller has no key and cannot negotiate IPsec. From another Windows server, configured to use IPsec with the same shared secret for authentication, a portscan looks normal:

+ 192.168.148.28
|___ 80 World Wide Web HTTP
|___ 135 DCE endpoint resolution
|___ 139 NETBIOS Session Service
|___ 445 Microsoft-DS


With the "require security" policy in effect for all IP traffic, network traffic between these Windows servers is tunneled over IPsec, which transparently provides encryption to applications that never implemented it natively. Here is a trace of an SMB session, for example, over ESP:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:26:36.932065 IP 192.168.148.21 > 192.168.148.28: ESP(spi=0x8bd7076c,seq=0x29), length 60
09:26:36.932741 IP 192.168.148.28 > 192.168.148.21: ESP(spi=0xe3802dee,seq=0x1f), length 60
09:26:36.933253 IP 192.168.148.21 > 192.168.148.28: ESP(spi=0x8bd7076c,seq=0x2a), length 52
09:26:36.934481 IP 192.168.148.21 > 192.168.148.28: ESP(spi=0x8bd7076c,seq=0x2b), length 188
09:26:36.934487 IP 192.168.148.28 > 192.168.148.21: ESP(spi=0xe3802dee,seq=0x20), length 188
09:26:36.936046 IP 192.168.148.21 > 192.168.148.28: ESP(spi=0x8bd7076c,seq=0x2c), length 324
09:26:36.937607 IP 192.168.148.21 > 192.168.148.28: ESP(spi=0x8bd7076c,seq=0x2d), length 356


Here is part of an HTTP get to an IIS webserver:

10:54:09.171769 IP 192.168.148.28 > 192.168.148.21: ESP(spi=0x88570a73,seq=0x5d), length 1476
10:54:09.171770 IP 192.168.148.28 > 192.168.148.21: ESP(spi=0x88570a73,seq=0x5e), length 1476
10:54:09.171770 IP 192.168.148.28 > 192.168.148.21: ESP(spi=0x88570a73,seq=0x5f), length 1476

Looking at the HTTP-related operations in Process Monitor, it looks like IPsec is implemented beneath the TDI layer(?). Interestingly, WinPcap on a Windows server using IPsec seems to operate below or adjacent to the IPsec shims and consequently seems to capture only ciphertext.

"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:54:00.6401995 AM","svchost.exe","772","UDP Receive","WIN-1I4K7VGUUNC:isakmp -> USER-G47DF9096W:isakmp","SUCCESS","Length: 284, seqnum: 0, connid: 0"
"10:54:00.6420352 AM","svchost.exe","772","UDP Send","WIN-1I4K7VGUUNC:isakmp -> USER-G47DF9096W:isakmp","SUCCESS","Length: 196, seqnum: 0, connid: 0"
"10:54:00.6501661 AM","svchost.exe","772","UDP Receive","WIN-1I4K7VGUUNC:isakmp -> USER-G47DF9096W:isakmp","SUCCESS","Length: 52, seqnum: 0, connid: 0"
"10:54:00.6509696 AM","svchost.exe","772","UDP Send","WIN-1I4K7VGUUNC:isakmp -> USER-G47DF9096W:isakmp","SUCCESS","Length: 76, seqnum: 0, connid: 0"
"10:54:00.6541610 AM","svchost.exe","772","UDP Receive","WIN-1I4K7VGUUNC:isakmp -> USER-G47DF9096W:isakmp","SUCCESS","Length: 92, seqnum: 0, connid: 0"
"10:54:00.6549120 AM","svchost.exe","772","UDP Send","WIN-1I4K7VGUUNC:isakmp -> USER-G47DF9096W:isakmp","SUCCESS","Length: 124, seqnum: 0, connid: 0"
"10:54:08.2812617 AM","System","4","TCP Accept","WIN-1I4K7VGUUNC:http -> USER-G47DF9096W:3412","SUCCESS","Length: 0, mss: 1423, sackopt: 1, tsopt: 0, wsopt: 0, rcvwin: 65458, rcvwinscale: 0, sndwinscale: 0, seqnum: 0, connid: 0"
"10:54:08.2851468 AM","System","4","TCP Receive","WIN-1I4K7VGUUNC:http -> USER-G47DF9096W:3412","SUCCESS","Length: 278, seqnum: 0, connid: 0"
"10:54:08.4966321 AM","System","4","TCP Send","WIN-1I4K7VGUUNC:http -> USER-G47DF9096W:3412","SUCCESS","Length: 911, startime: 271223, endtime: 271224, seqnum: 0, connid: 0"
"10:54:08.4966726 AM","System","4","TCP Receive","WIN-1I4K7VGUUNC:http -> USER-G47DF9096W:3412","SUCCESS","Length: 273, seqnum: 0, connid: 0"
"10:54:08.5503615 AM","System","4","TCP Send","WIN-1I4K7VGUUNC:http -> USER-G47DF9096W:3412","SUCCESS","Length: 65536, startime: 271224, endtime: 271224, seqnum: 0, connid: 0"
"10:54:08.6124541 AM","System","4","TCP Send","WIN-1I4K7VGUUNC:http -> USER-G47DF9096W:3412","SUCCESS","Length: 65536, startime: 271224, endtime: 271225, seqnum: 0, connid: 0"
"10:54:08.6222260 AM","System","4","TCP Send","WIN-1I4K7VGUUNC:http -> USER-G47DF9096W:3412","SUCCESS","Length: 54100, startime: 271224, endtime: 271225, seqnum: 0, connid: 0"
"10:54:08.7893092 AM","System","4","TCP Receive","WIN-1I4K7VGUUNC:http -> USER-G47DF9096W:3412","SUCCESS","Length: 216, seqnum: 0, connid: 0"
"10:54:08.7939207 AM","System","4","TCP Disconnect","WIN-1I4K7VGUUNC:http -> USER-G47DF9096W:3412","SUCCESS","Length: 0, seqnum: 0, connid: 0"
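A "require security" policy is only worth trusting if you can confirm it holds on the wire. As an added example (my own code, not from the original post), here is a small Python checker that reads tcpdump summary lines in the format shown above, treats the listed hosts as the IPsec mesh, and flags any packet between two mesh members that is neither AH/ESP nor IKE, plus any AH/ESP sequence number that fails to increase within its SPI. The sample capture is constructed to mirror the RHEL 5 peers from this post and includes one deliberately unprotected TCP SYN and one repeated sequence number; it also handles the RHEL-style AH+ESP lines, which the Windows traces above do not show.

```python
import re
from collections import defaultdict

# One tcpdump summary line per IPv4 packet, as in the traces on this page, e.g.
#   09:26:36.932065 IP 192.168.148.21 > 192.168.148.28: ESP(spi=0x8bd7076c,seq=0x29), length 60
#   15:59:23.974881 IP 192.168.148.11 > 192.168.148.13: AH(spi=0x0df69abf,seq=0x1): ESP(spi=0x0d6534cc,seq=0x1), length 76
#   15:59:12.682625 IP 192.168.148.11.isakmp > 192.168.148.13.isakmp: isakmp: phase 1 I agg
# ARP lines, the tcpdump banner and raw payload bytes do not match and are skipped.
IP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\S+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\S+))?: (?P<rest>.*)$"
)
SPI = re.compile(r"(AH|ESP)\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")


def audit(capture_lines, mesh_hosts):
    """Audit a capture against a 'require security' expectation.

    Returns (findings, spis): findings is a list of human-readable strings, one
    for every packet between two mesh members that is neither AH/ESP nor IKE and
    one for every AH/ESP sequence number that does not increase within its SPI;
    spis counts packets per (src, dst, protocol, spi).
    """
    mesh = set(mesh_hosts)
    findings, spis, last_seq = [], defaultdict(int), {}
    for line in capture_lines:
        m = IP_LINE.match(line.strip())
        if not m:
            continue  # ARP, banner, or the ciphertext payload dump itself
        src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
        if src not in mesh or dst not in mesh:
            continue  # traffic involving non-mesh hosts is out of scope here
        if "isakmp" in (m.group("sport"), m.group("dport")):
            continue  # IKE runs in the clear by design; it authenticates the peers
        headers = SPI.findall(rest)
        if not headers:
            findings.append(f"{m.group('ts')} cleartext {src} > {dst}: {rest}")
            continue
        for proto, spi, seq in headers:
            key = (src, dst, proto, spi)
            spis[key] += 1
            n, prev = int(seq, 16), last_seq.get(key)
            if prev is not None and n <= prev:
                findings.append(
                    f"{m.group('ts')} {proto} spi={spi} seq {seq} not above previous {prev:#x}"
                )
            last_seq[key] = n
    return findings, dict(spis)


# Constructed sample capture (not from the post): the two RHEL 5 peers from the
# trace below, with one deliberately unprotected TCP SYN between them and one
# repeated ESP sequence number; the last line imitates a raw payload line.
MESH = {"192.168.148.11", "192.168.148.13"}
SAMPLE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
15:59:12.681622 arp who-has 192.168.148.13 tell 192.168.148.11
15:59:12.682625 IP 192.168.148.11.isakmp > 192.168.148.13.isakmp: isakmp: phase 1 I agg
15:59:23.974881 IP 192.168.148.11 > 192.168.148.13: AH(spi=0x0df69abf,seq=0x1): ESP(spi=0x0d6534cc,seq=0x1), length 76
15:59:26.972143 IP 192.168.148.11 > 192.168.148.13: AH(spi=0x0df69abf,seq=0x2): ESP(spi=0x0d6534cc,seq=0x2), length 76
15:59:26.972248 IP 192.168.148.13 > 192.168.148.11: ESP(spi=0x0b23aae7,seq=0x1), length 76
15:59:26.972300 IP 192.168.148.13 > 192.168.148.11: ESP(spi=0x0b23aae7,seq=0x1), length 76
15:59:30.000000 IP 192.168.148.11.3412 > 192.168.148.13.http: Flags [S], seq 1, win 65535, length 0
15:59:31.000000 IP 192.168.148.11.40000 > 192.168.148.99.http: Flags [S], seq 1, win 65535, length 0
e4.......Z.GP..u...~c.... L..K.#...lHQ...ZW..O..r..(=0....V>I...Q,W.....x..
"""

if __name__ == "__main__":
    found, seen = audit(SAMPLE.splitlines(), MESH)
    for key, count in sorted(seen.items()):
        print("protected", key, count)
    for f in found:
        print("FINDING", f)
```

Run it against a real capture with `tcpdump -n` output piped in (one summary line per packet); the SYN to 192.168.148.99 in the sample is ignored only because that host is not declared as a mesh member.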

The same effective result is accomplished in RHEL 5 using a combination of host-to-host IPsec adapters and firewall rules that allow only IPsec traffic. Creating an IPsec adapter is simple in RHEL 5 using the racoon daemon for key negotiation. It does seem to require an IPsec adapter for each peer, but these are simple to create. Here are the contents of an IPsec adapter file named /etc/sysconfig/network-scripts/ifcfg-11 under RHEL 5:

DST=192.168.148.11
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK


Next, create a corresponding key file, /etc/sysconfig/network-scripts/keys-11, containing the key string. It would not be a bad idea to restrict this file to the root account with chmod 600. Activating the connection is accomplished by bringing up the interface with ifup: /sbin/ifup ipsec11. Key negotiation is handled by the racoon daemon, which is controlled by /etc/racoon/racoon.conf. RHEL 6 supplants racoon with the more powerful Openswan package, which I am currently researching.

IPsec firewall ACLs can be enforced either by a host firewall in the guest OS or by the virtual network layer. I plan to do both in the cloud; the beauty of this approach is that misconfiguring or tampering with it to allow non-IPsec traffic requires (unlikely) collusion between parties who don't necessarily trust one another: the cloud consumers, who control the guest OS, and the cloud operators, who control the virtual networks.

Externally facing web servers cannot require IPsec, of course, but they can use IPsec to talk to their application or database layers. The security of the web application becomes even more critical in this scenario, as it becomes the principal attack surface. And IPsec, for the most part, works poorly over NAT or PAT, so this is a local network solution.

Two long, boring exhibits follow: a tcpdump of an HTTP GET over IPsec under RHEL 5, and a complete IPsec configuration for Windows Server 2008 R2 shown using netsh.

Here is a complete HTTP GET from Apache over ESP, preceded by the ISAKMP / AH key exchange under RHEL 5. Everything is ciphertext except the ARP exchanges:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:59:12.681622 arp who-has 192.168.148.13 tell 192.168.148.11
15:59:12.682339 arp reply 192.168.148.13 is-at 00:0c:29:94:0d:d4 (oui Unknown)
15:59:12.682625 IP 192.168.148.11.isakmp > 192.168.148.13.isakmp: isakmp: phase 1 I agg
15:59:12.684642 IP 192.168.148.13.isakmp > 192.168.148.11.isakmp: isakmp: phase 2/others ? oakley-quick[E]
15:59:12.686471 IP 192.168.148.11.isakmp > 192.168.148.13.isakmp: isakmp: phase 2/others ? inf
15:59:17.682787 arp who-has 192.168.148.11 tell 192.168.148.13
15:59:17.683417 arp reply 192.168.148.11 is-at 00:0c:29:30:7a:64 (oui Unknown)
15:59:22.685209 IP 192.168.148.13.isakmp > 192.168.148.11.isakmp: isakmp: phase 2/others ? oakley-quick[E]
15:59:22.686039 IP 192.168.148.11.isakmp > 192.168.148.13.isakmp: isakmp: phase 2/others ? inf
15:59:22.686695 IP 192.168.148.11.isakmp > 192.168.148.13.isakmp: isakmp: phase 1 I agg
15:59:22.690934 IP 192.168.148.13.isakmp > 192.168.148.11.isakmp: isakmp: phase 1 R agg
15:59:22.700600 IP 192.168.148.11.isakmp > 192.168.148.13.isakmp: isakmp: phase 1 I agg
15:59:22.702582 IP 192.168.148.11.isakmp > 192.168.148.13.isakmp: isakmp: phase 2/others I inf[E]
15:59:23.708030 IP 192.168.148.11.isakmp > 192.168.148.13.isakmp: isakmp: phase 2/others I oakley-quick[E]
15:59:23.710836 IP 192.168.148.13.isakmp > 192.168.148.11.isakmp: isakmp: phase 2/others R oakley-quick[E]
15:59:23.744505 IP 192.168.148.11.isakmp > 192.168.148.13.isakmp: isakmp: phase 2/others I oakley-quick[E]
15:59:23.974881 IP 192.168.148.11 > 192.168.148.13: AH(spi=0x0df69abf,seq=0x1): ESP(spi=0x0d6534cc,seq=0x1), length 76
15:59:26.972143 IP 192.168.148.11 > 192.168.148.13: AH(spi=0x0df69abf,seq=0x2): ESP(spi=0x0d6534cc,seq=0x2), length 76
15:59:26.972248 IP 192.168.148.13 > 192.168.148.11: AH(spi=0x0da12f0a,seq=0x1): ESP(spi=0x0b23aae7,seq=0x1), length 76
15:59:26.972996 IP 192.168.148.11 > 192.168.148.13: AH(spi=0x0df69abf,seq=0x3): ESP(spi=0x0d6534cc,seq=0x3), length 68
15:59:26.973705 IP 192.168.148.11 > 192.168.148.13: AH(spi=0x0df69abf,seq=0x4): ESP(spi=0x0d6534cc,seq=0x4), length 452
15:59:26.973787 IP 192.168.148.13 > 192.168.148.11: AH(spi=0x0da12f0a,seq=0x2): ESP(spi=0x0b23aae7,seq=0x2), length 68
15:59:26.976017 IP 192.168.148.13 > 192.168.148.11: AH(spi=0x0da12f0a,seq=0x3): ESP(spi=0x0b23aae7,seq=0x3), length 1452
15:59:26.976162 IP 192.168.148.13 > 192.168.148.11: AH(spi=0x0da12f0a,seq=0x4): ESP(spi=0x0b23aae7,seq=0x4), length 1452
15:59:26.977696 IP 192.168.148.11 > 192.168.148.13: AH(spi=0x0df69abf,seq=0x5): ESP(spi=0x0d6534cc,seq=0x5), length 68
15:59:26.977827 IP 192.168.148.13 > 192.168.148.11: AH(spi=0x0da12f0a,seq=0x5): ESP(spi=0x0b23aae7,seq=0x5), length 1452
15:59:26.977862 IP 192.168.148.13 > 192.168.148.11: AH(spi=0x0da12f0a,seq=0x6): ESP(spi=0x0b23aae7,seq=0x6), length 84
15:59:26.978387 IP 192.168.148.11 > 192.168.148.13: AH(spi=0x0df69abf,seq=0x6): ESP(spi=0x0d6534cc,seq=0x6), length 68
15:59:26.978995 IP 192.168.148.11 > 192.168.148.13: AH(spi=0x0df69abf,seq=0x7): ESP(spi=0x0d6534cc,seq=0x7), length 68
15:59:26.979675 IP 192.168.148.11 > 192.168.148.13: AH(spi=0x0df69abf,seq=0x8): ESP(spi=0x0d6534cc,seq=0x8), length 68
15:59:26.979723 IP 192.168.148.13 > 192.168.148.11: AH(spi=0x0da12f0a,seq=0x7): ESP(spi=0x0b23aae7,seq=0x7), length 68


Here is a sample IPsec "require security" policy for Windows Server 2008 R2:

C:\Users\Administrator>netsh ipsec static show all

Policy Name : New IP Security Policy
Description : NONE
Store : Local Store
Last Modified : 6/22/2011 9:25:01 AM
GUID : {70BA24BE-58AE-4618-BF90-4141146899E8}
Assigned : YES
Polling Interval : 180 minutes
MainMode LifeTime : 480 minutes / 0 Quick Mode sessions
Master PFS : NO
Main Mode Security Method Order
Encryption Integrity DH Group
---------- --------- --------
3DES SHA1 Medium(2)

No. of Rules : 2

Rule Details
------------


Rule ID : 1, GUID = {DB04D4B6-99BC-48AC-B0F5-92B7EF32AC42}
Rule Name : NONE
Description : NONE
Last Modified : 6/22/2011 9:25:00 AM
Activated : YES
Connection Type : ALL
Authentication Methods(1)

Preshared Key : key

FilterList Details
------------------

FilterList Name : New IP Filter List
Description : NONE
Store : Local Store
Last Modified : 6/21/2011 6:18:30 PM
GUID : {64E9596C-1A7F-40E7-9905-AEAFEDCAA717}
No. of Filters : 1
Filter(s)
---------
Description : all IP
Mirrored : YES
Source IP Address :
Source Mask : 0.0.0.0
Source DNS Name :
Destination IP Address :
Destination Mask : 0.0.0.0
Destination DNS Name :
Protocol : ANY
Source Port : ANY
Destination Port : ANY

FilterAction Details
---------------------

FilterAction Name : IPsec required
Description : NONE
Store : Local Store
Action : NEGOTIATE SECURITY
AllowUnsecure(Fallback): NO
Inbound Passthrough : NO
QMPFS : NO
Last Modified : 6/22/2011 9:24:57 AM
GUID : {5FA90EBD-A669-4F54-8EF4-BBAB9ADA3020}
Security Methods
AH ESP Seconds kBytes
-- --- ------- ------
[NONE] [SHA1 , 3DES] 0 0


Rule ID : 2, GUID = {7EC85BC0-A940-4AE8-9593-CCEE5DA7C967}
Rule Name : NONE
Description : NONE
Last Modified : 6/21/2011 5:56:52 PM
Activated : YES
Default response rule is not supported on Windows Vista and later versions of Windows. This policy is not in effect.
Connection Type : ALL
Authentication Methods(1)

Preshared Key : key

No FilterList exists in Default Response Rule

FilterAction Details
---------------------

FilterAction Name : NONE
Description : NONE
Store : Local Store
AllowUnsecure(Fallback): NO
Inbound Passthrough : NO
QMPFS : NO
Last Modified : 6/21/2011 5:56:52 PM
GUID : {AE7A02AA-A443-440D-9D02-C819DF2FD491}
Security Methods
AH ESP Seconds kBytes
-- --- ------- ------
[NONE] [SHA1 , 3DES] 0 0
[SHA1] [NONE , NONE] 0 0


No. of policies : 1
