Educause Security Discussion mailing list archives

Re: Basic Practical IPSec Documentation?


From: Chris Green <cmgreen () UAB EDU>
Date: Fri, 30 Oct 2009 11:31:55 -0500

Mike,

Check out http://technet.microsoft.com/en-us/network/bb531150.aspx, especially the introductory overviews, or is this the documentation you are lamenting ;-)

Somewhere, there's a good presentation on "how MS IT uses IPSEC". One of the take homes was "we require IPSec for everyone in the domains but except IP exceptions for the Mac Business Unit". The SANS Securing Windows course has a lot of that material in it too. The other take home is it's not too hard if you can push out IPSEC certs to everyone using MS CA. Otherwise it's hard.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Lococo
Sent: Wednesday, October 28, 2009 4:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Basic Practical IPSec Documentation?

Hi Folks,

Is anyone aware of a good practical tutorial on implementing IPSec on 
Windows in the trivially simple case?  In particular I'm looking for 
something that covers:

   * Short introduction to IPSec concepts, not more than a page.
   * Short introduction to IPSec on Windows concepts, again, less than a
     page.  Here I'm looking for a high-level overview of a policy vs a
     filter vs an action, and any other absolutely critical Windows
     specific concepts that would prevent you from implementing even
     if you more or less understand IPSec.
   * A couple of pages of mid-level tutorial on actually setting up a
     simple connection.  In particular, I think the "right" connection
     for such a tutorial is a host-to-host filter for any protocol/port
     between two IPs using transport mode that requires integrity and
     encryption and uses IKE+PSK for authentication.  This configuration
     allows a relative beginner to use IPSec to protect almost any kind
     of communication between two hosts, and doesn't require delving
     into certificates which more than double implementation complexity.

I'm often recommending that folks use IPSec to protect some network 
communication that fails to implement (or properly implement) 
authentication, encryption, or integrity controls, and after getting 
enough complaints from admins that they couldn't figure out how to 
implement I actually went poking around for instructions on how to do 
this in Windows.  I was astounded at the excessive length and poor 
quality of documentation for what is not *that* complex a task.  Has 
anyone found the diamond in the rough, or am I going to have to go digging?

Thanks,
Mike Lococo
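The "trivially simple case" Mike describes above (host-to-host, any protocol/port, transport mode, ESP integrity plus encryption, IKE with a pre-shared key) expressed as the legacy `netsh ipsec static` policy/filter/action objects his second bullet asks about. This is an added example, not something posted in the thread or taken from Microsoft's documentation; the peer address 192.0.2.20 and the PSK are constructed placeholders, and the commands assume the Windows XP/Server 2003-era `netsh ipsec static` context.

```batch
@echo off
REM Added example, not from the thread. Builds the host-to-host IPsec policy
REM described in the original post using the legacy "netsh ipsec static"
REM object model: policy -> rule -> (filter list + filter action).
REM Run the same script on BOTH hosts, setting PEER_IP to the other machine.
REM Constructed values: PEER_IP and PSK are placeholders, replace before use.

set PEER_IP=192.0.2.20
set PSK=REPLACE-WITH-A-LONG-RANDOM-PRESHARED-KEY

REM 1. Policy: the container that is later assigned (activated) on the host.
netsh ipsec static add policy name="Host2Host-ESP" description="Require ESP to one peer" activatedefaultrule=no

REM 2. Filter list + filter: all protocols and ports between this host ("me")
REM    and the peer; mirrored=yes covers traffic in both directions.
netsh ipsec static add filterlist name="Host2Host-Traffic"
netsh ipsec static add filter filterlist="Host2Host-Traffic" srcaddr=me dstaddr=%PEER_IP% protocol=ANY mirrored=yes

REM 3. Filter action: negotiate ESP with confidentiality (3DES) and integrity
REM    (SHA1). soft=no forbids falling back to cleartext if negotiation fails;
REM    inpass=no refuses unprotected inbound packets that match the filter.
REM    3DES/SHA1 are the strongest this legacy context offers; the Vista+
REM    "netsh advfirewall consec" context is where AES becomes available.
netsh ipsec static add filteraction name="Require-ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"

REM 4. Rule: bind filter list and filter action into the policy and
REM    authenticate IKE with the pre-shared key instead of Kerberos.
REM    Note the PSK is stored readable in the policy; treat it accordingly.
netsh ipsec static add rule name="Host2Host-Rule" policy="Host2Host-ESP" filterlist="Host2Host-Traffic" filteraction="Require-ESP" kerberos=no psk="%PSK%"

REM 5. Assign the policy; only one static policy is active per host at a time.
netsh ipsec static set policy name="Host2Host-ESP" assign=yes

REM Check: after generating traffic to the peer (e.g. ping), the quick-mode
REM security associations should list ESP between the two addresses.
netsh ipsec dynamic show qmsas
```

If the peer cannot complete IKE (wrong PSK, policy not assigned on the other side), the soft=no/inpass=no settings mean traffic to that peer is dropped rather than silently sent in the clear, which is the behaviour you want when IPsec is the control protecting an otherwise unauthenticated protocol.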
