Introduction
The following instructions go over the steps required to enable IPsec on a Windows server record in the VPSA, then configure Windows to use IPsec for its iSCSI connections to the VPSA.
First, ensure that the server record (client) has been added to the VPSA "Servers" section. You can do this with the Automatic script. Note that once the connection security rule below takes effect, any existing iSCSI sessions to the VPSA that are not yet protected by IPsec will be disconnected until a security association has been negotiated.
Open Firewall Console
First, open the firewall console in MMC. If you do not know how to do this, you can add it as a snap-in by doing the following:
- Open command prompt and type "mmc". An empty console opens.
- Click File->Add/Remove Snap-In and select the Windows Firewall with Advanced Security Snap-In:
Configure Firewall Mode
Right click "Windows Firewall with Advanced Security" in the console tree and then click "Windows Firewall Properties". The configuration window opens.
Make sure that firewall state is "On" for all profiles:
Configure IPsec Settings
While still in the Windows Firewall properties, click on the "IPsec Settings" tab.
Ensure the following settings are set, as shown below:
- Exempt ICMP from IPsec: No
- IPsec tunnel authorization: None
Change IPsec Defaults
While in the "IPsec Settings" Tab above, under the "IPsec defaults" section, click the "Customize" button.
Ensure the following main options are set, as shown below:
- Key exchange (Main Mode): Advanced
- Data protection (Quick Mode): Advanced
- Authentication method: Advanced (there is no need to click "Customize" at this level; the authentication method is defined later, per VPSA, in the connection security rule)
Key Exchange (Main Mode) Settings
Click the "Customize" button next to "Advanced" in the "Key exchange (Main Mode)" section.
Ensure there is a single method in the "Security methods" section. The method should have the following settings, as shown below (these must match what the VPSA negotiates; note that SHA-1 and Diffie-Hellman Group 2, a 1024-bit MODP group, are weak by current standards, so use them only because the VPSA side expects them):
- Integrity: SHA-1
- Encryption: AES-CBC-128
- Key exchange algorithm: Diffie-Hellman Group 2
Under the "Key lifetimes" section, ensure the following settings:
- Minutes: 180
- Sessions: 0
Under the "Key exchange options" section, ensure "Use Diffie-Hellman for enhanced security" is checked.
Click "OK" to exit the dialog.
Data Protection (Quick Mode) Settings
Click the "Customize" button next to "Advanced" in the "Data protection (Quick Mode)" section.
Ensure the following settings are in place, as shown below:
- Ensure "Require encryption for all connection security rules that use these settings." is checked.
- Ensure there are no entries under the "Data integrity" section on the left. Leaving it empty, together with the "Require encryption" checkbox above, means Windows cannot fall back to an integrity-only (unencrypted) proposal for this traffic.
Ensure there is exactly one entry under the "Data integrity and encryption" section on the right. It should contain the following settings:
- Protocol: ESP (recommended)
- Encryption algorithm: AES-CBC-128
- Integrity algorithm: SHA-1
- Minutes: 60
- KB: 10,000,000
Click OK three times to go all the way back to the Windows Firewall console.
Create a Firewall Rule to Enable IPsec
In the main Windows Firewall console, right click on "Connection Security Rules" and click "New Rule..." as shown below:
In the "Rule Type" step, select "Custom" as shown below and click "Next":
In the "Endpoints" step, define the Windows instance's IP that can route to the VPSA as "Endpoint 1", and the VPSA's IP address as "Endpoint 2" and click "Next", as shown below:
In the "Requirements" step, select "Require authentication for inbound and outbound connections" and click "Next", as shown below:
In the "Authentication Method" section, click "Advanced" then click the "Customize" button as shown below:
Under the "First authentication methods" section, click the "Add" button. Select "Preshared key" and enter the VPSA's IPsec pre-shared key, as shown below. The VPSA's IPsec key can be found in the VPSA GUI in the "Settings" section under the "Security" tab.
Press "OK" twice, then click "Next".
In the "Protocol and Ports" section, set the following settings and click "Next", as shown below:
- Protocol type: TCP
- Endpoint 1 port: All Ports
- Endpoint 2 port: Specific Ports -> 3260
In the "Profile" section, apply the rule to "Domain", "Private", and "Public" then click "Next" as shown below:
In the "Name" section, give the rule a descriptive name. This is only a text label to help you identify the rule later. Then click "Finish", as shown below:
Confirm Rule Is Enabled in the Windows Firewall Console
You should now have a rule that requires IPsec (ESP with AES-CBC-128) for traffic between your Windows client and the specified VPSA IP address on TCP port 3260 (iSCSI), and nothing else. Traffic to other hosts or ports is not affected. Ensure the rule is enabled, as shown below:
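For hosts that are built by script rather than by hand, the same configuration as the GUI steps above can be applied with the NetSecurity cmdlets (Windows Server 2012 and later). This is an added example, not part of the original article and not a Zadara-supplied script; the IP addresses, the rule and set names and the pre-shared key value are placeholders that you replace with your own (the key comes from the VPSA GUI, Settings -> Security). Run it from an elevated PowerShell prompt. Because New-NetIPsecRule cannot attach a main mode crypto set directly, the main mode set is registered with -Default, which is exactly what the GUI "IPsec defaults" step changes.

```powershell
# Added example (not from the original article or from Zadara): the GUI procedure
# above, done with the NetSecurity cmdlets. Run from an elevated PowerShell prompt.
# The addresses, names and key below are placeholders (assumptions); replace them.

$clientIp = '10.0.0.21'                     # Endpoint 1: this host's IP that routes to the VPSA (placeholder)
$vpsaIp   = '10.0.0.100'                    # Endpoint 2: the VPSA's iSCSI IP (placeholder)
$psk      = 'replace-with-VPSA-IPsec-key'   # Pre-shared key from the VPSA GUI, Settings -> Security (placeholder)

# "Configure Firewall Mode": firewall state On for all three profiles
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# "Configure IPsec Settings": do not exempt ICMP (or anything else) from IPsec
Set-NetFirewallSetting -Exemptions None

# "Key Exchange (Main Mode) Settings": one proposal, AES-CBC-128 / SHA-1 / DH Group 2,
# lifetime 180 minutes and 0 sessions, "Use Diffie-Hellman for enhanced security" checked.
# -Default makes this the main mode set that connection security rules use.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES128 -Hash SHA1 -KeyExchange DH2
New-NetIPsecMainModeCryptoSet -DisplayName 'VPSA Main Mode' -Proposal $mmProposal `
    -MaxMinutes 180 -MaxSessions 0 -ForceDiffieHellman $true -Default | Out-Null

# "Data Protection (Quick Mode) Settings": a single ESP proposal with AES-CBC-128 / SHA-1,
# lifetime 60 minutes / 10,000,000 KB. With no integrity-only proposal in the set, an
# unencrypted SA cannot be negotiated, which is what the GUI "Require encryption" box enforces.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES128 -ESPHash SHA1 `
    -MaxMinutes 60 -MaxKiloBytes 10000000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'VPSA Quick Mode' -Proposal $qmProposal -Default

# "Authentication Method": pre-shared key as the first (machine) authentication method
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $psk
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'VPSA PSK' -Proposal $authProposal

# "Create a Firewall Rule to Enable IPsec": custom rule, endpoints client <-> VPSA,
# require authentication inbound and outbound, TCP from any local port to VPSA port 3260,
# all profiles (Any covers Domain, Private and Public).
New-NetIPsecRule -DisplayName 'VPSA iSCSI IPsec' -Enabled True -Profile Any -Mode Transport `
    -LocalAddress $clientIp -RemoteAddress $vpsaIp `
    -Protocol TCP -LocalPort Any -RemotePort 3260 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $phase1.Name -QuickModeCryptoSet $qmSet.Name | Out-Null

# "Confirm Rule Is Enabled": the rule should show Enabled = True and Require in both directions
Get-NetIPsecRule -DisplayName 'VPSA iSCSI IPsec' |
    Select-Object DisplayName, Enabled, InboundSecurity, OutboundSecurity
```

Keep the pre-shared key out of the script file itself where you can (for instance, read it from a secured vault or prompt for it with Read-Host -AsSecureString and convert it immediately before use); a PSK in a script in version control is the most common way this setup leaks.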
(Optional) Check IPsec Security Associations
If you like, you can list the Windows client's IPsec security associations to confirm that the iSCSI traffic to the VPSA is actually being protected, as seen below:
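The same check from the command line, as an added example that is not part of the original article: it lists the main mode and quick mode security associations with the VPSA and confirms the iSCSI session is still connected. $vpsaIp is a placeholder to replace with the VPSA's address. The property names used in the filters are those of the NetSecurity and iSCSI module objects; if a name is not present on your Windows version, pipe the object to Format-List * to see the available fields.

```powershell
# Added example (not from the original article): verify IPsec is protecting the iSCSI traffic.
$vpsaIp = '10.0.0.100'   # the VPSA's iSCSI IP (placeholder)

# Main mode SA: present only if IKE authenticated with the VPSA and agreed on
# the main mode proposal (AES-CBC-128 / SHA-1 / DH Group 2 in this setup).
Get-NetIPsecMainModeSA | Where-Object { $_.RemoteEndpoint -eq $vpsaIp }

# Quick mode SAs: expect one per direction for the iSCSI traffic, with remote port 3260
# and ESP encryption AES128 / integrity SHA1. If this list is empty while iSCSI is
# connected, the traffic is NOT being protected and the rule needs to be re-checked.
Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $vpsaIp } |
    Format-List LocalEndpoint, RemoteEndpoint, LocalPort, RemotePort, IpProtocol, EspEncryption, EspIntegrity

# Equivalent views from netsh, for hosts without the NetSecurity module
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa

# The iSCSI connection to the VPSA portal should still be up after the rule took effect
Get-IscsiConnection | Where-Object { $_.TargetAddress -eq $vpsaIp }
```

If the main mode SA exists but no quick mode SA appears, the phase 1 authentication succeeded and the problem is in the quick mode proposal (algorithm or lifetime mismatch with the VPSA); if neither exists, check the pre-shared key and the endpoint addresses in the rule first.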