Using IPsec With Windows and iSCSI Volumes

Introduction

The following instructions go over the steps required to enable IPsec on a Windows server record in the VPSA, then configure Windows to use IPsec for iSCSI connections to the VPSA.

First, make sure the Windows server (client) has already been added as a server record in the VPSA "Servers" section; the Automatic script can do this for you. Note that existing iSCSI sessions to the VPSA may be disconnected while the steps below are put into place, so plan for a short interruption.

 

Open Firewall Console

First, open the firewall console in MMC.  If you do not know how to do this, you can add it as a snap-in by doing the following:

  • Open a command prompt and type "mmc". An empty console opens.
  • Click File->Add/Remove Snap-In and select the two Snap-Ins shown below (the first is "Windows Firewall with Advanced Security", which is used for all of the following steps):

ipsec1.jpg

 

Configure Firewall Mode

Right click "Windows Firewall with Advanced Security" in the console and then click "Windows Firewall Properties".  The configuration window opens.

Make sure that firewall state is "On" for all profiles:

ipsec2.jpg

 

Configure IPsec Settings

While still in the Windows Firewall properties, click on the "IPsec Settings" tab.

Ensure the following settings are set, as shown below:

  • Exempt ICMP from IPsec: No
  • IPsec tunnel authorization: None

ipsec3.jpg

 

Change IPsec Defaults

While in the "IPsec Settings" Tab above, under the "IPsec defaults" section, click the "Customize" button.

Ensure the following main options are set, as shown below:

  • Key exchange (Main Mode): Advanced
  • Data protection (Quick Mode): Advanced
  • Authentication method: Advanced (it is not necessary to do "Customize" at this level, the authentication method will be defined later per VPSA)

ipsec4.jpg

 

Key Exchange (Main Mode) Settings

Click the "Customize" button next to "Advanced" in the "Key exchange (Main Mode)" section.

Ensure there is a single method in the "Security methods" section.  The method should have the following settings, as shown below:

  • Integrity: SHA-1
  • Encryption: AES-CBC-128
  • Key exchange algorithm: Diffie-Hellman Group 2

These values must match what the VPSA side negotiates, which is why a single method is listed.  Note that SHA-1 and Diffie-Hellman Group 2 (1024-bit MODP) are legacy choices that fall below current recommendations; use stronger settings only if the VPSA supports them, otherwise the negotiation will fail.

Under the "Key lifetimes" section, ensure the following settings:

  • Minutes: 180
  • Sessions: 0

Under the "Key exchange options" section, ensure "Use Diffie-Hellman for enhanced security" is checked.

ipsec5.jpg

Click "OK" to exit the dialog.

 

Data Protection (Quick Mode) Settings

Click the "Customize" button next to "Advanced" in the "Data protection (Quick Mode)" section.

Ensure the following settings are in place, as shown below:

  • "Require encryption for all connection security rules that use these settings." is checked.  This rejects integrity-only proposals, so iSCSI data is always encrypted and never sent with authentication alone.
  • The "Data integrity algorithms" list on the left is empty.

Ensure there is one setting under the "Data integrity and encryption" section.  It should contain the following settings:

  • Protocol: ESP (recommended)
  • Encryption algorithm: AES-CBC-128
  • Integrity algorithm: SHA-1
  • Key lifetime, Minutes: 60
  • Key lifetime, KB: 10,000,000

ipsec6.jpg

Click OK three times to go all the way back to the Windows Firewall console.

 

Create a Firewall Rule to Enable IPsec

In the main Windows Firewall console, right click on "Connection Security Rules" and click "New Rule..." as shown below:

ipsec7.jpg

In the "Rule Type" step, select "Custom" as shown below and click "Next":

ipsec8.jpg

In the "Endpoints" step, define the Windows instance's IP that can route to the VPSA as "Endpoint 1", and the VPSA's IP address as "Endpoint 2" and click "Next", as shown below:

ipsec9.jpg

In the "Requirements" step, select "Require authentication for inbound and outbound connections" and click "Next", as shown below:

ipsec10.jpg

In the "Authentication Method" section, click "Advanced" then click the "Customize" button as shown below:

ipsec11.jpg

Under the "First authentication methods" section, click the "Add" button.  Select "Preshared key" and enter the VPSA's IPsec key, as shown below.  The VPSA's IPsec key can be found in the VPSA GUI in the "Settings" section under the "Security" tab.  Treat this key as a secret: it is stored in the local firewall policy, where local administrators can read it, and a preshared key is the weakest of the available authentication methods, so do not reuse it elsewhere.

ipsec12.jpg

Press "OK" twice, then click "Next".

In the "Protocol and Ports" section, set the following settings and click "Next", as shown below:

  • Protocol type: TCP
  • Endpoint 1 port: All Ports
  • Endpoint 2 port: Specific Ports -> 3260

ipsec13.jpg

In the "Profile" section, apply the rule to "Domain", "Private", and "Public" then click "Next" as shown below:

ipsec14.jpg

In the "Name" section, enter a name for this rule.  This is just a text label to help you identify the rule later.  Click "Finish", as shown below:

ipsec15.jpg

 

Confirm Rule Is Enabled in the Windows Firewall Console

You should now have a rule that requires IPsec (ESP) for traffic between your Windows client and the specified VPSA IP address on TCP port 3260 (iSCSI) only; all other traffic is unaffected.  Ensure the rule is enabled, as shown below:

ipsec16.jpg

 

(Optional) Check IPsec Security Associations

If you like, you can check the Windows client's IPsec security associations as seen below:

ipsec17.jpg
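The same Windows-side configuration as the MMC steps above, including the optional security-association check, can be applied from an elevated PowerShell session with the built-in NetSecurity module (Windows Server 2012 / Windows 8 and later). This is an added example, not a script from the original article or from the VPSA product; the IP addresses and rule name are placeholders you must replace, and the key is prompted for rather than written into the script.

```powershell
# Added example (not part of the original article): Windows IPsec for iSCSI to a
# VPSA using the NetSecurity cmdlets. Run elevated. Existing iSCSI sessions to
# the VPSA may drop while the rule takes effect.

# Assumed placeholder values, not taken from the article.
$ClientIp = '10.0.0.10'            # Windows initiator address that routes to the VPSA
$VpsaIp   = '10.0.0.20'            # VPSA iSCSI portal address
$RuleName = 'VPSA iSCSI IPsec'
# The VPSA's IPsec key (VPSA GUI: Settings > Security). Prompted so it does not
# land in the script file or the command history.
$Psk = Read-Host -Prompt 'VPSA IPsec preshared key'

# Firewall state "On" for Domain, Private and Public; ICMP not exempt from IPsec.
Set-NetFirewallProfile -All -Enabled True
Set-NetFirewallSetting -Exemptions None

# Key exchange (Main Mode): a single proposal, AES-CBC-128 / SHA-1 / DH group 2,
# 180-minute lifetime, unlimited sessions, Diffie-Hellman forced on every rekey.
# -Default makes this the machine's "IPsec defaults" main mode set, which is what
# connection security rules use (they carry no main mode set of their own).
# SHA-1 and DH2 are legacy values kept here only because they must match the VPSA.
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES128 -Hash SHA1 -KeyExchange DH2
New-NetIPsecMainModeCryptoSet -DisplayName "$RuleName main mode" -Proposal $mmProposal `
    -MaxMinutes 180 -MaxSessions 0 -ForceDiffieHellman $true -Default | Out-Null

# Data protection (Quick Mode): ESP only (no integrity-only proposals, so the
# payload is always encrypted), AES-CBC-128 / SHA-1, rekey at 60 min or 10,000,000 KB.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES128 `
    -ESPHash SHA1 -MaxMinutes 60 -MaxKiloBytes 10000000
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "$RuleName quick mode" -Proposal $qmProposal

# First authentication method: preshared key (computer authentication).
$authProposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "$RuleName auth" -Proposal $authProposal

# Connection security rule: require authentication inbound and outbound, but only
# for TCP from any local port on the client to port 3260 on the VPSA, all profiles.
New-NetIPsecRule -DisplayName $RuleName -Enabled True `
    -LocalAddress $ClientIp -RemoteAddress $VpsaIp `
    -Protocol TCP -LocalPort Any -RemotePort 3260 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name `
    -Profile Domain, Private, Public | Out-Null

# Optional check (the last step of the article): once an iSCSI session to the VPSA
# is open again, main mode and quick mode SAs to the VPSA address should exist.
function Test-VpsaIPsecSA {
    param([string]$Remote = $VpsaIp)
    $mm = Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $Remote }
    $qm = Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $Remote }
    if (-not $mm -or -not $qm) {
        Write-Warning "No IPsec SA to $Remote. Reconnect the iSCSI target and retry."
        return $false
    }
    # Full property dump shows the negotiated ESP cipher/integrity and lifetimes.
    $qm | Format-List
    return $true
}

Test-VpsaIPsecSA
```

If `Test-VpsaIPsecSA` reports no SA, check the iSCSI initiator first: with "Require" on both directions, a mismatched key or algorithm set leaves port 3260 unreachable rather than falling back to cleartext, which is the intended behaviour of the rule.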
