From bfff2e829c821b61fbf60fe0e7dc632233b95904 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Tue, 14 Nov 2023 10:56:19 -0500
Subject: [PATCH] updates

---
 ...blishing.redirection.windows-security.json | 5 +
 .../windows-firewall/images/corpnet.gif | Bin 7184 -> 0 bytes
 ...to-end-ipsec-connections-by-using-ikev2.md | 137 ------------------
 .../network-security/windows-firewall/toc.yml | 2 -
 4 files changed, 5 insertions(+), 139 deletions(-)
 delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/images/corpnet.gif
 delete mode 100644 windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md

diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json
index fb0fdfdf27..2d0a38c37e 100644
--- a/.openpublishing.redirection.windows-security.json
+++ b/.openpublishing.redirection.windows-security.json
@@ -8004,6 +8004,11 @@
 "source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md",
 "redirect_url": "/windows/security/operating-system-security/network-security/configure-with-command-line",
 "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md",
+ "redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831807(v=ws.11)",
+ "redirect_document_id": false
 }
 ]
 }
\ No newline at end of file
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/images/corpnet.gif b/windows/security/operating-system-security/network-security/windows-firewall/images/corpnet.gif deleted file mode 100644 index f76182ee25c7510ca9929611898fac5a56a9c194..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7184 zcmWmH`6JVhcpAF-I!NzMt>^@O=F6w6HSQ(e>U2R)AkT0FTFinCY~TlY7!u+xs#zGBteU)lfi$ z|4eJk_(;{%E9Umj)<}P;lYl^NO@3_NZ3zjX4-2#X-MLR%Qg;9RI3x+Ru7Bh(yBl z^t)H%_0w-!iwe^^+VaU{a&m&-(&Cuy#i+9ZE-^7NJ3rS-i*8m_RBUd1URi$A+|u0K z$!u(Gxa{aS|M_Fze?4~|mdw8Epk~$r0I>FBo=7D2_V#*3q%CrWNF>s|nkrpWoq~J0 zeq}vZlk=Jyk`?C<~k{B`O3*Xfk9WhK~B0=Blha>5YwzckY#O*B8ysnzG04 zH-&{2RL1V^?sh#d+}rz;5EmSu5bxn;l%JnlJ6xTR7dQQJDme05ZuX_B?Ch^AQ#Dn$ zLldc&FJBG|Ip=%HcX4s?*RNk=LwEao9}m2mJV!lS-+q65YD^o6^ziWb`t|G6-uB1~ z7ykU-T3lXWb+r%m7OsAq{kr<4_@M9Ya{hek@b12uAvuOn=21nT9=oX?Yz%F>3CAZ2>)+v?AI@DadEMu zm;K`hF%_lPSHFLtWkg3tM*iGhy>;`NvF;%|Kf6y0Bk$k8*U(X)oSvX~*;!gy_{2J$ zu|0V^D(dgwUn3(US(SIYUsiKB*XtkG7w26$qN{~Qz{>0M`?||y1H7~cz5~J`0D!it{zqih0@X4H8VXiHaa>qF_fB` z5)*Zv`M4-1EwAEEMs5W?$=Za@$heQkXSbz{k2c#3etvptz$4Dr zwbFKWaxy77X?URSV$^ktjm?ks)kV(as}JwJLnz@fVR<>RWo2c~uFh9tE?tceVUIt( zb-ynr>z4a%yXpG6%-rDP$F(J7#Zn5Ac|4x{A1DX_c!1{r`T_pm1c2lLJU$sqCZjtZ zDXi`>#H{R1#wl8tTQ*hor%Py`IeNU|UQ?V~09(hLUOkYf>iEE8xOtHXD5U306fgBK zHLa5V>ANUcjaHE2QL-b{V!K%JfIaEpSk9odc$Ux|>$V5Zspbf&zdsLK6~?YNvEng-WCh2mv&sx8}u5*0o_209$@9&trV2||X>CBjR-@$N<+mV5C zOdv}WL~Aj=%ip3r)hWeX_cFBj3uOQ{GoO=N{O}eQRh&&z~|>s8phB$%7bq z37cPQT#OXQw(a;LK!XbBKKirAE z{Z(-#26}-tPWpvk71NKUwtC+2j0-PJ6t_f>ynWT3l}k+JN~ZZ8Bz@f-!{?M$%1)t< zss@3_1B)t~XJ%?Eh?Dp{QvXnXLS^D^1m^T%WaLscOps>*2`0Q1DInzqnf1DcIVgXl zl)?+0vhGHIo4K+t2%RTg7LE68*$R7-cf(Pt_N}*4u<|1<t5_fYH<}v&Inzh?rh_TK>{sx-=-~L0QSw8{9lEM&) zL-;%8%!M8a3qK5hR{))b@+8nnvO-AI-F^Bp>yZFka<64xtcO6MI(oC#<&KBj%u2?wC%$83LfSv73%;Va%S zkOH@U{ktJ>6*oDcF4;GixS0O_eFRv9Z4AO6D?g$;Z@Ov#(@s*n3#?R*zK_u1!wDuz z+_#9f=C9z8tOd$%c_DtZ^}dfl`6iHK6?|6Dq)X6LoBKr+@WByCJ|Zn@bM5#V+%WiT 
zFGjG!R1kKsyGYgq7Tic4#Lvf11bq@p5X_Qfw$h_TM0EOpHb3cHvtmT=IJ$mP<|Y7i zh_rYLYb~z!>9784(NGcvJo&aG^aB|3Rp>io=`fR? z_3o8v2Ze(;mDpGvGxcY5;I9ru$J7$NaEFK_H^f7S>Ws8U>Vlz26U~<_^Z#OVUU)^@Sz@c_bj6?0OOw3W^W)^Ok=eI%Jwg2REk6{;Edy>76-pyugXDt4ew?t}B$A zvsW$ujtMtS+YFBRuq1={YUTXwe(>=+Fu{v2MWT2!$B^&|`hbPLJd>-NncgdLlyYkO zw(%{sawQN2NF+#X6+a8~IChj0C+0yySNw+VMIeXIR4pF2cx@kfsHmo^!_VI8L?t ziSO*P{0%Z|kEUJaG9T*-OF6aeDDgQ+4aFunKJ=c0TiTR8@ciYFah_t?2v);V zGjhaMpkfc=Gi`F4x!}I`+GduTrY*th%}`I`*+`|yhP2lO)gBnv@<*4?SUF}0Eja6$ ztRQXKZyJd_zVNntRt`QI?hT5feeLxAM*%5H^cS1MPd;>iuM0vuwT3%)j9d`|=mPA3I3-d86MOb(A|LGuzzI!@Sn>WaF1I-QRr z!PKuAi{3XTNWh2vO=NddGA@REl2X)lPh{fVDn-7wa;VC=rbF59&~d(%`I{cmVUJNA8 z^Sb09fi2QXh}x+W?-XQ>*ZcKMo!3@6R|r5Xz^WKk}3$=mO1KBUm~OG)-oA zEEfA@tMO@9wmr(K3iOyW!ygXVsQnw2v+-b-uw8^)bi&1>5%j29BGin(cRttWfsBXZ@7?~x+|AO|yc+MWh=xmI>gm)_ z1z0ZcxW;pfmZtMg-le(^BLbx0G<(z4WFi1im0oVL{Xl?9F|99J0^#LBdaU`Sc<>pn zS&yCp1k+fP&YyzQd72WZ#U+Q~TA+COD@P3tV@E}B+NEzBz9VdG-=->*yN1eNwtTGz z`9NusjvTm1W*Pz0J4c!a=e`EjDfv#xi4;C11(oaw1nS zbWAScxAd$JdG}#k<|WMl1K$7uglP4?7KM(MPC9?H=LZ{B_T^8b;rRrG=~!ejN1CUG z)VkH?OoHkXKSMpbisb3zH*N|W{+TF@Z`Kven*Q?QVnju*cQqcM=jm;{JF%q#b|gVn z5_G-~N|=xUBbL4h5L574&z)=5)B+Z!->&VBQC*0E;=w*ty&P>_;S`9Th@l-TI#>%T zOa!6GkmrhVxsH%y_>(nDx^|4%=U*a&7hg`(&X zo(cN3qrp328$Npc?x47|u(C{q(7r2wGY4%%LW3d^!(m0)@M4?+&}YiW>#(X~CtaJQ2@yfw zR8S5bMq`|EDz@5gO?I1>004wJ3pB_AZ2~YbE1tR#D}+Zq0nl|ge&YxeukBObZ%pFp z$lMh%{uGcf8MH$~Z81|etJlnCUI zAjX#HtcV!0pZ1F(8kCBD$%Te=z{)H^Q}G6Df=wzb9s{b*%-);MZUYc6D<$@y zfDduNcJve-e1guBg?@E9l$w=3Nt35w4-rv86fBKuqFkKxiC}2xls!ShDCp)A+;Wv8 zb5%=n)zxynxM(F7iYS?PL@lqEh_&LtGdQbCI{$SMbAV~^Bn1K#r!yO`$uZdV( zhvuXirE1{8AGy#e0J#{EuoXbUmVo7$Adi^>uRjG8$wD99LciexIS#U(i}=FPyfRZ5 zG>pt*A};6_g}N0{zJk<9fDjJ)gMvt9LBC6eEi#2)_!<~V>Ooqmj* zSej6P4J`A^DQ;q;pY!;Tdim+TM@xDGMMaJIvl!Sxrhowv+rUO_yH)H2Ry0uZzVeAY z?!f+`ASP6@S|Y8x-`rVI1%)w>J^#aJyKQPuuZGZ8@{D+XF+-ABc8n7H^mpi?OWD+544DWv$77Xfm2PB# z3?kN_4YDk)wl1v>B_j4}?nb(qs!B0*=#XJcM*MbFl;Azox2#%vem23@?P-N`4m5;_ 
zE+>KqDJVZOmSY5oVnEO&zR+{Eq1K2I3e=ig?JroPQd;FsOK8ro`KT+#zXCtl`FWvamU8DJ_I{R+?D#%^$<34{a|X=)UHAPP`&z*RVeGmT%FM@(;J!@K@4NUd-( z<5v0xT9^qR*+xOwNFf_LD8=q~sFZ9EqL%@!vxF-#z#$aq+4Qz@0AzC4hU&I9{VL4E-0E`T}?;%8HZ zqX5|Cu+T6Q;COoOe>x+gpJ+jAi zs$=zVa^eg~vpX0^f>21JnSVRrf)dSi;3E;9!$!8^AU@UTe?V(xx0WyQ=9(oE#X)79xWc6~aciV+8aQ1QFN8$i_@Tkf)0WuWln^xh{CxaVGbMLGc|dZrA1>HmEhM|yuHp0IA&=c#+oaB?*tc|FL|++a{=q%PSlWFDC(gkK zn&aU<3O!ADOAn!w$AxQo#*%s)8fVPK#hQoCZC?4QMR*?fBF1AFA|wQl!=o1cV4%TT zd$3Y-FX2eO5as-gJuGwNZ9tHSY@P6ezc3EN`niV(dAb@Q?2%tYeW8nP7V%NihF}) z!kP!6-tOKxqJ5{;+`69uMAaV+;#Y&m^>WlZe-31!rP~T7Xv@M6eS{u{1kFeJuXQUe zjo~VH6gzgXMY-cixvnb9m$DqrTkecM`5>4%HFT?y9O5apAxm6yrSocFR_UBAaBVkl}qK)sbPw}9A%%|(rfqc%eJ#IKRic` zugNAI{2=cdnkn6CMEwiDw!iGTo8tV{@it$2lXgkde{j&OUd!bIXLW&3%AE8WWaW&}Tluh%!K+E5 zp)R=Ae-Z6>25o|+aVK6u?V$Dm1|L{K!u+Ia5g97O>H5H$t=X4)Hwx_^-mWSsWB<|C}?>pwtQ zu!vpw%`Vmbkg2Og936WzmvMzB}*99FKJ!jPFr7b2ev9YG=kkMMlkOk_G2j-UcI z0Lbg%^N4-n;(dTcEUhhY;&z;C2?dcU-7(U*H-ONumHZ>8nLVJ{A$81Yp^R5L_-im(G0mSg6s9?;8pG zo&_x;feG9nMN9~SfjSCcl^AdY4R(zQMSfV5+*q5(|9B5TBPoC&9sX+{;!1>sFkmM+ z7=0$Bhygba;tIxcXQ?0$8r+q!LEu2J>nJz{Im3ad@*t4_R+hKEf!+AlP63sWAP1Oy zg)~?Z1qj5$67jGOE;4`vxk+CiWo;ad;r9P;1}V@ID)s;sTE-O^rNa}M0GftQq+tmZ zAe!?PLEN%EFJgD#=SeCOPx@)hcWA({8)<1px-^Ccr=Pn=-z`+kqKKBW*kA-+7JR1`HNUKs0g*N<@)w~|}|8ErRUs8|)$M0c4d5YD|>v9Go&xTLw0 zJ}+Qk=p;HFeo@Irv7!1u56-7oSrGXApT4cNSSfEH>EMO;Q$O504kXv$?ccp6*jy9) z2Q+P3+DPV!nR4^K%(Y8;a5>!<>x$%+DuKw<* zexZ^}Vl6<|7%c=1Z$VJJ%(16o>*KbNv>9ag>phY$p9K9tO&L<~bdPnTQp87~$w$fV zuEy(V&F{%&zix0BGG75yd_M@{5cj-!Gm9f26sY;zjq`2fxXm{6^z0-L!6&C+bWeW+ zb(G6Wi_&LQc=|J|a0jANI0#LD))ygVatZ}xKw~L%T{yJyDHpljVVW6fEsrx2bH_|P zkz`C?C{n`68>Jx?N#24doi^^#VHj3iIz*29DH$1+f`T3MB2Vgz-^+h>M55BtTimMM z+b0)E-HuJLX^*U>?Q3>ll!Pd#62L;x(&}NbOL@o{y#gu!6tcf6I8CzzP%u64B7;Sf z{is8c7AlM75i^w@k>l^0Ej3(sur_=Knt%k14NPdTN!mE%^*8Ye{$c^`|WGfM$X;T==yM3SG8-K|NG{kc5^FO<(!RraRO99&M!Dw&pV7NlsI z [!NOTE] -> This topic includes sample Windows PowerShell cmdlets. 
For more info, see [How to Run a Windows PowerShell Cmdlet](/previous-versions//bb648607(v=vs.85)).
-
-## Prerequisites
-
-These procedures assume that you already have a public key infrastructure (PKI) in place for device authentication.
-
-## Devices joined to a domain
-
-The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1.
-
-![the contoso corporate network.](images/corpnet.gif)
-
-The script does the following:
-
-- Creates a security group called **IPsec client and servers** and adds CLIENT1 and SERVER1 as members.
-- Creates a Group Policy Object (GPO) called **IPsecRequireInRequestOut** and links it to the corp.contoso.com domain.
-- Sets the permissions to the GPO so that they apply only to the computers in **IPsec client and servers** and not to **Authenticated Users**.
-- Indicates the certificate to use for authentication.
- > [!IMPORTANT]
- > The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
-- Creates the IKEv2 connection security rule called **My IKEv2 Rule**.
-
-Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
-
-```powershell
-# Create a Security Group for the computers that will get the policy
-$pathname = (Get-ADDomain).distinguishedname
-New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" `
--GroupCategory security -GroupScope Global -path $pathname
-
-# Add test computers to the Security Group
-$computer = Get-ADComputer -LDAPFilter "(name=client1)"
-Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer
-$computer = Get-ADComputer -LDAPFilter "(name=server1)"
-Add-ADGroupMember -Identity "IPsec client and servers" -Members $computer
-
-# Create and link the GPO to the domain
-$gpo = New-gpo IPsecRequireInRequestOut
-$gpo | new-gplink -target "dc=corp,dc=contoso,dc=com" -LinkEnabled Yes
-
-# Set permissions to security group for the GPO
-$gpo | Set-GPPermissions -TargetName "IPsec client and servers" -TargetType Group -PermissionLevel GpoApply -Replace
-$gpo | Set-GPPermissions -TargetName "Authenticated Users" -TargetType Group -PermissionLevel None -Replace
-
-#Set up the certificate for authentication
-$gponame = "corp.contoso.com\IPsecRequireInRequestOut"
-$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA"
-$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop -PolicyStore GPO:$gponame
-
-#Create the IKEv2 Connection Security rule
-New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID `
--InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2 -PolicyStore GPO:$gponame
-```
-
-## Devices not joined to a domain
-
-Use a Windows PowerShell script similar to the following to create a local IPsec policy on the devices that you want to include in the secure connection.
-
-> [!IMPORTANT]
-> The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
-
-Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
-
-```powershell
-#Set up the certificate
-$certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA"
-$myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop
-
-#Create the IKEv2 Connection Security rule
-New-NetIPsecRule -DisplayName "My IKEv2 Rule" -RemoteAddress any -Phase1AuthSet $myauth.InstanceID `
--InboundSecurity Require -OutboundSecurity Request -KeyModule IKEv2
-```
-
-Make sure that you install the required certificates on the participating computers.
-
-> [!NOTE]
-> - For local devices, you can import the certificates manually if you have administrator access to the computer. For more info, see [Import or export certificates and private keys](https://windows.microsoft.com/windows-vista/Import-or-export-certificates-and-private-keys).
-> - You need a root certificate and a computer certificate on all devices that participate in the secure connection. Save the computer certificate in the **Personal/Certificates** folder.
-> - For remote devices, you can create a secure website to facilitate access to the script and certificates.
-
-## Troubleshooting
-
-Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections:
-
-Use the Windows Defender Firewall with Advanced Security snap-in to verify that a connection security rule is enabled:
-
-1. Open the Windows Defender Firewall with Advanced Security console.
-1. 
In the left pane of the Windows Defender Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule.
-1. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile.
-
-Use Windows PowerShell cmdlets to display the security associations:
-
-1. Open a Windows PowerShell command prompt.
-1. Type **get-NetIPsecQuickModeSA** to display the Quick Mode security associations.
-1. Type **get-NetIPsecMainModeSA** to display the Main Mode security associations.
-
-**Use netsh to capture IPsec events.**
-
-1. Open an elevated command prompt.
-1. At the command prompt, type **netsh wfp capture start**.
-1. Reproduce the error event so that it can be captured.
-1. At the command prompt, type **netsh wfp capture stop**.
- A wfpdiag.cab file is created in the current folder.
-1. Open the cab file, and then extract the wfpdiag.xml file.
-1. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last "errorFrequencyTable" at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file:
-
-```xml
-
- ERROR_IPSEC_IKE_NO_CERT
- 32
-
-```
-
-In this example, there are 32 instances of the **ERROR_IPSEC_IKE_NO_CERT** error. So now you can search for **ERROR_IPSEC_IKE_NO_CERT** to get more details regarding this error.
-
-You might not find the exact answer for the issue, but you can find good hints. For example, you might find that there seems to be an issue with the certificates, so you can look at your certificates and the related cmdlets for possible issues.
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/toc.yml b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml
index a7c6498905..4add3bf791 100644
--- a/windows/security/operating-system-security/network-security/windows-firewall/toc.yml
+++ b/windows/security/operating-system-security/network-security/windows-firewall/toc.yml
@@ -15,8 +15,6 @@ items:
 href: configure-the-windows-firewall-log.md
 - name: Hyper-V firewall
 href: hyper-v-firewall.md
- - name: Secure connections with IPsec
- href: securing-end-to-end-ipsec-connections-by-using-ikev2.md
 - name: Isolate Microsoft Store apps on your network
 href: isolating-apps-on-your-network.md
 - name: Troubleshoot