Udostępnij za pośrednictwem


Step 1: Reconfigure your Lab Computers to Support the IPsec Client-to-Gateway Scenario

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

Important

The procedures in this topic use features that are new to Windows 7 and Windows Server 2008 R2. If you are running Windows Vista on CLIENT1, or Windows Server 2008 on MBRSVR1 then you cannot complete this scenario.

For the previous scenarios, all three of your computers were on a single subnet, with IP addresses of 192.168.0.xyz. In the following procedure, you move CLIENT1 to a different network that represents the public Internet. You also configure a second network adapter on MBRSVR1 to connect to the same public network. This enables MBRSVR1 to act as an IPsec gateway, providing access from CLIENT1 to the private network on which DC1 resides. You also remove the GPOs that were developed for the previous scenarios so that you can work locally on CLIENT1 and MBRSVR1.

To remove the GPOs for the previous scenarios

  1. On MBRSVR1, in Group Policy Management, under Group Policy Objects, right-click Firewall Settings for Windows Clients, and then click Delete.

  2. On the confirmation dialog box, click OK.

  3. Repeat steps 1 and 2 for the Firewall Settings for Windows Servers and the Domain Isolation GPOs. Do not delete the Default Domain Policy or Default Domain Controllers Policy.

  4. On both MBRSVR1 and CLIENT1, run the command gpupdate /force. This removes the GPOs from those computers and removes all of the restrictions caused by them.

To reconfigure CLIENT1

  1. Disconnect the network cable connecting CLIENT1 to the private network that connects MBRSVR1 and DC1, and then connect it to a switch for a separate network. If you are using virtual machines (VMs) for this guide then create a separate virtual network and connect the network adapter on CLIENT1 to it.

  2. On CLIENT1, click Start, click Control Panel, and then under Network and Internet click View Network status and tasks.

    Network and Sharing Center appears.

  3. In the navigation pane, click Change adapter settings.

  4. In the Network Connections window, right-click the network adapter, and then click Properties.

  5. On the Properties dialog box of the network adapter, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  6. Change the IP address for the adapter to 131.107.0.101, change the Subnet mask to 255.255.255.0, and then change the Default Gateway to 131.107.0.100. Leave the DNS Server fields unchanged, and then click OK two times to save your settings.

Now configure MBRSVR1.

To reconfigure MBRSVR1

  1. If you have not yet done so, shut down Windows, and then install a second network adapter in MBRSVR1. If you are using VMs for this guide then shut down Windows and use your VM administration console to configure a second network adapter for MBRSVR1.

  2. Connect the network cable from the new network adapter to the same network as CLIENT1. If you are using VMs for this guide then connect the adapter to the same virtual network as CLIENT1.

  3. Restart MBRSVR1, and then log on as contoso\admin1.

  4. On MBRSVR1, click Start, click Control Panel, and then under Network and Internet click View Network status and tasks.

    Network and Sharing Center appears.

  5. In the navigation pane, click Change adapter settings.

  6. In the Network Connections window, right-click the new network adapter, and then click Properties.

  7. On the Properties dialog box of the network adapter, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  8. Select Use the following IP address.

  9. Change the IP address for the adapter to 131.107.0.100, and a Subnet mask of 255.255.255.0.

  10. Click OK to save your settings.

The only change you must make on DC1 is to set the default gateway to point to MBRSVR1.

To reconfigure DC1

  1. On DC1, click Start, click Control Panel, and then under Network and Internet, click View Network status and tasks.

    Network and Sharing Center appears.

  2. In the navigation pane, click Change adapter settings.

  3. In the Network Connections window, right-click the network adapter, and then click Properties.

  4. On the Properties dialog box of the network adapter, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

  5. Change the Default Gateway to 192.168.0.100. Leave the all of the other fields unchanged, and then click OK and Close to save your settings.

The next step enables IP packet forwarding on MBRSVR1 so that packets arriving at the end of the tunnel are forwarded on to the private network and vice versa.

To enable packet forwarding on MBRSVR1

  1. On MBRSVR1, at Administrator: command prompt, run the following two commands:

    netsh interface ipv4 set interface “local area connection” forwarding = enabled
    netsh interface ipv4 set interface “local area connection 2” forwarding = enabled
    

By default, the ICMP protocol that is used by ping is blocked by the firewall so the next step is to enable ICMP on CLIENT1 and MBRSVR1 so that we can verify connectivity. ICMP is already enabled on DC1 because of the Active Directory rules that are automatically enabled when the role service is installed.

To enable ICMP traffic on MBRSVR1 and CLIENT1

  1. On MBRSVR1, start Windows Firewall with Advanced Security.

  2. Click Inbound Rules, right-click the rule File and Printer Sharing (Echo Request – ICMPv4-In), and then click Enable Rule.

  3. Repeat steps 1 and 2 on CLIENT1 to enable the same rule on that computer. On CLIENT1, there are two versions of the rule – one for the Domain profile, and one for the Public and Private profiles. Enable both rules.

  4. Now you can confirm connectivity on your new network. On CLIENT1, at a command prompt, run the command ping 192.168.0.1. Confirm that you receive replies from MBRSVR1.

Note

You have to use the IP address, because CLIENT1 currently cannot communicate with the DNS server on the private network.

  1. On DC1, at a command prompt, run the command ping 131.107.0.101, and confirm that you receive a reply from CLIENT1.

Tip

You may need to restart CLIENT1 for this to work.

Next topic: Step 2: Create the Connection Security Rules for the Remote Client and IPsec Gateway