Confused about IP Security Rules
In Group Policy, under IP Security Policies on Active Directory, I have defined a policy called "Contoso IPSec Policy". In it, I have 2 Security Rules, one very strict for Telnet, and another just requesting encryption for all traffic.

Now, I obviously don't understand this properly (see screenshot below), because with both Security Rules enabled, a Telnet session gets established with the less strict policy ("All IP Traffic"). What I want is to have one set of rules for Telnet traffic, and another for all other traffic.

If I disable the "All IP Traffic" rule, leaving only the "Encrypt Telnet Filter" rule in place, the correct Quick Mode associations are made when I initiate a Telnet session.

How can I achieve my goal?

Grant Ward, a.k.a. Bigteddy
What's new in Powershell 3.0 (Technet Wiki)
Network Live Audit - Powershell script
January 21st, 2012 11:27am

Hi Bigteddy,

Thanks for posting here. May I know the addresses set for the source and destination entries in both of these filter lists? The explanation in the article below might help:

"The IPSec driver automatically orders the rules based on the most specific to the least specific filter list. For example, the IPSec driver would apply a rule containing a filter list that specified individual IP addresses and TCP ports before a rule containing a filter list that specified all addresses on a subnet."

IPSec Policy Rules
http://technet.microsoft.com/en-us/library/cc786197(WS.10).aspx

Regards,
Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tnmff@microsoft.com.
January 22nd, 2012 11:35pm

Hi Tiger Li,

The Telnet rule is very specific: To: This computer, From: 10.0.0.31, Protocol TCP, Port 23 (mirrored). The "All IP Traffic" rule is far more general (from any, to any, any, any, request encryption). This is why I expected an additional Quick Mode association when making a Telnet connection, but this was not so. The QM association from general communications (according to the second rule) was used for Telnet communications, it seems.

Grant Ward, a.k.a. Bigteddy
January 22nd, 2012 11:56pm

Hi Bigteddy,

Thanks for the update. Could you show us the results of this policy and these two rules by running the commands "netsh ipsec static show policy name=all" and "netsh ipsec static show rule name=all" here?

Regards,
Tiger Li
January 23rd, 2012 3:50am


C:\>netsh ipsec static show policy name=all
ERR IPsec[05072] : No Policies in Policy Store

C:\>netsh ipsec static show rule name=all
ERR IPsec[01015] : 'policy' tag is needed

Grant Ward, a.k.a. Bigteddy
January 23rd, 2012 4:09am

The results from netsh are unexpected. There is definitely an active policy (defined in Group Policy), and two active Rules (see previous screenshot).

Grant Ward, a.k.a. Bigteddy
January 23rd, 2012 4:29am


This command gave me the rules details:

netsh ipsec dynamic>show rule

Transport Rules
-------------------------------------------------------------------------------
MM Filter Name         : 2
QM Filter Name         : 2
Connection Type        : ALL
Source Address         : <My IP Address> (255.255.255.255)
Destination Address    : 10.0.0.31 (255.255.255.255)
Protocol               : TCP  Src Port: 0  Dest Port: 23
Mirrored               : yes
Main Mode Policy       : 1
Authentication Methods : Kerberos
Security Methods       : 1 3DES/SHA1/DH2/28800/QMlimit=0
Quick Mode Policy      : Require high authentication and encryption
Inbound Action         : Negotiate
Outbound Action        : Negotiate
-------------------------------------------------------------------------------
MM Filter Name         : 1
QM Filter Name         : 1
Connection Type        : ALL
Source Address         : <My IP Address>
Destination Address    : <Any IP Address>
Protocol               : ANY  Src Port: 0  Dest Port: 0
Mirrored               : yes
Main Mode Policy       : 1
Authentication Methods : Kerberos
Security Methods       : 1 3DES/SHA1/DH2/28800/QMlimit=0
Quick Mode Policy      : Request Security (Optional)
Inbound Action         : Passthru
Outbound Action        : Negotiate

2 Transport Filter(s)

Grant Ward, a.k.a. Bigteddy
January 23rd, 2012 4:34am


Hi Grant,

Thanks for the update. According to your requests, I think we'd better add a new "deny all incoming telnet traffic" rule but allow secure incoming telnet communication from a specific source address, which is the current rule "Encrypt Telnet Filter". Take a look at the example below:

How to associate IPSec IP filter list to IPSec filter action
http://www.omnisecu.com/security/ipsec/how-associate-ipsec-filter-list-to-filter-action.htm

Important Note: This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

Regards,
Tiger Li
January 23rd, 2012 9:12pm


Hi guys,

I think since the security method used in both filters is the same, the same Quick Mode SA is being used for both kinds of traffic. The difference between the two filters is that the Request Security (Optional) traffic can fall back to clear if the host on the other side is not able to complete the IPsec negotiation successfully. But that won't happen to Telnet traffic. Also, if you chose some other, less secure security method for the "All Traffic" filter, I think two Quick Mode SAs should be formed for the two communications.

-CrDev
Blogs: http://blogs.msdn.com/b/satyem
January 24th, 2012 7:59pm


Hi Grant,

If there is any update on this issue, please feel free to let us know.

Regards,
Tiger Li
January 25th, 2012 3:58am


> Hi Grant, Thanks for the update. According to your requests, I think we'd better add a new "deny all incoming telnet traffic" rule but allow secure incoming telnet communication from a specific source address, which is the current rule "Encrypt Telnet Filter". Take a look at the example below:
> Tiger Li, TechNet Community Support

I don't really want the rule to be so specific as to only allow one IP address. I did that for testing purposes, thinking that if I made the rule very specific, it would take precedence. In fact, I want to allow Telnet traffic from all sources on the local subnet, but with AH and 3DES mandatory encryption. All other traffic must be set to "request", otherwise communications fail completely, I find. I'm not quite sure what to try next.

Grant Ward, a.k.a. Bigteddy
January 25th, 2012 4:52am

Hi Bigteddy,

From the result of the command "netsh ipsec dynamic>show rule", the rule seems to be misconfigured. In this situation, the source port of the rule should be 23 (server side) and the destination port of the rule should be any (client side). When a client tries to telnet to a server, it uses a dynamic port as the source port and 23 as the destination port. To the client, the source is the client itself and the destination is the server. However, to the server, the source is the server itself and the destination is the client. Hoping the information could help you.

-------------------------------------------------------------------------------
MM Filter Name         : 2
QM Filter Name         : 2
Connection Type        : ALL
Source Address         : <My IP Address> (255.255.255.255)
Destination Address    : 10.0.0.31 (255.255.255.255)
Protocol               : TCP  Src Port: 0  Dest Port: 23
Mirrored               : yes
Main Mode Policy       : 1
Authentication Methods : Kerberos
Security Methods       : 1 3DES/SHA1/DH2/28800/QMlimit=0
Quick Mode Policy      : Require high authentication and encryption
Inbound Action         : Negotiate
Outbound Action        : Negotiate

Scott Xie
Best Regards
January 30th, 2012 4:19am
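Three points made in the replies above can be checked offline: Tiger Li's quote that the IPsec driver applies the most specific matching filter first, CrDev's observation that both filters carry the same security method, and Scott Xie's point that the port direction in the Telnet filter decides which side of a Telnet connection it actually matches. The Python below is an added example written for this page; it is not code from the thread and not Microsoft's implementation. It parses the "Transport Rules" text that "netsh ipsec dynamic show rule" printed (transcribed here as a constructed sample, with the placeholder <My IP Address> replaced by an assumed 10.0.0.10 and an assumed client port 49152), picks the filter the driver would apply to a packet using specific-before-general ordering, and flags filters whose action can leave traffic in the clear. The specificity weighting (address masks, then protocol, then ports) is an approximation of the driver's ordering, not the real algorithm.

```python
"""Specificity-ordered matching of legacy Windows IPsec transport filters.

Added example for this thread, not code from the posts or from Microsoft.
It parses the text printed by `netsh ipsec dynamic show rule`, selects the
most specific matching filter for a packet, and audits the filter set.
Assumptions: <My IP Address> is 10.0.0.10; the client port is 49152; the
specificity weighting approximates the driver's ordering.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample: the two transport rules posted in the thread, with the
# placeholder <My IP Address> replaced by the assumed address 10.0.0.10.
SAMPLE = """\
Transport Rules
----------------------------------------
MM Filter Name : 2
QM Filter Name : 2
Connection Type : ALL
Source Address : 10.0.0.10 (255.255.255.255)
Destination Address : 10.0.0.31 (255.255.255.255)
Protocol : TCP Src Port: 0 Dest Port: 23
Mirrored : yes
Main Mode Policy : 1
Authentication Methods : Kerberos
Security Methods : 1 3DES/SHA1/DH2/28800/QMlimit=0
Quick Mode Policy : Require high authentication and encryption
Inbound Action : Negotiate
Outbound Action : Negotiate
----------------------------------------
MM Filter Name : 1
QM Filter Name : 1
Connection Type : ALL
Source Address : 10.0.0.10
Destination Address : <Any IP Address>
Protocol : ANY Src Port: 0 Dest Port: 0
Mirrored : yes
Main Mode Policy : 1
Authentication Methods : Kerberos
Security Methods : 1 3DES/SHA1/DH2/28800/QMlimit=0
Quick Mode Policy : Request Security (Optional)
Inbound Action : Passthru
Outbound Action : Negotiate
2 Transport Filter(s)
"""

ME = ip_address("10.0.0.10")    # assumed address of the machine that ran netsh
PEER = ip_address("10.0.0.31")  # the Telnet peer named in the posted filter
CLIENT_PORT = 49152             # assumed ephemeral port of the Telnet client


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Filter:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str      # "ANY" or a protocol name such as "TCP"
    sport: int      # 0 means any port
    dport: int
    mirrored: bool
    secmethods: str
    qm_policy: str
    inbound: str
    outbound: str

    def _one_way(self, pkt, src, dst, sport, dport):
        return (pkt.src in src and pkt.dst in dst
                and self.proto in ("ANY", pkt.proto)
                and sport in (0, pkt.sport) and dport in (0, pkt.dport))

    def matches(self, pkt):
        """A mirrored filter also matches with addresses and ports swapped."""
        if self._one_way(pkt, self.src, self.dst, self.sport, self.dport):
            return True
        return self.mirrored and self._one_way(pkt, self.dst, self.src, self.dport, self.sport)

    def specificity(self):
        """Higher wins: narrower address masks, then a fixed protocol, then fixed ports."""
        return (self.src.prefixlen + self.dst.prefixlen,
                self.proto != "ANY",
                (self.sport != 0) + (self.dport != 0))

    def allows_cleartext(self):
        """True when inbound clear text is accepted or negotiation is only optional."""
        return self.inbound.lower() == "passthru" or "optional" in self.qm_policy.lower()


def parse_addr(text):
    """'<Any IP Address>', '10.0.0.31 (255.255.255.255)' or a bare host address."""
    if text == "<Any IP Address>":
        return ip_network("0.0.0.0/0")
    m = re.fullmatch(r"(\S+)(?:\s+\((\S+)\))?", text)
    return ip_network(f"{m.group(1)}/{m.group(2) or '255.255.255.255'}", strict=False)


def parse_rules(text):
    """Parse the 'Transport Rules' blocks of `netsh ipsec dynamic show rule`."""
    filters = []
    for block in re.split(r"^-{10,}\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$", line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if "QM Filter Name" not in fields:
            continue  # header or trailing count line, not a filter
        p = re.fullmatch(r"(\S+)\s+Src Port:\s*(\d+)\s+Dest Port:\s*(\d+)", fields["Protocol"])
        filters.append(Filter(
            name=fields["QM Filter Name"],
            src=parse_addr(fields["Source Address"]),
            dst=parse_addr(fields["Destination Address"]),
            proto=p.group(1).upper(), sport=int(p.group(2)), dport=int(p.group(3)),
            mirrored=fields["Mirrored"].lower() == "yes",
            secmethods=fields["Security Methods"],
            qm_policy=fields["Quick Mode Policy"],
            inbound=fields["Inbound Action"], outbound=fields["Outbound Action"]))
    return filters


def select(filters, pkt):
    """The filter the driver applies: the most specific one that matches, or None."""
    hits = [f for f in filters if f.matches(pkt)]
    return max(hits, key=Filter.specificity) if hits else None


def audit(filters):
    """Findings a reviewer would want before trusting this filter set."""
    findings = [f"filter {f.name}: {f.qm_policy}; inbound {f.inbound}: clear text possible"
                for f in filters if f.allows_cleartext()]
    if len(filters) > 1 and len({f.secmethods for f in filters}) == 1:
        findings.append("all filters share one security method: " + filters[0].secmethods)
    return findings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE)
    cases = [("outbound telnet me -> peer:23", Packet(ME, PEER, "TCP", CLIENT_PORT, 23)),
             ("inbound telnet peer -> me:23", Packet(PEER, ME, "TCP", CLIENT_PORT, 23))]
    for label, pkt in cases:
        chosen = select(rules, pkt)
        print(f"{label}: filter {chosen.name} ({chosen.qm_policy})")
    for line in audit(rules):
        print("finding:", line)
```

Run stand-alone, it shows that a Telnet session opened from this machine to 10.0.0.31:23 lands on the strict filter, while a session arriving at port 23 on this machine from 10.0.0.31 matches only the mirrored general filter, whose Passthru inbound action and optional negotiation can leave it unencrypted. A filter meant to protect a Telnet server therefore needs port 23 on the "this computer" side. The audit also reports that both filters negotiate the identical security method. Separately, the two "netsh ipsec static" commands earlier in the thread failed because the static context shows the local policy store by default, which is empty when the policy is assigned through Group Policy; the dynamic context shows what is actually in effect.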

I have tried to set the rule according to your suggestions. Now I get no Telnet communications whenever the Telnet rule is enabled. Before, Telnet would work, but not invoke an extra (stricter) SA. Now, I don't know what I've done wrong. Normal communications are using the default IPsec rule, but Telnet comms (both ways) won't work if I enable the stricter rule in addition to the default rule. This is not so important, and we can consider this topic closed, unless anyone has any bright ideas?

Grant Ward, a.k.a. Bigteddy
February 1st, 2012 12:47pm

