rss logo

Setting Up an IPsec Transport Mode Connection Between Two Windows Machines

I'm going to talk here about the possibility of setting up a secure IPsec VPN between Microsoft Windows hosts in the same LAN, to greatly improve network security. Thanks to this configuration, all exchanges between machines will be encrypted, without exception.

Network Architecture

For the purposes of this article, we'll keep our architecture as simple as possible. We'll set up a secure connection with an IPsec VPN with PSK between a computer running Windows 11 and a server running Windows 2022. Both computers will be on the same local network.

Network diagram showing ipsec tunnel between two Windows Hosts
Windows Server Logo

Windows Server

IPsec Configuration

Graphical User Interface (GUI)

  • Open the Windows Defender Firewall with Advanced Security console:
Windows run window with wf.msc written inside
  • Do a right click on Connection Security Rules and select New Rule…:
Windows Defender Firewall with Advanced Security console with the connection security rules drop-down menu
  • Select Custom and click Next:
New Connection Security Rule Wizard window with custom option selected
  • In the Which computers are in Enpoint 1 section, select These IP addresses and click on Add…:
New Connection Security Rule Wizard window, Endpoints step
  • Here we add the Host or Network with which we need have to establish an IPsec connection to communicate:
IP Address window, with network 192.168.1.0/24 filled in
  • Do the same with Enpoint 2 entering the server's IP address then click Next:
New Connection Security Rule Wizard window, Endpoints step
  • For maximum security and impose the use of IPsec select Require authentication for inbound and outbound connections:
New Connection Security Rule Wizard window, Requirements step
  • As we'll be using a preshared key as our Authentication Method in this example, click on Customize…:
New Connection Security Rule Wizard window, Authentication Method step
  • Follow this steps to set the Preshared key:
New Connection Security Rule Wizard window, the three steps to set the Preshared key
  • We can specify one or more specific protocols to be encapsulated inside IPsec, here we encapsulate everything:
New Connection Security Rule Wizard window, Protocol and Ports step
  • We can restrict the rule to specific profiles:
New Connection Security Rule Wizard window, Profile step
  • Finally specify the Name of the rule:
New Connection Security Rule Wizard window, Name step
  • Create a Firewall Rule to allow encrypted flows:

PowerShell

  • We can create the same IPsec Rule as the one configured just above, in a three PowerShell commands line:
PS C:\> $PSKAuthProp = New-NetIPsecAuthProposal -Machine -PreSharedKey "IPsuperSECRET" PS C:\> $PSKAuthSet = New-NetIPsecPhase1AuthSet -DisplayName "PSK auth" -Proposal $PSKAuthProp PS C:\> New-NetIPsecRule -DisplayName "IPsec" -Name "IPsec" -Mode Transport -InboundSecurity Require -OutboundSecurity Require -LocalAddress 192.168.1.200 -RemoteAddress 192.168.1.30 -Enable True -Phase1AuthSet $PSKAuthSet.Name

We've now finisished configuring the server. It's now time to move on to client configuration.

FireWall Configuration

Graphical User Interface (GUI)

  • Do a right click on Inbound Security Rules and select New Rule…:
Windows Defender Firewall with Advanced Security console with the Inbound rules drop-down menu
  • Select Custom and click Next:
New Inbound Rule Wizard window, Rule Type step
  • Choose All programs and click on Next:
New Inbound Rule Wizard window, Program step
  • We can specify one or more specific protocols to be matched by the rule, here we will match Any protocols:
New Inbound Rule Wizard window, Protocol and Ports step
  • Restrict rule application to defined ip addresses concerned:
New Inbound Rule Wizard window, Scope step
  • In the Action step, configure the Require the connections to be encrypted condition:
New Inbound Rule Wizard window, Action step, selecting Require the connections to be encrypted
  • We can limit the application of the rule to specific users, which will not be used for our purposes:
New Inbound Rule Wizard window, Users step
  • We can do the same to limit the rule to specific computers, which won't be used in this example either:
New Inbound Rule Wizard window, Computers step
  • We can restrict the rule to specific profiles:
New Inbound Rule Wizard window, Profile step
  • Finally specify the Name of the rule:
New Inbound Rule Wizard window, Name step

PowerShell

  • We can create the same Firewall Rule sas the one configured just above, in a single PowerShell command line:
PS C:\> New-NetFirewallRule -DisplayName "IPsec ALLOW" -Direction Inbound -Enabled True -Action Allow -LocalAddress 192.168.1.200 -RemoteAddress 192.168.1.0/24 -Protocol Any -Encryption Dynamic -Authentication Required

Windows 11

Windows 11 Logo

I'm going to describe them all, but the steps are pretty much the same as those we followed for the server.

  • Open the Windows Defender Firewall with Advanced Security console:
Windows run window with wf.msc written inside
  • Do a right click on Connection Security Rules and select New Rule…:
Windows Defender Firewall with Advanced Security console with the connection security rules drop-down menu
  • Select Custom and click Next:
New Connection Security Rule Wizard window with custom option selected
  • In the Which computers are in Enpoint 1 section, select These IP addresses and click on Add…:
New Connection Security Rule Wizard window, Endpoints step
  • Here we add our client's IP address:
IP Address window, with network 192.168.1.30 filled in
  • Do the same with Enpoint 2 entering the server's IP address then click Next:
New Connection Security Rule Wizard window, Endpoints step
  • For maximum security and impose the use of IPsec select Require authentication for inbound and outbound connections:
New Connection Security Rule Wizard window, Requirements step
  • As we'll be using a preshared key as our Authentication Method in this example, click on Customize…:
New Connection Security Rule Wizard window, Authentication Method step
  • Follow this steps to set the Preshared key:
New Connection Security Rule Wizard window, the three steps to set the Preshared key
  • We can specify one or more specific protocols to be encapsulated inside IPsec, here we encapsulate everything:
New Connection Security Rule Wizard window, Protocol and Ports step
  • We can restrict the rule to specific profiles:
New Connection Security Rule Wizard window, Profile step
  • Finally specify the Name of the rule:
New Connection Security Rule Wizard window, Name step
  • Do a ping to the server and check security association is present:
Windows Defender Firewall with Advanced Security console inside the security associations menu

Improve Security

From here, everything should work and connections are already encrypted. Here, we'll look at how to further enhance security by choosing more robust IPsec protocols thant those offered by default. All command listed below must be entered on both client and server.

IKEv2

  • Enable IKEv2 mode:
PS C:\> Set-NetIPsecRule -DisplayName "IPsec" -KeyModule IKEv2 -ForwardPathLifetime 120

Enforce Security by Changing Protocols with Graphical User Interface (GUI)

  • From the Windows Defender Firewall with Advanced Security console, right-click on Windows Defender Firewall with Advanced Security, then select Properties:
Windows Defender Firewall with Advanced Security console
  • In the IPsec Settings tab, click Customize…:
Windows Defender Firewall with Advanced Security, properties window
  • Select Advanced and click Customize…:
Windows Defender Firewall with Advanced Security, Customize IPsec Defaults window

Main Mode

  • First, Remove existing entries, then enable Diffie-Hellman and finally click Add…:
Windows Defender Firewall with Advanced Security, Customize Advanced Key Exchange Settings
  • Change default algorithms:
Windows Defender Firewall with Advanced Security, Add Security Method window

Quick Mode

  • Enable Require encryption, then Remove the predefined algorithms and finally click Add…:
Windows Defender Firewall with Advanced Security, Customize Data Protection Settings window
  • Select ESP, then modify algorithms:
Windows Defender Firewall with Advanced Security, Add Integrity and Encryption Algorithms window

Enforce Quick Mode with PowerShell

  • Change protocols:
PS C:\> $proposal1 = (New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256) PS C:\> $mMCryptoSet=(New-NetIPsecQuickModeCryptoSet -DisplayName "Quick Mode Rule" -Proposal $proposal1) PS C:\> Set-NetIPsecRule -DisplayName IPsec -QuickModeCryptoSet $mMCryptoSet.Name

Some Commands

  • Gets IPsec properties from ipsec rule:
PS C:\> Get-NetIPsecRule -DisplayName IPsec
  • Remove IPsec rule named ipsec:
PS C:\> Remove-NetIPsecRule -DisplayName IPsec
  • Gets the IPsec main mode properties for the IPsecMain rule:
PS C:\> Get-NetIPsecMainModeRule -DisplayName IPsecMain
  • Remove IPsec main profile:
PS C:\> Remove-NetIPsecMainModeRule -Name "{XXX-XXX-XXX}"
  • Gets active Main Mode SA (security association):
PS C:\> Get-NetIPsecMainModeSA
  • Gets active Quick Mode SA (security association):
PS C:\> Get-NetIPsecQuickModeSA
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :

contact mail address