While preparing for the 70-291 I noticed something: by default, the Microsoft RAS Server 2003 offers no nesting of the PPTP protocols (TCP port 1723 and GRE, TCP protocol 47) inside an IPSec shell. Only nesting of the L2TP protocols is offered. But with a bit of effort it works. An IPSec policy with two filters, one for UDP 1723 and one for GRE, created via GPO or locally on the server. Activate the "Client (Respond Only)" policy on the VPN client, and that's all. Example of the GRE encapsulation:
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = 000103C72C30
ETHERNET: 0....... = Individual address
ETHERNET: .0...... = Universally administered address
ETHERNET: Source address = 0004761F12CC
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = AH - Authentication Header for IP Security Protocol; Packet ID = 29833; Total IP Length = 104; Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 000..... = Precedence - Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 104 (0x68)
IP: Identification = 29833 (0x7489)
IP: Fragmentation Summary = 0 (0x0)
IP: .0.............. = May fragment datagram if necessary
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 128 (0x80)
IP: Protocol = AH - Authentication Header for IP Security Protocol
IP: Checksum = 31827 (0x7C53)
IP: Source Address = 192.168.100.50
IP: Destination Address = 192.168.100.3
AH: Protocol = ESP, SPI = 0x870B1B86, Seq = 0xE
AH: Next Header = ESP - Encap Security Payload for IP Security Protocol
AH: Payload Length = 6 (0x6)
AH: Reserved = 0 (0x0)
AH: Security Parameters Index = 2265652102 (0x870B1B86)
AH: Sequence Number = 14 (0xE)
AH: Authentication Data: Number of data bytes remaining = 12 (0x000C)
ESP: SPI = 0xB433EEF9, Seq = 0xE
ESP: Security Parameters Index = 3023302393 (0xB433EEF9)
ESP: Sequence Number = 14 (0xE)
ESP: Padding: Number of data bytes remaining = 4 (0x0004)
ESP: Pad Length = 4 (0x4)
ESP: Next Header = GRE - General Routing Encapsulation
ESP: Authentication Data: Number of data bytes remaining = 12 (0x000C)
GRE: ..KS....A....... Length: 18, Call ID: 17082
GRE: Flags Summary = 12417 (0x3081)
GRE: 0............... = Checksum Absent
GRE: .0.............. = Routing Absent
GRE: ..1............. = Key Present
GRE: ...1............ = Sequence Number Present
GRE: ....0........... = Strict Source Route Absent
GRE: ........1....... = Acknowledge Sequence Number Present
GRE: Recursion Control = 0 (0x0)
GRE: Ver = 1 (0x1)
GRE: Protocol Type = 0x880B
GRE: Key Length = 18 (0x12)
GRE: Key Call ID = 17082 (0x42BA)
GRE: Sequence Number = 12 (0xC)
GRE: Ack Number = 12 (0xC)
PPP: Internet Protocol Control Protocol Frame (0x8021)
PPP: Protocol = Internet Protocol Control Protocol
IPCP: Configuration Acknowledgement, Ident = 0x06
IPCP: Code = Configuration Acknowledgement
IPCP: Identifier = 6 (0x6)
IPCP: Length = 16 (0x10)
IPCP: Option: Address = 199.101.99.12
IPCP: Option Type = Address
IPCP: Option Length = 6 (0x6)
IPCP: Source Address = 199.101.99.12
IPCP: Option: Primary DNS Server Address = 192.168.100.1
IPCP: Option Type = Primary DNS Server Address
IPCP: Option Length = 6 (0x6)
IPCP: Primary DNS Server Address = 192.168.100.1
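As an added example (my own code, not part of the original post), a small Python parser that walks the same layering the trace above shows, IP > AH > ESP > GRE > PPP, and flags PPTP that arrives without the IPsec wrapper, which is the check you want when verifying that the policy really took effect. It assumes ESP with NULL encryption so the ESP trailer is readable, a 12-byte ICV as in the trace, and builds its own constructed sample packets (SPIs, sequence numbers and IPCP options copied from the trace, ICVs as zero placeholders).

```python
import struct

AH, ESP, GRE, TCP = 51, 50, 47, 6   # IP protocol numbers
ICV_LEN, PPTP_PORT = 12, 1723       # 12-byte truncated HMAC ICV as in the trace; PPTP control port

def walk(buf, esp_null=True):
    """Encapsulation layers of one IPv4 packet, outermost first (inside ESP only with NULL encryption)."""
    proto, payload = buf[9], buf[(buf[0] & 0x0F) * 4:]
    chain = [f"IP {'.'.join(map(str, buf[12:16]))}->{'.'.join(map(str, buf[16:20]))}"]
    while proto in (AH, ESP):
        spi, seq = struct.unpack("!II", payload[4:12] if proto == AH else payload[:8])
        if proto == AH:   # RFC 4302: next header in byte 0, header length = (payload_len + 2) * 4
            chain.append(f"AH spi=0x{spi:08X} seq={seq}")
            proto, payload = payload[0], payload[(payload[1] + 2) * 4:]
        else:             # RFC 4303: trailer (pad length, next header) sits just before the ICV
            chain.append(f"ESP spi=0x{spi:08X} seq={seq}")
            if not esp_null:
                return chain
            padlen, proto = payload[-ICV_LEN - 2], payload[-ICV_LEN - 1]
            payload = payload[8:-ICV_LEN - 2 - padlen]
    if proto == GRE:
        chain.append(f"GRE proto=0x{struct.unpack('!H', payload[2:4])[0]:04X}")
    elif proto == TCP:
        chain.append("TCP {}->{}".format(*struct.unpack("!HH", payload[:4])))
    else:
        chain.append(f"proto {proto}")
    return chain

def pptp_unprotected(chain):
    """True when PPTP (GRE or TCP/1723) arrives with no AH/ESP layer around it."""
    last = chain[-1]
    is_pptp = last.startswith("GRE") or (last.startswith("TCP") and str(PPTP_PORT) in last[4:].split("->"))
    return is_pptp and not any(layer.startswith(("AH", "ESP")) for layer in chain)

def ipv4(proto, payload, src=b"\xc0\xa8\x64\x32", dst=b"\xc0\xa8\x64\x03"):
    # constructed IPv4 header, checksum left 0; 192.168.100.50 -> 192.168.100.3 like the trace
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 29833, 0, 128, proto, 0, src, dst) + payload

# Constructed samples (not captured data): PPP/IPCP Configure-Ack inside GRE, as decoded in the trace
IPCP = b"\x80\x21" + bytes([2, 6, 0, 16, 3, 6, 199, 101, 99, 12, 129, 6, 192, 168, 100, 1])
GRE_PPTP = struct.pack("!HHHHII", 0x3081, 0x880B, 18, 17082, 12, 12) + IPCP
ESP_PKT = struct.pack("!II", 0xB433EEF9, 14) + GRE_PPTP + b"\x01\x02\x03\x04" + bytes([4, GRE]) + b"\x00" * ICV_LEN
AH_PKT = struct.pack("!BBHII", ESP, 4, 0, 0x870B1B86, 14) + b"\x00" * ICV_LEN + ESP_PKT
PROTECTED = ipv4(AH, AH_PKT)     # 104 bytes, matching "Total IP Length = 104" in the trace
CLEAR_GRE = ipv4(GRE, GRE_PPTP)  # the same tunnel frame with no IPsec policy applied
CLEAR_CTRL = ipv4(TCP, struct.pack("!HH", 49152, PPTP_PORT) + b"\x00" * 16)  # control channel in the clear

if __name__ == "__main__":
    for chain in map(walk, (PROTECTED, CLEAR_GRE, CLEAR_CTRL)):
        print(" > ".join(chain), "| UNPROTECTED PPTP" if pptp_unprotected(chain) else "| ok")
```

With real ESP encryption the walk stops at the ESP layer (esp_null=False), which is still enough to tell IPsec-wrapped PPTP from PPTP in the clear.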