
I found this approach to securing RDP connections in a post at the University of Rostock.

On the Server (W10):

netsh ipsec static set store location=local
netsh ipsec static add policy name="IPFilter" description="IP Filter Policy"
netsh ipsec static add filteraction name=Permit description="Permit Traffic" action=permit
netsh ipsec static add filteraction name="Encrypt" description="Forces communications using encryption" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no qmpfs=no
netsh ipsec static add filter filterlist="RDP-In" srcaddr=me dstaddr=any description="RDP Traffic (TCP-In)" protocol=tcp srcport=3389 dstport=0
netsh ipsec static add rule name="Encrypt RDP-In" policy="IPFilter" filterlist="RDP-In" filteraction=Encrypt Kerberos=No PSK=%PSK%
netsh ipsec static set policy name="IPFilter" assign=yes

On the Client (W10):

netsh ipsec static set store location=local
netsh ipsec static add policy name="IPFilter" description="IP Filter Policy"
netsh ipsec static add filteraction name=Permit description="Permit Traffic" action=permit
netsh ipsec static add filteraction name="Encrypt" description="Forces communications using encryption" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no qmpfs=no
netsh ipsec static add filter filterlist="RDP-Out" srcaddr=me dstaddr=any description="RDP Traffic (TCP-Out)" protocol=tcp srcport=0 dstport=3389
netsh ipsec static add rule name="Encrypt RDP-Out" policy="IPFilter" filterlist="RDP-Out" filteraction=Encrypt Kerberos=No PSK=%PSK%
netsh ipsec static set policy name="IPFilter" assign=yes 

It works fine and it uses IPv6 according to Wireshark.

Here is the problem: using an Azure VM (W10) as the server, it ceases to work. Since I believe this is due to IPv6 not being available on Azure (by default; I am uncertain how to enable it), I turned off IPv6 in my test environment (2 VirtualBox VMs, W10) and bingo: no connection can be established any longer.

Does anyone have an idea how to get this working using IPv4, please?

Thanks a lot. Urs

  • I'm not sure I understand your conclusion. Why do you think the RDP client is using IPv6? If the server does not have IPv6 available, then it simply wouldn't have an IPv6 address published to DNS -- and the RDP client can't be trying to connect over IPv6 if there's no IPv6 address for the host. Does the server's DNS name have an IPv6 address incorrectly published? Commented Aug 11, 2021 at 17:18
  • Modern RDP is already encrypted using TLS, by the way.
    – Daniel B
    Commented Aug 12, 2021 at 6:09
  • Tested on 2 local VMs having IPv6 turned on and checked with Wireshark. It DID use v6. Then turned off IPv6 on either side - stopped connecting. Hence my conclusion. Anyway, I think I'll go for OpenVPN then.
    – ufotech
    Commented Aug 13, 2021 at 14:00
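For the policy in the question, here is an added example (not part of the original post or comments) that builds the same server-side "encrypt RDP" rule with the NetSecurity PowerShell cmdlets instead of netsh ipsec static, swapping the deprecated ESP[3DES,SHA1] pair for AES-GCM and pinning the rule to an IPv4 client range so IPv6 is not involved. $ClientRange and $Psk are placeholders, and the client still needs a mirrored rule (-RemotePort 3389 with the same auth and crypto sets).

```powershell
# Added example, not from the original post: server-side IPsec transport-mode policy for RDP
# using the NetSecurity module (Windows 10 / Server 2012 R2 and later). Run elevated on the RDP server.
$ClientRange = "192.0.2.0/24"                        # constructed placeholder: IPv4 range the RDP clients use
$Psk         = "replace-with-a-long-random-secret"   # placeholder; one PSK is shared by every client

# Phase 1 (Main Mode): machine authentication by pre-shared key, AES-256 / SHA-256 / 2048-bit MODP (DH14)
$p1Proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$p1AuthSet  = New-NetIPsecPhase1AuthSet -DisplayName "RDP PSK Auth" -Proposal $p1Proposal
$mmProposal = New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14
$mmSet      = New-NetIPsecMainModeCryptoSet -DisplayName "RDP MM Crypto" -Proposal $mmProposal
New-NetIPsecMainModeRule -DisplayName "RDP Main Mode" `
    -MainModeCryptoSet $mmSet.Name -Phase1AuthSet $p1AuthSet.Name

# Phase 2 (Quick Mode): ESP with AES-GCM-256, replacing the 3DES/SHA1 pair used in the netsh version
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AESGCM256 -ESPHash AESGMAC256
$qmSet      = New-NetIPsecQuickModeCryptoSet -DisplayName "RDP QM Crypto" -Proposal $qmProposal

# Transport-mode rule for TCP/3389 from the client range. "Require" in both directions mirrors
# inpass=no / soft=no in the netsh policy: no fallback to clear text if negotiation fails.
New-NetIPsecRule -DisplayName "Encrypt RDP-In" -Protocol TCP -LocalPort 3389 -RemoteAddress $ClientRange `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1AuthSet.Name -QuickModeCryptoSet $qmSet.Name

# Verification after a client connects: a Main Mode and a Quick Mode SA should exist for the peer's
# IPv4 address, and (as in the post) a packet capture should show ESP instead of plain TCP/3389.
Get-NetIPsecMainModeSA  | Format-List
Get-NetIPsecQuickModeSA | Format-List
```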

1 Answer


Your problem is not IPv6. The Azure Firewall does not permit IPSec traffic to flow to a VM. IPSec requires ESP, which the Azure Firewall does not support.

Look into using Azure VPN Gateway, OpenVPN, WireGuard, or other VPN type products.
