Secure RDP/IPSec using connection security rules in Windows Defender

Don Wesolowicz 0 Reputation points
2025-01-10T15:17:31.36+00:00

I am trying to configure RDP to use IPsec. I have configured two connection security rules for TCP and UDP, requiring authentication for inbound and requesting it for outbound connections. The authentication method is Computer (Kerberos V5). From there I am using a GPO to push this policy to the endpoints. I confirmed the policy is being applied to PCa and PCb via RSOP. There is a second firewall policy that only allows connections from specific PCs, and that policy is working just fine.

When using Wireshark on PCa and attempting an RDP connection, I see ISAKMP packets being sent to PCb, but there is no response to those ISAKMP packets from PCb. The connection then fails over to TLSv1.3, which I believe is the default for RDP.

My question is, where can I find the log files that show the ISAKMP negotiation? I am not seeing anything in Event Viewer relating to ISAKMP or IPsec failed connections.

Thank you in advance

Don


3 answers

  1. Zunhui Han 2,790 Reputation points Microsoft Vendor
    2025-01-13T07:56:40.0666667+00:00

    Hello,

    Check the Security and Application logs in Event Viewer for any IPsec or ISAKMP-related events.

    However, ISAKMP negotiation logs might not always be visible in Event Viewer by default.

    Besides, please check the following configurations:

    Ensure that both ends (PCa and PCb) have matching ISAKMP policies, including authentication methods, encryption algorithms, hash functions, and Diffie-Hellman groups.

    Confirm that the firewall policy allowing specific connections is correctly configured and is not blocking ISAKMP packets.

    Ensure that the system clocks on both ends are synchronized. Time synchronization is important for Kerberos authentication and other security protocols.

    ISAKMP Version Compatibility. Ensure that both ends support the same version of ISAKMP.

    Best regards

    Zunhui

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Don Wesolowicz 0 Reputation points
    2025-01-13T14:34:27.2766667+00:00

    Thanks for the info Zunhui. I will look into this right now.


  3. Don Wesolowicz 0 Reputation points
    2025-01-14T15:26:08.67+00:00

    Zunhui,

    I was unable to get secure RDP to work on the original two endpoints I was using. As a last resort, I reloaded the Win11 OS on each endpoint and started over again. The good news is that I am seeing the ISAKMP packets, as well as ESP packets.

    When looking at the Windows Defender Firewall, there is a monitoring section for the security associations. Under main mode it shows the encryption as AES-CBC 256, integrity as SHA-256 and key exchange as none? Is that expected behavior?

    In the same area but under quick mode, it shows AH integrity as none, ESP integrity as ESP and ESP encryption as none. Is that expected behavior as well? My goal is to make the use of RDP as secure as possible, and I am hoping to follow best practices.

    Clearly, I have more reading to do in this area and appreciate your help on this.

    Thanks

    Don

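A PowerShell run-through, added here and not part of any post in this thread, covering what the question and the replies above discuss: enabling the IPsec audit subcategories so the ISAKMP/IKE outcome is written to the Security log, reading the same main mode and quick mode SA details the firewall console's Monitoring node displays, and attaching a quick mode crypto set that requires ESP encryption rather than the integrity-only default. Assumptions: the GPO name and the `RDP*` rule display names are placeholders; run elevated on PCa and PCb.

```powershell
# Added example; not code from the original posts. Run in an elevated PowerShell on each endpoint.

# 1. Enable auditing of IPsec negotiation. Without these subcategories the Security log
#    stays silent about ISAKMP main mode / quick mode, which matches what the question reports.
auditpol /set /subcategory:"IPsec Main Mode"  /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver"     /success:enable /failure:enable

# 2. Retry the RDP connection, then pull the IPsec audit events from the last 15 minutes.
#    4650/4651 main mode SA established, 4652/4653 main mode negotiation failed,
#    4654 quick mode negotiation failed, 4655 main mode SA ended, 4976/4977 invalid
#    negotiation packet received (main/quick mode), 5451/5452 quick mode SA established/ended.
$ipsecIds = 4650, 4651, 4652, 4653, 4654, 4655, 4976, 4977, 5451, 5452
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $ipsecIds
        StartTime = (Get-Date).AddMinutes(-15)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 3. Inspect the live security associations. This is the same data the firewall console shows
#    under Monitoring > Security Associations (main mode: cipher, hash, DH group;
#    quick mode: whether ESP carries integrity only or integrity plus encryption).
Get-NetIPsecMainModeSA  | Format-List LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm, GroupId
Get-NetIPsecQuickModeSA | Format-List *

# 4. The firewall's default quick mode proposal is integrity-only ESP (ESP integrity set, ESP
#    encryption "none"), which is what the third post observed. To require encryption as well,
#    attach a crypto set proposing ESP with AES-256 and SHA-256 to the RDP connection security
#    rules. Because the rules come from a GPO, edit them in that GPO store, not the local store;
#    otherwise the domain policy overwrites the change at the next refresh.
$gpo = 'contoso.example\RDP IPsec'          # PLACEHOLDER: "domain\GPO name" that delivers the rules
$proposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$cryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'RDP-ESP-AES256-SHA256' `
                                            -Proposal $proposal -PolicyStore $gpo
Get-NetIPsecRule -PolicyStore $gpo |
    Where-Object DisplayName -like 'RDP*' |    # PLACEHOLDER: the two TCP/UDP rule display names
    ForEach-Object { Set-NetIPsecRule -Name $_.Name -PolicyStore $gpo -QuickModeCryptoSet $cryptoSet.Name }

# After gpupdate /force on both endpoints, repeat steps 2 and 3: a healthy negotiation shows
# 4650 then 5451, and Get-NetIPsecQuickModeSA now reports an ESP encryption algorithm.
```

Both endpoints must agree on the quick mode proposal, so apply the crypto set through the same GPO that PCa and PCb already receive.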
