Testing the ISA Server Tunnel Mode Policy

To test the ISA Server tunnel mode policy, perform the following steps.

  1. Open the IP Security Monitor (IPSec Monitor) snap-in. Click Start, click Run, type mmc, and then click OK. If the console does not already contain the snap-in, add IP Security Monitor through the Add/Remove Snap-in dialog box. Expand the node for the local computer to view the Main Mode and Quick Mode nodes.
  2. Under Main Mode, click Security Associations and confirm that a main mode (IKE) security association exists between the ISA Server computer and the Check Point NG tunnel endpoint.
  3. Under Quick Mode, click Security Associations and confirm that quick mode security associations exist for the tunnel. Security associations are negotiated only when traffic matches the tunnel mode policy, so if the lists are empty, send traffic to the remote network (the data transfer tests below do this) and refresh the view before concluding that the tunnel is down.

The testing process sends traffic through the IPSec tunnel over several application layer protocols, covering both TCP (FTP, CIFS) and UDP (TFTP) transports as well as ICMP, to ensure that data is encrypted and decrypted correctly and arrives unchanged. The following data transfer tests can be used to determine whether the IPSec tunnel mode policy is working:

  • FTP Transfer
    The FTP process uses an FTP GET of a single 100 megabyte (MB) file, renames the file, and then uses an FTP PUT to transfer the new file back to the FTP server. After the two transfers are completed, the two files are compared at the FTP server with Windiff.exe from the Windows 2000 Server Resource Kit to ensure that they are identical. Both the command-line FTP.exe utility (which supports only active mode, where the server opens the data connection back to the client) and Internet Explorer (which uses passive mode, where the client opens the data connection) are used as the client application, so that data connections in both directions are exercised through the tunnel. An FTP server running Windows Server 2003 is on the network behind the Check Point NG system.
  • TFTP Transfer
    The TFTP copy process replicates the FTP tests, with the only difference being that a 20 MB file is transferred rather than the 100 MB file used for FTP. TFTP runs over UDP, so this test exercises a connectionless transport through the tunnel. Because Windows Server 2003, Windows XP, and Windows 2000 Server do not include a TFTP server, a third-party TFTP server (SolarWinds TFTP Server, https://www.solarwinds.com) is used for the tests. A Windows XP host is the client, using the command-line utility TFTP.exe.
  • CIFS Transfer
    The CIFS copy process transfers a folder structure with three subfolders, containing a total of 311 files of approximately 50 MB in all, between the two computers. The data is transferred from the source computer to the target computer both with the Resource Kit utility ROBOCOPY.exe and by copying within Windows Explorer. The files are then copied from the target computer back to the source computer into a different folder structure. The two folder structures are then compared with Windiff.exe from the Windows 2000 Resource Kit to ensure that no data was corrupted in transit.
  • PING with specific sizes
    PING packets are sent from the target to the source computer using specific packet sizes to test packet fragmentation and reassembly through the IPSec tunnel. The sizes are the ICMP data lengths given to the ping -l option; each datagram is 28 bytes larger (IP and ICMP headers), so 1472 is the largest size that fits an unfragmented 1500-byte Ethernet frame, and 65500 is the largest value ping accepts. The dense run of sizes between 1460 and 1480 brackets that boundary: because ESP tunnel mode adds an outer IP header, an ESP header, padding and an integrity check value to each packet, packets that fit the MTU in cleartext can still be fragmented on the encrypted path, and a size that gets no reply while its neighbours succeed points at a fragmentation or reassembly problem in the tunnel. Specifically, packet sizes of: 2, 3, 4, 5, 6, 7, 8, 9, 10, 20, 40, 80, 160, 320, 640, 1280, 1460, 1461, 1462, 1463, 1464, 1465, 1466, 1467, 1468, 1469, 1470, 1471, 1472, 1473, 1474, 1475, 1476, 1477, 1478, 1479, 1480, 1500, 3000, 6000, 12000, 24000, 48000, and 65500 bytes.
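The procedure above, as an added example that is not part of the original article: a PowerShell script that performs the same checks (security associations, the ping size sweep, and the CIFS round trip with a content comparison) on a current Windows host. Everything in its parameters is an assumed placeholder: the Check Point NG gateway address 198.51.100.1, the remote host 192.0.2.10, the share \\192.0.2.10\test, and the local folders under C:\IpsecTest. The Get-NetIPsecMainModeSA and Get-NetIPsecQuickModeSA cmdlets (NetSecurity module, Windows 8 and Windows Server 2012 and later) and Get-FileHash stand in for the IP Security Monitor snap-in and Windiff.exe that the article used; the FTP and TFTP transfers are left to the client programs the article names.

```powershell
# Added example (not from the original article). Assumptions: Windows PowerShell 5.1 or later,
# an elevated prompt for the IPsec SA cmdlets, and the placeholder addresses and paths below.
param(
    [string]$TunnelPeer  = '198.51.100.1',          # assumed public address of the Check Point NG gateway
    [string]$RemoteHost  = '192.0.2.10',            # assumed host on the network behind Check Point NG
    [string]$SourceDir   = 'C:\IpsecTest\source',   # hypothetical local copy of the 311-file test tree
    [string]$RemoteShare = '\\192.0.2.10\test',     # hypothetical share on the remote host
    [string]$ReturnDir   = 'C:\IpsecTest\returned'  # hypothetical folder the tree is copied back into
)

# 1. Security associations. Run this on the tunnel endpoint (the ISA Server computer in the
#    article), not on a client behind it. On Windows XP / Server 2003 the equivalent commands are
#    "netsh ipsec dynamic show mmsas" and "netsh ipsec dynamic show qmsas".
function Get-TunnelSAState {
    param([string]$Peer)
    $mm = @(Get-NetIPsecMainModeSA  -ErrorAction Stop | Where-Object { $_.RemoteEndpoint -eq $Peer })
    $qm = @(Get-NetIPsecQuickModeSA -ErrorAction Stop | Where-Object { $_.RemoteEndpoint -eq $Peer })
    [pscustomobject]@{
        Peer         = $Peer
        MainModeSAs  = $mm.Count
        QuickModeSAs = $qm.Count
        # No SAs is not by itself a failure: IKE runs only when traffic matches the policy,
        # so send traffic through the tunnel and query again before calling it down.
        Established  = ($mm.Count -gt 0 -and $qm.Count -gt 0)
    }
}

# 2. Ping sweep. The sizes are the ICMP data lengths from the article (ping -l). Each datagram
#    is 28 bytes larger (IP + ICMP headers), so 1472 is the last size that fits an unfragmented
#    1500-byte Ethernet frame; ESP tunnel mode adds its own headers on the outer path, so sizes
#    just under 1472 can still be fragmented inside the tunnel.
$PingSizes = @(2,3,4,5,6,7,8,9,10,20,40,80,160,320,640,1280) + (1460..1480) +
             @(1500,3000,6000,12000,24000,48000,65500)

function Invoke-PingSizeSweep {
    param([string]$Target, [int[]]$Sizes = $PingSizes)
    foreach ($size in $Sizes) {
        # -BufferSize is the ICMP data length; -Quiet gives $true if any of the echoes is answered.
        $ok = Test-Connection -ComputerName $Target -Count 2 -BufferSize $size -Quiet
        [pscustomobject]@{
            DataBytes     = $size
            DatagramBytes = $size + 28
            FragmentedOnLan = (($size + 28) -gt 1500)   # before any ESP overhead is added
            Reply         = $ok
        }
    }
}

# 3. CIFS round trip with robocopy (exit codes below 8 mean success), then a SHA-256
#    comparison of every file in place of Windiff.exe.
function Invoke-CifsRoundTrip {
    param([string]$Source, [string]$Share, [string]$Returned)
    robocopy $Source $Share /E /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy to $Share failed (exit $LASTEXITCODE)" }
    robocopy $Share $Returned /E /NFL /NDL /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy from $Share failed (exit $LASTEXITCODE)" }
}

function Compare-FileTrees {
    param([string]$Original, [string]$Returned)
    $root  = (Resolve-Path -LiteralPath $Original).ProviderPath.TrimEnd('\')
    $files = @(Get-ChildItem -LiteralPath $root -Recurse -File)
    $mismatches = foreach ($f in $files) {
        $rel  = $f.FullName.Substring($root.Length + 1)       # path relative to the source root
        $back = Join-Path $Returned $rel
        if (-not (Test-Path -LiteralPath $back)) { "missing: $rel"; continue }
        $h1 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        $h2 = (Get-FileHash -LiteralPath $back       -Algorithm SHA256).Hash
        if ($h1 -ne $h2) { "differs: $rel" }
    }
    [pscustomobject]@{
        Files      = $files.Count
        Mismatches = @($mismatches)
        Identical  = (@($mismatches).Count -eq 0)
    }
}

Get-TunnelSAState -Peer $TunnelPeer | Format-List
Invoke-PingSizeSweep -Target $RemoteHost | Format-Table -AutoSize
Invoke-CifsRoundTrip -Source $SourceDir -Share $RemoteShare -Returned $ReturnDir
Compare-FileTrees -Original $SourceDir -Returned $ReturnDir | Format-List
```

Run the SA check on the tunnel endpoint and the transfer tests from a host behind ISA Server. In the ping table, a size with no reply while its neighbours succeed points at a fragmentation or reassembly problem on the encrypted path, which is what the 1460 to 1480 range is there to find; the hash comparison reports any file that is missing or altered after the round trip, so an empty Mismatches list is the same result a clean Windiff.exe comparison gives.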