Create key exchange security methods

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To create key exchange security methods

  1. Create a console containing IP Security Policies. Or, open a saved console file containing IP Security Policies.

  2. Double-click the policy that you want to modify.

  3. Click the General tab, click Settings, and then click Methods.

  4. In the Key Exchange Security Methods dialog box, do one of the following:

    • To add a new key exchange security method, click Add.

    • To modify an existing key exchange security method, click the security method that you want to modify, and then click Edit.

    • To remove a key exchange security method, click the security method that you want to remove, and then click Remove.

  5. If you are adding or modifying a key exchange security method, in the IKE Security Algorithms dialog box, select an Integrity algorithm:

    • Click MD5 to use a 128-bit key (faster).

    • Click SHA1 to use a 160-bit key (stronger).

  6. Select an Encryption algorithm:

    • Click 3DES to use the triple Data Encryption Standard (3DES) algorithm and three unique 56-bit keys.

    • Click DES to use the DES algorithm and a single 56-bit key. Use this option if you are required to connect to computers that do not have 3DES or if you do not need the higher security and overhead of 3DES. For more information, see Notes.

  7. Select a Diffie-Hellman group to set the length of base keying material used to generate the actual keys:

    • Click Low (1) to generate 768 bits of master key keying material.

    • Click Medium (2) to generate 1,024 bits of master key keying material (stronger).

    • Click High (2048) to generate 2,048 bits of master key keying material (strongest).

Important

  • For enhanced security, do not use Diffie-Hellman Group 1 (low). For maximum security, use Group 2048 whenever possible. Use Group 2 when required for interoperability with Windows 2000 and Windows XP. When you use a stronger group, the secret key that is derived from the Diffie-Hellman exchange has greater strength. For more information about Diffie-Hellman groups and key exchange methods, see Related Topics.

Notes

  • To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. To manage local or remote IPSec policies for a computer, you must be a member of the Administrators group on the local or remote computer. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. For more information, see Default local groups and Default groups.

  • To create a console containing IP Security Policies, start the IP Security Policies snap-in. To open a saved console file, open MMC. For more information, see Related Topics.

  • Portions of IPSec-related services were jointly developed by Microsoft and Cisco Systems, Inc.

  • A key exchange security method is a combination of three settings (integrity algorithm, encryption algorithm, and Diffie-Hellman group). The initiator and the responder must have a method in common (one that uses the same settings) for negotiations to succeed.

  • Diffie-Hellman Group 2048 is provided only with the Windows Server 2003 family.

  • Computers running Windows 2000 must have the High Encryption Pack or Service Pack 2 (or later) installed in order to use the 3DES algorithm. If a computer running Windows 2000 receives a 3DES setting, but does not have the High Encryption Pack or Service Pack 2 (or later) installed, the 3DES setting in the security method is set to the weaker DES, to provide some level of confidentiality for communication, rather than blocking all communication. However, you should only use DES as a fallback option if not all computers in your environment support the use of 3DES. Computers running Windows XP or a Windows Server 2003 operating system support 3DES and do not require installation of the High Encryption Pack.

  • Click Move up to move a selected security method up one level. Repeat until the security method is at the required preference level.

  • Click Move down to move a selected security method down one level. Repeat until the security method is at the required preference level.
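The matching rules the procedure and these Notes describe (an ordered list of methods, the need for one method in common, and the Windows 2000 downgrade of 3DES to DES), modelled as an added Python example that is not part of this Microsoft documentation. It assumes the initiator's preference order decides which shared method is used, and the SERVER and WIN2000 policies are constructed samples.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# The three settings exactly as the Key Exchange Security Methods dialog offers them.
INTEGRITY = ("MD5", "SHA1")
ENCRYPTION = ("DES", "3DES")
DH_GROUP_BITS = {1: 768, 2: 1024, 2048: 2048}  # Low (1), Medium (2), High (2048)


@dataclass(frozen=True)
class KeyExchangeMethod:
    """One key exchange security method: integrity + encryption + Diffie-Hellman group."""
    integrity: str
    encryption: str
    dh_group: int

    def __post_init__(self) -> None:
        if (self.integrity not in INTEGRITY or self.encryption not in ENCRYPTION
                or self.dh_group not in DH_GROUP_BITS):
            raise ValueError(f"not a setting the dialog offers: {self}")


def effective_methods(policy: List[KeyExchangeMethod], has_3des: bool) -> List[KeyExchangeMethod]:
    """What a host actually offers: a Windows 2000 host without the High Encryption Pack
    or SP2 turns every 3DES setting it receives into DES (see Notes)."""
    if has_3des:
        return list(policy)
    return [replace(m, encryption="DES") if m.encryption == "3DES" else m for m in policy]


def negotiate(initiator: List[KeyExchangeMethod], responder: List[KeyExchangeMethod],
              responder_has_3des: bool = True) -> Optional[KeyExchangeMethod]:
    """First method, in the initiator's preference order (Move up / Move down), that the
    responder also offers; None means the two sides have no method in common."""
    offered = set(effective_methods(responder, responder_has_3des))
    return next((m for m in initiator if m in offered), None)


def audit(policy: List[KeyExchangeMethod]) -> List[str]:
    """Flag settings the Important and Notes sections advise against."""
    findings = []
    for m in policy:
        if m.dh_group == 1:
            findings.append(f"{m}: Group 1 (low) yields only 768 bits of keying material")
        if m.encryption == "DES":
            findings.append(f"{m}: DES uses a single 56-bit key; keep it only as a fallback")
    return findings


# Constructed sample policies (not from the page): a hardened server and a Windows 2000 peer.
SERVER = [KeyExchangeMethod("SHA1", "3DES", 2048), KeyExchangeMethod("SHA1", "3DES", 2)]
WIN2000 = [KeyExchangeMethod("SHA1", "3DES", 2), KeyExchangeMethod("MD5", "DES", 1)]
```

With the Windows 2000 peer lacking the High Encryption Pack, `negotiate(SERVER, WIN2000, responder_has_3des=False)` returns None: the peer's 3DES method silently became DES, so the hardened server no longer shares a method with it.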

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Start the IP Security Policy Management snap-in
Open MMC
Configure key exchange settings
Key exchange methods
Working with MMC console files
Key management and protection