
IPsec: Frequently Asked Questions

Updated: September 6, 2005

This FAQ answers commonly asked questions about Internet Protocol security (IPsec) support in the Microsoft Windows family of operating systems.




Background Information

Q. What is IPsec?
A.

Internet Protocol security (IPsec) is a framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks, through the use of cryptographic security services. The Internet Engineering Task Force (IETF) IPsec working group defines the IPsec standards.

IPsec is the long-term direction for secure networking. It provides aggressive protection against private network and Internet attacks through end-to-end security. The only computers that must know about IPsec protection are the sender and receiver in the communication. IPsec provides the ability to protect communication between workgroups, local area network computers, domain clients and servers, branch offices (which might be physically remote), extranets, and roving clients.

The Windows Vista, Windows Server 2008, Windows XP, Windows Server 2003, and Windows 2000 implementations of IPsec are IETF standards-based.


Q. Where is the Microsoft IPsec documentation?
A.

IPsec documentation is included with Windows XP (click Start, then click Help and Support) and Windows Server 2003 (click Start, then click Help and Support). There are also IPsec sections of the Windows Server 2003 Deployment Guide and the Windows Server 2003 Technical Reference.

For a list of all the resources for IPsec in Windows, see the IPsec Web site.

Q. What are the improvements to IPsec in Windows Server 2003 Service Pack 2 and Windows XP Service Pack 3?
A. Windows Server 2003 Service Pack 2 and Windows XP Service Pack 3 include the Simple Policy Update, which allows you to simplify IPsec policy configuration. For more information, see Simplifying IPsec Policy with the Simple Policy Update.

Q. What are the improvements to IPsec in Windows Vista and Windows Server 2008?
A.

Windows Vista and Windows Server 2008 include the following improvements to IPsec:

  • Integrated firewall and IPsec configuration
  • Simplified IPsec policy configuration
  • Client-to-DC IPsec protection
  • Improved load balancing and clustering server support
  • Improved IPsec authentication
  • New cryptographic support
  • Integration with Network Access Protection
  • Additional configuration options for protected communication
  • Integrated IPv4 and IPv6 support
  • Extended events and performance monitor counters
  • Network Diagnostics Framework support

For more information, see the “IPsec Improvements” section of New Networking Features in Windows Server 2008 and Windows Vista.

Q. What are the differences between IPsec and firewalls?
A.

Firewalls are designed to monitor incoming and outgoing traffic to determine whether the traffic is allowed. The Windows implementation of IPsec can also perform this function. However, IPsec can also ensure that the incoming and outgoing traffic is secure (protected with cryptography). For example, with the correct IPsec policy settings, you can require that all communications between domain controllers be secured.

Another key difference between IPsec for Windows and firewalls is the following:

  • The default behavior of firewalls is to discard incoming or outgoing traffic unless there is an exception to allow it.
  • The default behavior of IPsec for Windows is to allow incoming or outgoing traffic, unless there is an exception to discard or secure it.


Q. Is IPsec just used for virtual private networks (VPNs)?
A. Although IPsec can be used to create secure VPN connections across the Internet for remote access and branch office connectivity, IPsec is not a technology that was designed specifically for VPN connections. IPsec is a general technology for securing IP traffic, regardless of the type of network (the Internet or a private network) on which the traffic is sent. IPsec has been defined to work in two different modes: transport mode and tunnel mode. Tunnel mode is most often used for site-to-site VPN connections. Transport mode is most often used for securing IP traffic on private networks.

Q. Why would I use IPsec instead of Secure Sockets Layer (SSL)?
A.

Because IPsec works at the IP layer of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol stack, you do not have to modify existing applications to use IPsec. All TCP/IP applications can use IPsec, whereas only SSL-enabled TCP/IP applications can use SSL. IPsec is an excellent solution to securing the traffic of legacy applications.

Other points of contrast between IPsec and SSL are the following:

  • SSL was designed for client application-to-server application authentication and encryption. IPsec can be used end-to-end or for gateway-to-gateway scenarios.
  • SSL only supports the use of digital certificates for authentication. The Windows implementation of IPsec supports the use of Kerberos, preshared key, and digital certificates for authentication.


Q. What are the differences between using IPsec and the Windows Firewall for blocking or permitting traffic?
A.

With IPsec for Windows policy settings, you can block or permit incoming and outgoing traffic based on:

  • The source and destination addresses based on IPv4 address ranges expressed as subnets
  • The IP protocol number
  • The source and destination Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports.

In contrast, with Windows Firewall you can only specify exceptions (incoming traffic that is permitted) based on source IPv4 address ranges expressed as subnets and destination TCP and UDP ports.

However, with Windows Firewall, you can do the following:

  • Specify exceptions based on program names
  • Permit or block Internet Protocol version 6 (IPv6) traffic and specify both port and program-based exceptions




IPsec and Remote Access

Q. Is the Microsoft implementation of remote access VPN connections standards-compliant?
A. Yes. The Microsoft implementation of Layer Two Tunneling Protocol over IPsec (L2TP/IPsec) for use in remote access VPNs is standards-compliant with IETF Requests for Comments (RFCs) 2661 and 3193. IPsec by itself is not suitable for remote access VPNs. For more information, see Virtual Private Networking: Frequently Asked Questions.



IPsec Policy

Q. What is an IPsec policy?
A.

An IPsec Policy is a group of settings that specify IPsec behavior with regard to the types of traffic that are permitted, blocked, or secured. An IPsec policy consists of:

  • General IPsec policy settings—Settings that apply regardless of which rules are configured. These settings determine the name of the policy, its description for administrative purposes, how often to check for policy changes, key exchange settings, and key exchange methods.
  • IPsec policy rules—One or more IPsec rules that determine which types of traffic IPsec must examine, how traffic is treated, how to authenticate an IPsec peer, and other settings such as the type of network connection to which the rule applies and whether or not to use IPsec tunneling.


After IPsec policies are created, an individual IPsec policy can be assigned (activated) at the domain, site, organizational unit, and local level.

Q. What is an IPsec policy rule?
A.

Each IPsec rule contains the following configuration items:

  • Filter list—A single filter list is selected that contains one or more predefined packet filters that describe the types of traffic to which the configured filter action for this rule is applied. The filter list is configured on the IP Filter List tab in the properties of an IPsec rule within an IPsec policy.
  • Filter action—A single filter action is selected that includes the type of action required (Permit, Block, or Negotiate Security) for packets that match the filter list. For the Negotiate Security filter action, the negotiation data contains one or more security methods that are used (in order of preference) during IKE negotiations and other IPsec settings. Each security method determines the security protocol (such as Authentication Header [AH] or Encapsulating Security Payload [ESP]), the specific cryptographic and hashing algorithms, and session key regeneration settings used. The filter action is configured on the Filter Action tab in the properties of an IPsec rule within an IPsec policy.
  • Authentication methods—One or more authentication methods are configured (in order of preference) and used for authentication of IPsec peers during main mode negotiations. The available authentication methods are the Kerberos V5 protocol, use of a certificate issued from a specified certification authority, or a preshared key. The authentication methods are configured on the Authentication Methods tab in the properties of an IPsec rule within an IPsec policy.
  • Tunnel endpoint—Specifies whether the traffic is tunneled and, if it is, the IP address of the tunnel endpoint. For outbound traffic, the tunnel endpoint is the IP address of the IPsec tunnel peer. For inbound traffic, the tunnel endpoint is a local IP address. The tunnel endpoint is configured on the Tunnel Setting tab in the properties of an IPsec rule within an IPsec policy.
  • Connection type—Specifies whether the rule applies to local area network (LAN) connections, dial-up connections, or both. The connection type is configured on the Connection Type tab in the properties of an IPsec rule within an IPsec policy.


The rules for a policy are displayed in reverse alphabetical order based on the name of the filter list selected for each rule. There is no method for specifying an order in which to apply the rules in a policy. IPsec for Windows automatically creates an IPsec filter list and orders the list based on the most specific to the least specific filter list. For example, a filter that specified individual IP addresses would be applied before a filter that specified all addresses on a subnet.

Q. What tools can I use to configure IPsec policy?
A.

IPsec policy is configured with the IPsec Policy Management snap-in for the Microsoft Management Console (MMC) on all versions of Windows that support IPsec. This snap-in can be used to configure both local computer and domain-based policy. This snap-in is also available from the Group Policy snap-in in Computer Configuration\Windows Settings\Security Settings.

The command line tool that you can use to configure IPsec policy depends on the version of Windows:

  • For Windows XP, use Ipseccmd.exe (for Windows XP Service Pack 2 use the updated version included in the Windows XP SP2 Support Tools for Advanced Users)
  • For Windows Vista, Windows Server 2008, or Windows Server 2003, use the commands in the netsh ipsec context


Q. When should the predefined policies be used?
A. The predefined policies should only be used for testing and research purposes. You should create your own IPsec policy when deploying IPsec in a production environment.

Q. What is an IP filter?
A.

An IP filter defines a specific set of IP traffic. The configuration parameters of an IP filter are the following:

  • Source address (individual address or address range)
  • Source address mask
  • Source TCP port
  • Source UDP port
  • Destination address (individual address or address range)
  • Destination address mask
  • Destination TCP port
  • Destination UDP port
  • IP protocol



Q. What is an IP filter list?
A. An IP filter list is a set of IP filters grouped together under a common name, typically for the purpose of applying a specific filter action.

Q. What are mirrored IP filters?
A. IPsec requires IP filters to define both directions of the traffic between computers. Because most network communication is two-way, the Mirrored check box was added to the filter. This option automatically creates another IP filter that is identical, but for the traffic flowing in the opposite direction (the source and destination settings are switched).

Q. What is a filter action?
A. A filter action defines how IPsec will handle traffic. You can specify permit, block, or secure (known as Negotiate Security) filter actions. When you select the secure filter action, you must also specify security methods, authentication methods, connection type, and whether to use IPsec tunneling.

Q. What does the Allow unsecured communication with non-IPsec-aware computer check box on the Security Methods tab do?
A. Specifies whether to allow unsecured communications with computers that cannot negotiate the use of IPsec or process IPsec-secured traffic. You can use this option to secure traffic with computers on your network that are IPsec-capable while allowing unsecured communications with computers on your network that are not IPsec-capable. However, when you enable this option, unsecured traffic is allowed when IPsec negotiations with an IPsec-capable computer fail.

Q. What does the Accept unsecured communication, but always respond using IPsec checkbox on the Security Methods tab do?
A. Specifies whether to accept initial unsecured traffic sent by another computer, but require secure communication when replying. This option is typically enabled on a policy that is assigned to server computers when the client computers have a policy assigned in which the default response rule is enabled. This simplifies IPsec deployment because the policy assigned to the client computers does not have to be configured with additional rules that initiate secured communication to all secured servers.

Q. What does the Session Key perfect forward secrecy checkbox on the Security Methods tab do?
A. Specifies whether you want to renegotiate new master key keying material each time a new session key is required. When session key perfect forward secrecy (PFS) is disabled, new session keys are derived from current master key keying material, subject to the number of times the master key keying material can be used to derive the session key. Although enabling session key perfect forward secrecy (PFS) provides greater security, performance and throughput might be impacted.

Q. What is the Default Response rule used for?
A.

The default response rule, which can be used for all policies, has the IP filter list of <Dynamic> and the filter action of Default Response when the list of rules is viewed with the IP Security Policies snap-in. The default response rule cannot be deleted, but it can be deactivated. It is activated by default for all policies.

The default response rule is used to ensure that the computer responds to requests for secure communication. If an active policy does not have a rule defined for a computer that is requesting secure communication, then the default response rule is applied and security is negotiated. For example, when Computer A communicates securely with Computer B, and Computer B does not have an inbound filter defined for Computer A, the default response rule is used.

When enabled on a client computer, the default response rule allows the client to start communicating in the clear to a server with the Accept unsecured communication, but always respond using IPsec option enabled. The server will respond with a negotiation request that, if successful, protects the rest of the traffic. Security methods and authentication methods can be configured for the default response rule. The filter list of <Dynamic> indicates that the filter list is not configured, but that filters are created automatically based on the receipt of IKE negotiation packets. The filter action of Default Response indicates that the action of the filter (Permit, Block, or Negotiate Security) cannot be configured. Negotiate Security will be used. However, you can configure:

  • The security methods and their preference order on the Security Methods tab.
  • The authentication methods and their preference order on the Authentication Methods tab.



Q. Why is there no netsh ipsec dump command?
A.

The netsh ipsec dump command was never implemented for two main reasons:

  • The general expectation is that netsh ipsec commands will be entered through a batch file; therefore most network administrators will already have a copy of their IPsec configuration.
  • Because of the way that IPsec filters are expanded and stored, a netsh ipsec dump command could not present the IPsec configuration in the exact form that it was originally entered.


Q. How are IPsec policies applied in the Active Directory?
A. For computers that obtain their IPsec policy through Active Directory-based group policy, the IPsec policy applied is the one assigned to the Group Policy object (GPO) that is closest to the computer in the Active Directory domain structure, when following the domain structure up to the root of the domain. For example, if a computer is a member of an organizational unit (OU), then the IPsec policy assigned to that OU's GPO would be the one applied. However, if the OU's GPO does not have an assigned IPsec policy, then the computer will apply the IPsec policy assigned to the GPO in the next OU up the Active Directory tree towards the root.

The IPsec policies in different GPOs are not merged. Only one IPsec policy is applied, the one assigned with the closest GPO towards the root of the Active Directory tree.

Q. What are the default exemptions to policy?
A.

The default exemptions for IPsec are specified by the NoDefaultExempt registry value (located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC), which has the following possible settings:

  • 0—Specifies that multicast, broadcast, Resource Reservation Protocol (RSVP), Kerberos, and IKE (ISAKMP) traffic are exempt from IPsec filtering. This is the default filtering behavior for Windows 2000 and Windows XP.
  • 1—Specifies that Kerberos and RSVP traffic are not exempt from IPsec filtering, but multicast, broadcast, and IKE traffic are exempt. This is the recommended value for Windows 2000 and Windows XP.
  • 2—Specifies that multicast and broadcast traffic are not exempt from IPsec filtering, but RSVP, Kerberos, and IKE traffic are exempt. Supported only in Windows Server 2003.
  • 3—Specifies that only IKE traffic is exempt from IPsec filtering. Supported only in Windows Server 2003.

You can change the NoDefaultExempt registry value in Windows Server 2003 with the netsh ipsec dynamic set config ipsecexempt value={ 0 | 1 | 2 | 3 } command.

For more information, see IPsec default exemptions are removed in Windows Server 2003.


Q. Should I use the IP Security Policies snap-in or command line tools?
A. Whether you configure IPsec policies with the IP Security Policies snap-in or command line tools depends on the complexity of your planned IPsec deployment. If you were creating a simple IPsec policy to secure traffic between two computers, you would probably choose to use the IP Security Policies snap-in to configure it. If you have an existing Active Directory infrastructure, you can choose to store the IPsec policies in the Active Directory and deploy IPsec policy via GPOs. Command line configuration is most useful if the deployment involves individual computers; scripts for creating the IPsec policies can be used to quickly add the policies to the computers.

Q. What is the difference between persistent, dynamic, and static policy settings?
A. IPsec policy can be configured with persistent, dynamic, or static policies. Most commonly, IPsec is configured with a static IPsec policy. Static policies can be stored locally in the registry, or may be stored in Active Directory.

A persistent IPsec policy is a permanent IPsec policy setting that gets applied during the IPsec service startup. Persistent policies are stored in the registry. Persistent policies enhance security by providing a secure transition from computer startup to Active Directory-based or local computer IPsec policy enforcement. Persistent policies can be designed to be the most restrictive IPsec policy, with an Active Directory-based or local computer policy providing additional rules. Persistent policy can also be used to ensure that Active Directory traffic is always secured by IPsec, including the retrieval of Active Directory-based Group Policy settings.

Dynamic policy can be used to create, modify, and assign IPsec rules that take effect immediately and are not stored. If the IPsec service is stopped, dynamic policy settings are lost. However, settings applied when using the netsh ipsec dynamic set config commands are not lost.

Q. What do the policy export and import functions do?
A. The policy export option of the IP Security Policies snap-in allows all local IPsec policies to be exported and saved as a file with an .ipsec extension. An .ipsec file can also be imported using the IP Security Policies snap-in to add IPsec policies to another computer.

Q. Can you export a local IPsec policy and then import it into a Group Policy object?
A. Yes. After you have exported the local IPsec policy settings to a file, you can import it into a Group Policy object or another computer's local IPsec policy.

Q. How can I tell which IPsec policy is being applied to a specific Active Directory system container?
A. You can use Resultant Set of Policy (RSoP), an addition to Group Policy in Windows Server 2003 and Windows XP, to view IPsec policy assignments for a computer or for members of an Active Directory system container. For more information, see Using Resultant Set of Policy to view IPsec policy assignments.

Q. How can I tell which IPsec policy has been applied to my computer?
A. See the "Viewing IPsec policy assignment information" section of IPsec troubleshooting tools for information about determining the IPsec policy that has been applied to computers running Windows Server 2003, Windows XP, or Windows 2000.

Q. How can I tell which IPsec filter lists are active based on the IPsec policy applied to my computer?
A.

You can view the IPsec filter list with the IP Security Monitor snap-in provided with Windows XP and Windows Server 2003. To add the IP Security Monitor snap-in, do the following:

  1. Click Start, click Run, type MMC, and then click OK.
  2. Click File, click Add/Remove Snap-in, and then click Add.
  3. Click IP Security Monitor, and then click Add.
  4. Click Close, and then click OK.


To view the IPsec filter list, you need to open the Main Mode and Quick Mode folders in the console tree. In the Main Mode folder, click Specific Filters to view the filters in the IPsec filter list that require security. In the Quick Mode folder, click Specific Filters to view all of the filters in the IPsec filter list. For more information about the IPsec filter list, see IPsec Filter Ordering.

Q. How can I determine which IPsec policies use which IP filter lists and filter actions?
A. From the properties of the IPsec policy in the IP Security Policies snap-in, click the Rules tab to see the list of IP filter lists and filter actions that are used by the policy.

Q. How can I determine if an IP filter list or filter action is not being used by any IPsec policy?
A. There is no dialog box that lists IP filter lists or filter actions that are not being used by any IPsec policy. You must determine this manually by examining each IPsec policy for the IP filter lists and filter actions that are being used.

Q. Can I use IPsec to protect RPC traffic?
A. Yes. Because the TCP port being used for a Remote Procedure Call (RPC) communication is usually dynamically determined, you must create IP filters that specify the IP addresses of the communicating computers. However, the RPC traffic for an Active Directory client computer to a domain controller should not be secured.

Q. Can I use IPsec to secure multicast or broadcast traffic? What about blocking it?
A. No. IPsec does not secure multicast or broadcast traffic. However, you can configure IPsec to block multicast or broadcast traffic.

Q. How does IPsec for Windows determine filter ordering?
A. IPsec for Windows derives an IPsec filter list from the rules of the assigned IPsec policy. The IPsec filter list, which is derived from but different than the IP filter lists configured in the IPsec policy, is the end result of the policy configuration, specifying the exact set of interesting traffic and how it is to be handled. The IPsec filter list is ordered by a weight value, which is based on how specific the originally defined IP filter is; more specific IP filters will produce IPsec filters with a higher weight value. For more information, see IPsec Filter Ordering.

Q. What happens when filters conflict?
A. Conflicting IPsec filters contain the same value for addressing, ports, and the IP Protocol field value, but have different filter actions. For example, one IPsec filter may permit and the other IPsec filter may block. When there are conflicting IPsec filters, the IPsec filter with the most restrictive filter action is added to the IPsec filter list. The block filter action is more restrictive than the secure filter action, which is more restrictive than the permit filter action.
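The following Python model is an added example, not Microsoft's code and not the weight algorithm Windows actually uses; it shows the behaviour the two answers above describe (most-specific filter first, most restrictive action wins on a conflict) together with the mirrored filters from the earlier answer. The weight scheme (addresses outrank protocol, protocol outranks ports), the sample rule set, and the 10.0.0.0/8 addresses are assumptions constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

# Rank used to resolve conflicting filters: lower is more restrictive
# (block beats negotiate, negotiate beats permit, as the FAQ states).
ACTION_RESTRICTIVENESS = {"block": 0, "negotiate": 1, "permit": 2}


@dataclass(frozen=True)
class IPFilter:
    name: str
    src: str        # "any" or a network such as "10.0.0.0/8" or "10.0.0.53/32"
    dst: str
    protocol: str   # "any", "tcp", "udp", ...
    src_port: int   # 0 means any port
    dst_port: int
    action: str     # "permit", "block" or "negotiate"

    def key(self):
        """Traffic selector: two filters with equal keys describe the same traffic."""
        return (self.src, self.dst, self.protocol, self.src_port, self.dst_port)


def mirror(f):
    """The extra filter the Mirrored check box creates: same traffic, opposite direction."""
    return replace(f, name=f.name + " (mirror)", src=f.dst, dst=f.src,
                   src_port=f.dst_port, dst_port=f.src_port)


def prefix_len(spec):
    return 0 if spec == "any" else ipaddress.ip_network(spec, strict=False).prefixlen


def weight(f):
    """Assumed specificity weight: addresses count most, then protocol, then ports,
    so a /32 filter outranks a /8 filter, which outranks an 'any' address filter."""
    return (prefix_len(f.src) + prefix_len(f.dst),
            f.protocol != "any",
            (f.src_port != 0) + (f.dst_port != 0))


def build_filter_list(filters, mirrored=True):
    """Derive the ordered IPsec filter list from the configured IP filters."""
    candidates = []
    for f in filters:
        candidates.append(f)
        if mirrored:
            candidates.append(mirror(f))
    # Conflict resolution: same selector but different action -> keep the most restrictive.
    chosen = {}
    for f in candidates:
        current = chosen.get(f.key())
        if current is None or (ACTION_RESTRICTIVENESS[f.action]
                               < ACTION_RESTRICTIVENESS[current.action]):
            chosen[f.key()] = f
    # Most specific first; the name only makes ties deterministic.
    return sorted(chosen.values(), key=lambda f: (weight(f), f.name), reverse=True)


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def lookup(filter_list, src, dst, protocol, src_port, dst_port):
    """Return (filter name, action) for the first matching filter in the ordered list.
    No match means the traffic is allowed, the default IPsec behaviour the FAQ describes."""
    for f in filter_list:
        if (_addr_matches(f.src, src) and _addr_matches(f.dst, dst)
                and f.protocol in ("any", protocol)
                and f.src_port in (0, src_port) and f.dst_port in (0, dst_port)):
            return f.name, f.action
    return None, "permit"


# Constructed sample rule set (not from the FAQ); the first filter is the DNS
# exemption the FAQ recommends (UDP 53 shown, TCP 53 would be a second filter).
SAMPLE_FILTERS = [
    IPFilter("Permit DNS", "any", "10.0.0.53/32", "udp", 0, 53, "permit"),
    IPFilter("Secure LAN", "10.0.0.0/8", "10.0.0.0/8", "any", 0, 0, "negotiate"),
    IPFilter("Block telnet", "any", "any", "tcp", 0, 23, "block"),
    # Conflicting pair: identical selector, different actions; the block must win.
    IPFilter("Legacy permit to old host", "any", "10.0.0.7/32", "any", 0, 0, "permit"),
    IPFilter("Block old host", "any", "10.0.0.7/32", "any", 0, 0, "block"),
]

FILTER_LIST = build_filter_list(SAMPLE_FILTERS)

if __name__ == "__main__":
    for f in FILTER_LIST:
        print(f"{weight(f)!s:18} {f.action:10} {f.name}")
    print(lookup(FILTER_LIST, "10.1.2.3", "10.0.0.53", "udp", 40000, 53))
```

Note that a telnet connection inside 10.0.0.0/8 is negotiated rather than blocked, because the subnet filter outweighs the port-only block filter under this scheme; the block applies to telnet leaving the private range.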

Q. What is IPsec certificate to account mapping and how do I configure it?
A.

With the Windows Server 2003 family, if you use either Kerberos V5 or certificate authentication, you can set restrictions on which computers are allowed to connect. This functionality allows you to use IPsec to allow or deny any of the following access to a server running Windows Server 2003:

  • Computers that are members of a specific domain.
  • Computers that have a certificate from a specific issuing certification authority.
  • A specific group of computers.
  • A specific computer.


When you enable certificate to account mapping in IPsec, the IKE protocol associates (maps) a computer certificate to a computer account in an Active Directory domain or forest, and then retrieves an access token, which includes the list of the user rights that are assigned to the computer. You can restrict access by configuring Group Policy security settings and assigning either the Access this computer from the network user right or the Deny access to this computer from the network user right to individual or multiple computers, as needed.

For more information about certificate to account mapping for IPsec, see Authentication methods.

Q. Do you need to exempt Domain Name System (DNS) traffic from being secured with IPsec?
A. Yes. You should create an exemption that permits DNS traffic (TCP port 53 and UDP port 53).

Q. Do you need to exempt NetBIOS over TCP/IP name resolution traffic from being secured with IPsec?
A. Yes. You should create an exemption that permits NetBIOS over TCP/IP name resolution traffic, commonly sent between client computers and Windows Internet Name Service (WINS) server computers (UDP port 137).

Q. Do I need to configure Windows Firewall for exceptions for IPsec traffic?
A. No. IPsec for Windows automatically creates the exceptions for IPsec negotiation traffic (UDP ports 500 and 4500) when the active IPsec policy requires secure traffic.



IPsec Deployment

Q. How do I include third-party hosts in a domain isolation deployment?
A. Third-party hosts are either IPsec-capable or not. If a third-party host is IPsec-capable, you can create a peer-to-peer IPsec connection between the third-party host and a Windows-based server. If a third-party host is not IPsec-capable, place the Windows servers that need to communicate with third-party hosts in the boundary zone. This solution can also be applied to IPsec-capable hosts. For more information, see the Interoperability Considerations for IPsec Server and Domain Isolation white paper.

Q. How do I include Windows Preinstallation Environment (WinPE), Windows CE, Windows Mobile, and Internet Security and Acceleration (ISA) Server in a domain isolation deployment?
A. Computers running WinPE, Windows CE, or Windows Mobile should be treated as non-IPsec-capable hosts. See the answer to the question "How do I include third-party hosts in a domain isolation deployment?" on this page.

Q. How do I include visitor Windows-based computers (such as those used by partners or consultants) that are not members of the domain and configure access to specific servers that are domain members?
A.

You can either add the servers that the visiting computers need to access to the boundary zone, or you can use certificates for IPsec authentication to the specific servers and install computer certificates on the visiting computers. If the visiting computers are running Windows 2000 with Service Pack 3 or earlier, or versions of Windows prior to Windows 2000, you must add the servers that the visiting computers need to access to the boundary zone.

For more information, see the Interoperability Considerations for IPsec Server and Domain Isolation white paper.

Q. Can I use IPsec with clustered servers in a domain isolation environment?
A. Yes. IPsec is integrated with the Microsoft Network Load Balancing (NLB) service. For third-party clustered server solutions, the client security association (SA) times out after two minutes if one of the cluster nodes fails. However, the client will negotiate a new SA to a remaining cluster node.

Q. How do I configure IPsec to secure all traffic between domain controllers and domain members?
A. Configuring IPsec to secure all traffic between domain controllers and domain members is too complex to configure and manage on an ongoing basis and is not supported in Windows.

Q. Can I use third-party IPsec-based VPN clients with Windows?
A. Yes. However, some third-party VPN clients disable Windows IPsec when they install, which can create IPsec implementation coexistence issues. Microsoft is working with VPN vendors to achieve better coexistence compatibility for customers who need to use both implementations simultaneously.



IPsec and Credentials

Q. Why does Microsoft recommend against using preshared key authentication for IPsec?
A. The use of preshared key authentication is not recommended because it is a relatively weak authentication method. Preshared key authentication creates a master key that is less secure than digital certificates or the Kerberos V5 protocol. In addition, preshared keys are stored in plaintext and can be viewed by users with administrator-level privileges. Preshared key authentication is provided for interoperability purposes and to adhere to IPsec standards. It is recommended that you use preshared keys only for testing and that you use digital certificates or Kerberos V5 instead in a production environment.

Q. Why does IPsec use computer authentication and not user authentication?
A. IPsec is designed for computer-to-computer security services and is independent of the actual traffic being secured. User credentials are employed by Application layer components, rather than Network layer components. Additionally, IPsec might need to secure traffic before a user has logged on to the computer.

Q. What certificate attributes are required for IPsec to accept the certificate?
A.

IPsec requires the following attributes for certificates used in IPsec authentication:

  • Must contain an RSA public key that has a corresponding private key that can be used for RSA signatures
  • Cannot be expired
  • Must have been issued from a trusted root certification authority


For additional information, see the "IKE Main Mode and Quick Mode Negotiation" section of How IPsec Works.

Q. When performing authentication, why does IPsec for Windows not check the server name or IP address against the certificate?
A. Names cannot be mapped to certificates in a secure way with the Domain Name System (DNS) and Windows Internet Name Service (WINS), and IP addresses can change in a Dynamic Host Configuration Protocol (DHCP) environment.

Q. How do one-way domain trusts affect IPsec connectivity?
A.Authentications for IPsec security associations are mutual (two-way). Each IPsec peer must present credentials that the other IPsec peer validates. If your IPsec rules are configured for Kerberos authentication and the two IPsec peers are in different domains joined by a one-way trust, the peers cannot perform mutual authentication. The peer in the domain that trusts the other peer's domain can authenticate its partner, but the peer in the trusted domain cannot authenticate in return, so the authentication fails. If you configure your IPsec rules for certificate authentication instead, one-way trusts do not affect IPsec authentication, because certificate validation does not depend on domain trusts.



IPsec Encryption and Integrity

Q. Is Advanced Encryption Standard (AES) encryption supported?
A.AES is supported in Windows Vista and Windows Server 2008 with 128, 192, and 256-bit key sizes. Windows XP, Windows Server 2003, and Windows 2000 do not support AES.

Q. Why would I use Triple Data Encryption Standard (3DES) over DES encryption?
A.Triple Data Encryption Standard (3DES) is recommended because it is more secure than DES: DES uses a 56-bit key and is vulnerable to brute-force key search, whereas 3DES applies DES three times with a 168-bit key. Use DES only when securing traffic to third-party IPsec peers that do not support 3DES. Windows XP, Windows Server 2003, and Windows 2000 (Service Pack 1 and later) support 3DES.

Q. Why would I use Secure Hash Algorithm 1 (SHA1) over Message Digest 5 (MD5) for hashing?
A.SHA1 is recommended because it is more secure than MD5: SHA1 produces a 160-bit digest, whereas MD5 produces a 128-bit digest and has known collision weaknesses. IPsec uses both as keyed hashes (HMAC-SHA1 and HMAC-MD5) for data integrity and data origin authentication. Use MD5 only when securing traffic to third-party IPsec peers that do not support SHA1. Windows XP, Windows Server 2003, and Windows 2000 (Service Pack 1 and later) support SHA1.



IPsec Performance

Q. How many simultaneous IPsec connections can be sustained on a basic server computer?
A.

Results vary because many factors affect the performance of IPsec, such as processor speed and the type of network adapter. In Microsoft testing, the following results were achieved on an Intel Pentium III-based computer running at 993 MHz with 384 MB of RAM:

Time between initiated negotiations (ms)    Security associations (SAs) established (SAs/sec)
250                                         15.79762
200                                         19.27202
150                                         19.38969
100                                         17.99813
50                                          18.7118
0                                           5.49884

The rate levels off at roughly 18 to 19 SAs per second when negotiations are spaced out; initiating negotiations back-to-back with no delay (0 ms) sharply reduces the rate at which SAs complete. The most time- and processor-intensive part of an IPsec-secured connection is the main mode negotiation, from which the master key is derived.

Q. What is IPsec offload? What effect does it have on performance?
A.IPsec offload moves the IPsec cryptographic calculations to dedicated hardware or firmware on the network adapter instead of performing them on the computer's processor. Some IPsec offload adapters can perform DES, 3DES, HMAC-SHA1, HMAC-MD5, and even Diffie-Hellman key determination calculations. Using an IPsec offload adapter can substantially reduce processor load and increase the throughput of IPsec-protected traffic.

Q. Can I use IPsec with network load balancing (NLB)? Can we use IPsec with Microsoft Cluster Server (MSCS)?
A.Yes. IPsec for Windows supports NLB and MSCS cluster scenarios. However, IPsec sessions do not fail over. For more information, see IPsec is not designed for failover.

Q. What are the available IPsec offload network adapters?
A.The Intel Pro 100 S and 3Com 10/100 S network adapters support IPsec offload.



IPsec Monitoring

Q. What performance counters are available?
A.There are no performance counters in current versions of Windows to monitor IPsec-secured traffic.

Q. What monitoring tools can I use for IPsec?
A.For computers running Windows 2000, you can use the IP Security Monitor tool. Click Start, click Run, type ipsecmon.exe, and then click OK.

For computers running Windows XP or Windows Server 2003, you can use the IP Security Monitor snap-in. For more information, see To start the IP Security Policy Management snap-in.

For computers running Windows XP, you can use the ipseccmd \\computer show all command.

For computers running Windows Server 2003, you can use the netsh ipsec static show or netsh ipsec dynamic show commands.

Q. How can I view my current IPsec security associations (SAs)?
A.For computers running Windows 2000, you can use the IP Security Monitor tool. Click Start, click Run, type ipsecmon.exe, and then click OK. SAs are listed in the Security Associations portion of the IP Security Monitor window.

For computers running Windows XP or Windows Server 2003, you can use the IP Security Monitor snap-in. For more information, see To start the IP Security Policy Management snap-in.

For computers running Windows XP, you can use the ipseccmd \\computer show all command.

For computers running Windows Server 2003, you can use the netsh ipsec static show or netsh ipsec dynamic show commands.

Q. How can you verify that IPsec is active and working?
A.You can verify that the IPsec service has started by using the net start command, which lists the running services. For computers running Windows XP or Windows Server 2003, look for "IPSEC Services" in the list; for computers running Windows 2000, look for "IPSEC Policy Agent". To start the IPsec service, type net start ipsec or use the Services snap-in. A running service shows only that the policy agent is active; to confirm that traffic is actually being protected, check for established security associations with the monitoring tools described above.



IPsec Troubleshooting

Q. Where can I find Ipseccmd.exe?
A.Ipseccmd.exe is included with Windows XP with no service packs installed and Windows XP with Service Pack 1. For Windows XP with Service Pack 2, you can obtain a new version of Ipseccmd.exe from Windows XP SP2 Support Tools for Advanced Users.

Q. How do you turn on Oakley logging? Where is the log file stored?
A.

The Oakley log records all IKE (ISAKMP) main mode and quick mode negotiations. To enable Oakley logging, do the following:

  • For computers running Windows 2000, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging registry setting to 1. The Oakley key does not exist by default and must be created.
  • For computers running Windows XP, use the ipseccmd set logike command.
  • For computers running Windows Server 2003, use the netsh ipsec dynamic set config ikelogging 1 command.

The Oakley log is stored in the systemroot\Debug folder. A new Oakley.log file is created each time the IPsec policy agent is started and the previous version of the Oakley.log file is saved as Oakley.log.sav.

Q. When should I get an Oakley log for troubleshooting?
A.Whenever asked by a network administrator or a Microsoft support engineer.

Q. How can I interpret the contents of the Oakley log?
A.Interpreting the contents of the Oakley log requires a detailed understanding of the IPsec protocols. The recommendation is that you forward your Oakley logs to Microsoft support engineers for analysis.

Q. How do I troubleshoot communications that are encrypted by IPsec?
A.Because the IP payloads have been encrypted with IPsec, it is not possible to perform troubleshooting based on the contents of IPsec-protected packet payloads. For example, you cannot use an intermediate router or firewall to capture and interpret IPsec-protected packets. You can perform some troubleshooting based on the presence of encrypted packets, how many are sent, and when they are sent.

Q. Can I use Microsoft Network Monitor to troubleshoot IPsec traffic?
A.Yes. Network Monitor is included with Microsoft Systems Management Server, Windows 2000 Server, and Windows Server 2003 and features protocol parsers for IKE (displayed as ISAKMP), AH, and ESP. Microsoft Network Monitor 3.1 is available as a free download from Microsoft. However, Network Monitor does not parse the encrypted portions of IPsec-protected traffic.

Q. What settings do I need to enable IPsec event logging?
A.

You can use the Windows XP Event Viewer snap-in to view the following IPsec-related events:

  • IPsec Policy Agent events in the audit log.
  • IPsec driver events in the system log. To enable IPsec driver event logging, set the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\DiagnosticMode registry setting to 1. You must restart the computer for this change to take effect. The IPsec driver writes events to the system log only once an hour, so a newly triggered condition may not appear immediately.
  • IKE events (SA details) in the audit log. To view these events, enable success or failure auditing for the Audit logon events audit policy for your domain or local computer.
  • IPsec policy change events in the audit log. To view these events, enable success or failure auditing for the Audit policy change audit policy for your domain or local computer.



Q. How does IPsec work with network address translators (NATs)?
A.IPsec Network Address Translator Traversal (NAT-T), an IETF standard (RFC 3947 and RFC 3948), allows IKE negotiation and UDP encapsulation of ESP-protected payloads across a NAT. ESP packets carry no port numbers for a NAT to translate, so NAT-T wraps them in UDP (port 4500) and carries the IKE negotiation over the same port. AH cannot be used across a NAT, because AH integrity-protects the IP header fields that the NAT rewrites. For more information about how IPsec NAT-T works, see IPsec NAT Traversal Overview.

Windows XP Service Pack 2 and Windows Server 2003 have built-in support for IPsec NAT-T. L2TP/IPsec NAT-T update for Windows XP and Windows 2000, a free download, provides support for computers running Windows XP with no service packs installed, Windows XP with Service Pack 1, and Windows 2000.



IPsec Technical Details

Q. What are the IPsec binaries?
A.The IPsec driver file is Ipsec.sys. The IKE component is Oakley.dll.

Q. How do I remove all local IPsec policy settings?
A.

You can remove static local IPsec policy settings with the following:

  • The IP Security Policies snap-in for Windows 2000, Windows XP, or Windows Server 2003
  • The Ipseccmd.exe tool for Windows XP
  • Commands in the netsh ipsec static context for Windows Server 2003



Q. What is the difference between ESP with authentication only and AH?
A.AH provides data origin authentication and data integrity for the entire IP packet (with the exception of some fields in the IP header that must change in transit). ESP with authentication only (also known as ESP null) provides data origin authentication and data integrity for only the IP payload.

Q. Why would you want both AH and ESP?
A.ESP provides data confidentiality, data origin authentication, and data integrity for the IP payload. ESP does not provide data origin authentication or data integrity for the outer IP header (in tunnel mode the encapsulated inner IP header is part of the ESP payload and therefore is protected, but the outer header is not). If you want to protect the IP header of ESP-encrypted packets, you must use both AH and ESP. Protecting the IP header lets the receiver detect packets whose header fields, including the source address, were spoofed or modified in transit.

Q. What is IPsec main mode negotiation?
A.

The negotiation of a secured IPsec session has two distinct phases: main mode and quick mode. The main mode negotiation creates a bidirectional main mode SA (also known as an ISAKMP SA), which is a secure channel through which the quick mode negotiation and all future IKE traffic takes place.

Main mode negotiation accomplishes the following:

  • Negotiates security parameters for IKE traffic. These parameters include the authentication method, lifetime of the main mode SA, the Diffie-Hellman group to be used to generate a shared secret, and how the IKE traffic is to be protected (encryption and HMAC algorithms).
  • Exchanges Diffie-Hellman keying material. Each peer sends its public Diffie-Hellman value, and from the two exchanged public values each peer computes the same shared secret, which is never itself transmitted.
  • Authenticates the identities of the IPsec peers (Kerberos, digital certificates, or preshared key).



Q. What is IPsec quick mode negotiation?
A.IPsec quick mode negotiation creates the unidirectional quick mode SAs (also known as IPsec SAs) that secure data traffic. During negotiation, the IPsec peers determine the specific encryption algorithm, the hashing algorithm, the use of ESP or AH (or both), whether to use transport or tunnel mode, and a description of the traffic to protect. All quick mode negotiation messages are protected with the previously established main mode SA. Each successful quick mode negotiation establishes two IPsec SAs: one for inbound traffic and one for outbound traffic.

Q. What are IKE, Oakley, and ISAKMP and how do they relate?
A.Internet Key Exchange (IKE) is used to dynamically establish SAs between IPsec peers. IKE is a hybrid protocol: it is based on the framework defined by the Internet Security Association and Key Management Protocol (ISAKMP) and implements parts of two key management protocols, Oakley and SKEME.

IKE uses ISAKMP to define how two peers communicate, including the packet formats, retransmission timers, and message construction requirements. IKE uses both Oakley and SKEME to provide the mechanism and management of key exchanges.

Q. What is IPsec transport mode?
A.IPsec transport mode protects an IP payload with an AH or ESP header inserted between the original IP header and the payload. Typical IP payloads are a TCP segment (a TCP header and TCP segment data), a UDP message (a UDP header and UDP message data), and an Internet Control Message Protocol (ICMP) message (an ICMP header and ICMP message data).

Q. What is IPsec tunnel mode?
A.IPsec tunnel mode provides the protection of an entire IP packet by treating it as an AH or ESP payload. With tunnel mode, an entire IP packet is encapsulated with an AH or ESP header and an additional IP header. The IP addresses of the outer IP header are the tunnel endpoints, and the IP addresses of the encapsulated IP header are the ultimate source and destination addresses.

Q. How do I configure a router-based firewall to allow IPsec for Windows traffic?
A.

Configure your router-based firewall to allow the following:

  • UDP port 500 (IKE traffic)
  • UDP port 4500 (IPsec NAT-T traffic)
  • IP protocol 50 (ESP-protected traffic)
  • IP protocol 51 (AH-protected traffic)



Q. What are the IPsec registry keys?
A.The main IPsec policy and configuration details are stored under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPsec. For information about IPsec registry keys, see IPsec Tools and Settings.

Q. How are IPsec and IKE traffic affected by IP fragmentation?
A.IPsec and IKE communication is not adversely affected by IP fragmentation. IPsec itself does not fragment or reassemble packets: outbound IPsec packets are passed down to the IP layer, which fragments them if necessary, and for inbound traffic IPsec for Windows receives the already reassembled packet. Intermediate devices that drop IP fragments can still break IKE negotiation, however, because IKE messages that carry certificates often exceed the path MTU and arrive as fragments.

Q. Is there a trusted man-in-the-middle attack against IPsec?
A.IPsec is vulnerable to a trusted man-in-the-middle attack if someone obtains the secret that the IPsec peers use to authenticate each other, because that secret lets the attacker authenticate to each peer as the other. The risk is higher with preshared keys: the same key is held by every computer that shares it and is stored in plaintext in the policy, so a single leak compromises authentication for all of them. For this reason, Microsoft recommends that preshared keys be used only in test environments. If certificates are used as the authentication method, each peer's private key never leaves that peer, and the risk of a man-in-the-middle attack is significantly reduced.

Q. What is the idle timeout for quick mode SAs?
A.If a quick mode SA is not used to secure traffic for a specific period of time, it is removed and a new SA is negotiated. This timeout period is 5 minutes.

Q. If the quick mode SAs are unidirectional, why is there only one SA between IPsec peers listed in the IPsec Monitor snap-in?
A.Only one quick mode SA is displayed because the IPsec Monitor snap-in does not show directional information for quick mode SAs.

Q. When IPsec peers are separated by a NAT, will IPsec negotiation happen over UDP port 4500 or UDP port 500?
A.When peers negotiate a main mode SA across a NAT, only the initial IKE message from the initiating IPsec peer uses UDP port 500. All other IKE traffic is sent over UDP port 4500, the same port that carries the UDP-encapsulated ESP traffic.
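To make the port and protocol assignments concrete, here is an added Python example (not part of this FAQ and not Microsoft code) that classifies constructed IPsec datagrams by their transport header, decodes the fixed ISAKMP header to tell main mode from quick mode, and separates IKE from UDP-encapsulated ESP on port 4500 using the four-byte non-ESP marker defined in RFC 3948. It also expresses the four router-based firewall rules from the earlier question as a predicate. The sample datagrams, cookies and SPI values are constructed for illustration.

```python
"""Classify IPsec-related datagrams and decode the ISAKMP (IKE) header.

Added example, not part of the Microsoft FAQ. The sample datagrams are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Transport-layer identifiers from the firewall answer
IKE_PORT = 500        # IKE (ISAKMP) over UDP
NAT_T_PORT = 4500     # IPsec NAT-T (IKE and UDP-encapsulated ESP)
PROTO_UDP = 17
PROTO_ESP = 50        # ESP-protected traffic
PROTO_AH = 51         # AH-protected traffic

# IKEv1 exchange types (RFC 2408 / RFC 2409)
EXCHANGE_TYPES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}

# ISAKMP header: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, length (28 bytes, network byte order)
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: marks IKE carried inside UDP 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-octet NAT keepalive


@dataclass
class Classification:
    kind: str                       # "IKE", "ESP", "AH", "UDP-ESP", "NAT-keepalive" or "other"
    detail: str
    exchange: Optional[str] = None  # IKE only
    spi: Optional[int] = None       # ESP/AH only


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the fixed ISAKMP header; raises ValueError on truncation or a bad version."""
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    i_cky, r_cky, next_payload, version, exch, flags, msg_id, length = ISAKMP_HEADER.unpack_from(data)
    if version >> 4 != 1:
        raise ValueError(f"unsupported ISAKMP major version {version >> 4}")
    return {
        "initiator_cookie": i_cky.hex(),
        "responder_cookie": r_cky.hex(),
        "next_payload": next_payload,
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown ({exch})"),
        "encrypted": bool(flags & 0x01),   # E bit: payloads after the header are encrypted
        "message_id": msg_id,              # 0 for main mode, non-zero per quick mode exchange
        "length": length,
    }


def classify(protocol: int, src_port: Optional[int], dst_port: Optional[int], payload: bytes) -> Classification:
    """Map one datagram to the IPsec component that produced it."""
    if protocol == PROTO_ESP:
        return Classification("ESP", "IP protocol 50", spi=struct.unpack("!I", payload[:4])[0])
    if protocol == PROTO_AH:
        # AH header: next header (1), payload length (1), reserved (2), SPI (4), sequence (4), ICV
        return Classification("AH", "IP protocol 51", spi=struct.unpack("!I", payload[4:8])[0])
    if protocol != PROTO_UDP:
        return Classification("other", f"IP protocol {protocol}")
    if IKE_PORT in (src_port, dst_port):
        return Classification("IKE", "UDP 500", exchange=parse_isakmp_header(payload)["exchange"])
    if NAT_T_PORT in (src_port, dst_port):
        if payload == NAT_KEEPALIVE:
            return Classification("NAT-keepalive", "UDP 4500, one 0xFF octet")
        if payload.startswith(NON_ESP_MARKER):
            # Four zero bytes can never be a valid ESP SPI, so they mark an IKE message on port 4500
            hdr = parse_isakmp_header(payload[len(NON_ESP_MARKER):])
            return Classification("IKE", "UDP 4500 with non-ESP marker (NAT-T)", exchange=hdr["exchange"])
        return Classification("UDP-ESP", "UDP 4500, UDP-encapsulated ESP", spi=struct.unpack("!I", payload[:4])[0])
    return Classification("other", f"UDP {src_port}->{dst_port}")


def allowed_by_firewall(protocol: int, dst_port: Optional[int]) -> bool:
    """The four rules from the router-based firewall answer, as a predicate."""
    return protocol in (PROTO_ESP, PROTO_AH) or (protocol == PROTO_UDP and dst_port in (IKE_PORT, NAT_T_PORT))


def make_isakmp(exchange_type: int, flags: int = 0, msg_id: int = 0) -> bytes:
    """Build a header-only ISAKMP message with a constructed initiator cookie."""
    return ISAKMP_HEADER.pack(b"\x11" * 8, b"\x00" * 8, 1, 0x10, exchange_type, flags, msg_id, ISAKMP_HEADER.size)


# Constructed sample datagrams: (protocol, src_port, dst_port, payload)
SAMPLES = [
    (PROTO_UDP, 500, 500, make_isakmp(2)),                                      # first main mode message
    (PROTO_UDP, 4500, 4500, NON_ESP_MARKER + make_isakmp(32, 0x01, 0x1234)),     # encrypted quick mode via NAT-T
    (PROTO_UDP, 4500, 4500, b"\x00\x00\x10\x01" + b"\x00" * 20),                 # UDP-encapsulated ESP, SPI 0x1001
    (PROTO_ESP, None, None, b"\x00\x00\x20\x02" + b"\x00" * 20),                 # plain ESP, SPI 0x2002
    (PROTO_AH, None, None, b"\x04\x04\x00\x00\x00\x00\x30\x03" + b"\x00" * 16),  # AH, SPI 0x3003
    (PROTO_UDP, 4500, 4500, NAT_KEEPALIVE),
]


def classify_samples() -> list:
    return [classify(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for result in classify_samples():
        print(f"{result.kind:<13} {result.detail:<42} exchange={result.exchange} spi={result.spi}")
```

The non-ESP marker is what lets a single UDP 4500 socket carry both IKE and ESP: a real ESP SPI is never zero, so a datagram beginning with four zero bytes must be IKE. A packet filter that passes UDP 4500 therefore admits both kinds of traffic, which is why the firewall answer lists that port once.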

Q. How does the faster failover for IPsec with Network Load Balancing (NLB) and Microsoft Cluster Server (MSCS) work?
A.For computers running Windows Server 2003, the IKE component has the ability to detect if a peer is a member node of a cluster. If so, IKE changes the default quick mode SA timeout from 5 minutes to 1 minute. If the current cluster node fails, any SAs established to the failed node will timeout after 1 minute and IKE will re-establish an IPsec-secured session with a new cluster node.

Q. How does IKE in IPsec for Windows behave in an IKE-based denial of service attack?
A.IKE limits the number of outstanding main mode negotiations and the number of established main mode negotiations. If there is an established main mode SA, IKE limits the outstanding main mode SAs to five per IP address/port pair. If there is no established main mode SA, IKE limits the outstanding main mode SAs to 35 per IP address. If this limit is hit, IKE will drop all initial negotiation messages from that peer until an outstanding SA for that peer has failed, timed out, or been established.
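The limits above can be modelled as a small piece of accounting logic. The following added Python example (not Microsoft code, and not the actual IKE implementation, which tracks negotiations by ISAKMP cookie rather than by port alone) reproduces the two thresholds from the answer and runs two constructed scenarios: a flood of initial messages from one address that never complete, and a peer with an established main mode SA renegotiating from a single port.

```python
"""Model of the IKE main mode negotiation limits described in the FAQ.

Added example, not Microsoft code. It applies the documented thresholds so the effect
of an IKE flood can be observed. The peer addresses and ports are constructed.
"""
from collections import defaultdict

# Limits from the FAQ answer
OUTSTANDING_PER_PORT_WITH_SA = 5    # per IP address/port pair when a main mode SA is already established
OUTSTANDING_PER_IP_WITHOUT_SA = 35  # per IP address when no main mode SA is established


class MainModeLimiter:
    """Tracks outstanding (in-progress) and established main mode SAs per peer."""

    def __init__(self):
        self.outstanding = defaultdict(lambda: defaultdict(int))  # ip -> port -> count
        self.established = defaultdict(int)                       # ip -> established main mode SAs
        self.dropped = 0

    def outstanding_for_ip(self, ip: str) -> int:
        return sum(self.outstanding[ip].values())

    def on_initial_message(self, ip: str, port: int) -> bool:
        """First message of a new main mode negotiation. Returns True if accepted, False if dropped."""
        if self.established[ip] > 0:
            over_limit = self.outstanding[ip][port] >= OUTSTANDING_PER_PORT_WITH_SA
        else:
            over_limit = self.outstanding_for_ip(ip) >= OUTSTANDING_PER_IP_WITHOUT_SA
        if over_limit:
            self.dropped += 1
            return False
        self.outstanding[ip][port] += 1
        return True

    def on_negotiation_finished(self, ip: str, port: int, succeeded: bool) -> None:
        """An outstanding negotiation completed, failed, or timed out; its slot is freed."""
        if self.outstanding[ip][port] == 0:
            raise ValueError(f"no outstanding negotiation for {ip}:{port}")
        self.outstanding[ip][port] -= 1
        if succeeded:
            self.established[ip] += 1

    def on_sa_deleted(self, ip: str) -> None:
        """An established main mode SA expired or was deleted."""
        if self.established[ip] == 0:
            raise ValueError(f"no established SA for {ip}")
        self.established[ip] -= 1


def simulate_flood(ip: str = "192.0.2.10", messages: int = 50) -> dict:
    """Constructed flood: one source address sends `messages` initial messages from distinct
    ports and never answers, so none of the negotiations completes."""
    lim = MainModeLimiter()
    accepted = sum(lim.on_initial_message(ip, 40000 + i) for i in range(messages))
    # One outstanding negotiation times out; exactly one new message can then get in.
    lim.on_negotiation_finished(ip, 40000, succeeded=False)
    after_timeout = lim.on_initial_message(ip, 50000)
    return {"accepted": accepted, "dropped": lim.dropped, "accepted_after_timeout": after_timeout}


def simulate_established_peer(ip: str = "192.0.2.20") -> dict:
    """Constructed: a peer with an established main mode SA starts new negotiations from one port."""
    lim = MainModeLimiter()
    lim.on_initial_message(ip, 500)
    lim.on_negotiation_finished(ip, 500, succeeded=True)   # main mode SA now established
    same_port = [lim.on_initial_message(ip, 500) for _ in range(6)]
    other_port = lim.on_initial_message(ip, 4500)          # a different port has its own budget
    return {
        "same_port_accepted": sum(same_port),
        "same_port_dropped": len(same_port) - sum(same_port),
        "other_port_accepted": other_port,
    }


if __name__ == "__main__":
    print("flood from one address:", simulate_flood())
    print("peer with established SA:", simulate_established_peer())
```

The two thresholds protect different things: the per-address cap of 35 bounds the state a stranger can pin down before any authentication has succeeded, while the smaller per-port cap of 5 applies once a peer is already known and keeps a compromised or misbehaving authenticated peer from monopolising the responder.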

Q. How does authenticated IPsec bypass work for Windows Firewall?
A.The Windows Firewall: Allow authenticated IPsec bypass Group Policy setting allows you to specify that the Windows Firewall does not process IPsec-secured traffic from specified computers. This can improve performance for computers that are using both Windows Firewall and IPsec.

Q. What is the difference between ESP with encryption and ESP (Null)?
A.ESP with encryption uses an encryption algorithm (DES or 3DES, and also AES in Windows Vista and Windows Server 2008) to provide data confidentiality, together with data origin authentication and data integrity, for the ESP payload. ESP (Null), also known as ESP with no encryption, provides only data origin authentication and data integrity for the ESP payload.


