IPSec Policy Rules

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

IPSec policy rules

An IPSec policy consists of one or more rules that determine IPSec behavior. IPSec rules are configured on the Rules tab in the properties of an IPSec policy. Each IPSec rule contains the following configuration items:

  • Filter list

    A single filter list is selected that contains one or more predefined packet filters that describe the types of traffic to which the configured filter action for this rule is applied. The filter list is configured on the IP Filter List tab in the properties of an IPSec rule within an IPSec policy.

  • Filter action

    A single filter action is selected that includes the type of action required (Permit, Block, or Negotiate Security) for packets that match the filter list. For the Negotiate Security filter action, the negotiation data contains one or more security methods that are used (in order of preference) during IKE negotiations and other IPSec settings. Each security method determines the security protocol (such as AH or ESP), the specific cryptographic and hashing algorithms, and session key regeneration settings used. The filter action is configured on the Filter Action tab in the properties of an IPSec rule within an IPSec policy.

  • Authentication methods

    One or more authentication methods are configured (in order of preference) and used to authenticate IPSec peers during main mode negotiations. The available authentication methods are the Kerberos V5 protocol, a certificate issued by a specified certification authority, or a preshared key. The authentication methods are configured on the Authentication Methods tab in the properties of an IPSec rule within an IPSec policy.

    Important

    • The use of preshared key authentication is not recommended because it is a relatively weak authentication method. Preshared key authentication creates a master key that is less secure (that might produce a weaker form of encryption) than certificates or the Kerberos V5 protocol. In addition, preshared keys are stored in plaintext. Preshared key authentication is provided for interoperability purposes and to adhere to IPSec standards. It is recommended that you use preshared keys only for testing and that you use certificates or Kerberos V5 instead in a production environment.

  • Tunnel endpoint

    Specifies whether the traffic is tunneled and, if it is, the IP address of the tunnel endpoint. For outbound traffic, the tunnel endpoint is the IP address of the IPSec tunnel peer. For inbound traffic, the tunnel endpoint is a local IP address. The tunnel endpoint is configured on the Tunnel Setting tab in the properties of an IPSec rule within an IPSec policy. For more information, see Tunnel mode.

  • Connection type

    Specifies whether the rule applies to local area network (LAN) connections, dial-up connections, or both. The connection type is configured on the Connection Type tab in the properties of an IPSec rule within an IPSec policy.

The rules for a policy are displayed in IP Security Policies in reverse alphabetical order based on the name of the filter list selected for each rule. There is no method for specifying an order in which to apply the rules in a policy. The IPSec driver automatically orders the rules based on the most specific to the least specific filter list. For example, the IPSec driver would apply a rule containing a filter list that specified individual IP addresses and TCP ports before a rule containing a filter list that specified all addresses on a subnet.

Default response rule

The default response rule, which can be used for all policies, has the IP filter list of <Dynamic> and the filter action of Default Response when the list of rules is viewed with the IP Security Policy Management console. The default response rule cannot be deleted, but it can be deactivated. It is activated by default for all policies.

The default response rule is used to ensure that the computer responds to requests for secure communication. If an active policy does not have a rule defined for a computer that is requesting secure communication, then the default response rule is applied and security is negotiated. For example, when Computer A communicates securely with Computer B, and Computer B does not have an inbound filter defined for Computer A, the default response rule is used.

Security methods and authentication methods can be configured for the default response rule. The filter list of <Dynamic> indicates that no filter list is configured; instead, filters are created automatically when IKE negotiation packets are received. The filter action of Default Response indicates that the action of the filter (Permit, Block, or Negotiate Security) cannot be configured: Negotiate Security is always used. However, you can configure:

  • The security methods and their preference order on the Security Methods tab.

  • The authentication methods and their preference order on the Authentication Methods tab.
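The following is an added example, not part of the original page, that builds the rule components described above (filter list, filter action with ordered security methods, certificate authentication, connection type, transport mode) and then handles the default response rule, using the netsh ipsec static context that Windows Server 2003 provides as a command-line alternative to the IP Security Policy Management console. The policy, list and action names, the 10.0.0.0/24 subnet, the CA distinguished name and the key lifetimes are constructed placeholders; the parameter names are given from memory of the netsh ipsec static syntax, so confirm them against the local help (for example `netsh ipsec static add rule ?`) before use.

```powershell
# Added example (not from the original page). Names, subnet, CA DN and lifetimes are
# constructed placeholders. Run in an elevated prompt on Windows Server 2003.

# 1. Policy container. activatedefaultrule=no deactivates the <Dynamic> / Default
#    Response rule (it cannot be deleted, only deactivated), so only the explicit
#    rules below can cause security to be negotiated.
netsh ipsec static add policy name="Telnet-Require" description="Require ESP for inbound Telnet" activatedefaultrule=no

# 2. Filter list: one mirrored filter matching TCP/23 to this host from one subnet.
#    A specific filter like this is ordered by the driver ahead of broader ones.
netsh ipsec static add filterlist name="Telnet-In" description="Telnet from 10.0.0.0/24 to me"
netsh ipsec static add filter filterlist="Telnet-In" srcaddr=10.0.0.0 srcmask=255.255.255.0 dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes

# 3. Filter action: Negotiate Security. Security methods are listed in preference
#    order (ESP with 3DES/SHA1 first). soft=no refuses to fall back to cleartext
#    and inpass=no refuses unsecured inbound packets.
netsh ipsec static add filteraction name="Require-ESP" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s ESP[3DES,MD5]:100000k/3600s"

# 4. Rule: ties filter list, filter action and authentication method together.
#    rootca selects certificate authentication (placeholder CA name) instead of a
#    preshared key; conntype=lan limits the rule to LAN connections; no tunnel
#    parameter means transport mode.
netsh ipsec static add rule name="Telnet-Rule" policy="Telnet-Require" filterlist="Telnet-In" filteraction="Require-ESP" rootca="C=US,O=Example,CN=Example Root CA" conntype=lan activate=yes

# 5. Default response rule: its action is always Negotiate Security, but its
#    security methods and authentication methods can still be set. Keep it
#    deactivated here while restricting what it would offer if re-enabled.
netsh ipsec static set defaultrule policy="Telnet-Require" qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" kerberos=yes activate=no

# 6. Assign the policy and verify. The verbose listing shows each rule with its
#    filter list, filter action, authentication methods and connection type.
netsh ipsec static set policy name="Telnet-Require" assign=yes
netsh ipsec static show policy name="Telnet-Require" level=verbose
```

The check to perform afterwards is the verbose listing in step 6: confirm that the Default Response rule shows as inactive and that the explicit rule carries the certificate authentication method rather than a preshared key. If a policy must be left with the default response rule active, step 5 still matters, because that rule is what answers peers for which no explicit inbound filter exists.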