Add, edit, or remove IPSec security methods

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To add, edit, or remove IPSec security methods

  1. Create a console containing IP Security Policies. Or, open a saved console file containing IP Security Policies.

  2. Double-click the policy that you want to modify.

  3. Double-click the rule that you want to modify, and then click the Filter Actiontab.

  4. Double-click the filter action that you want to modify.

  5. On the Security Methods tab, click Negotiate security, and then do one of the following:

    • To add a new security method, click Add.

    • To modify an existing security method, click the security method that you want to modify, and then click Edit.

    • To remove a security method, click the security method that you want to remove, and then click Remove.

  6. If you are adding or modifying a security method, on the Security Method tab, select the security level:

    • To use the ESP protocol to provide data confidentiality (encryption) with the triple Data Encryption Standard (3DES) algorithm, data integrity and authentication with the Secure Hash Algorithm 1 (SHA1) integrity algorithm, and default key lifetimes (100MB, 1 hour), click Integrity and Encryption.

    • To use the ESP protocol to provide data integrity and authentication with the SHA1 integrity algorithm and default key lifetimes (100MB, 1 hour), click Integrity only. ESP is not configured to provide data confidentiality (encryption).

    • Click Custom, and then click Settings to configure a custom security method or key lifetimes. For more information, see Related Topics.

  7. Repeat this procedure to configure additional security methods for the filter action.

Notes

  • To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. To manage local or remote IPSec policies for a computer, you must be a member of the Administrators group on the local or remote computer. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. For more information, see Default local groups and Default groups.

  • To create a console containing IP Security Policies, start the IP Security Policies snap-in. To open a saved console file, open MMC. For more information, see Related Topics.

  • Computers running Windows 2000 must have the High Encryption Pack or Service Pack 2 (or later) installed in order to use the 3DES algorithm. If a computer running Windows 2000 receives a 3DES setting, but does not have the High Encryption Pack or Service Pack 2 (or later) installed, the 3DES setting in the security method is set to the weaker DES, to provide some level of confidentiality for communication, rather than blocking all communication. However, you should only use DES as a fallback option if not all computers in your environment support the use of 3DES. Computers running Windows XP or a Windows Server 2003 server operating system support 3DES and do not require installation of the High Encryption Pack.

  • Click Move up to move the selected security method up one level. Repeat until the security method is at the required preference level.

  • Click Move down to move the selected security method down one level. Repeat until the security method is at the required preference level.

  • For information about how key lifetimes affect security, see Filter action in Related Topics.

  • When negotiating security, the initiator proposes this list of security methods to the responder. The responder agrees to the first method (from the top down) that is found anywhere in its own security methods list. If none of the proposed security methods match an entry in the responder's list, then the responder fails the negotiation.

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Start the IP Security Policy Management snap-in
Open MMC
Configure custom IPSec security methods
Define IPSec Key Exchange Settings
Filter action
Working with MMC console files