IPsec Advanced Settings
Applies To: Windows Server 2008 R2
Internet Protocol Security (IPsec) is a protocol that provides authentication and data encryption at the IP packet layer. The Internet Key Exchange (IKE) protocol is used between the peers to allow the peers to authenticate each other and negotiate the packet encryption and authentication mechanisms to be used for the connection. Since the Microsoft iSCSI Initiator uses the Windows TCP/IP stack, it can use all of the functionality available in this stack. For authentication, this includes pre-shared keys, Kerberos, and certificates. Active Directory can be used to distribute the IPsec filters to the Microsoft iSCSI Initiator computers. Triple DES (3DES) and Hash Message Authentication Code – Secure Hash Algorithm 1 HMAC-SHA1 are also supported, as are tunnel and transport modes.
Because an iSCSI host bus adapter (HBA) has its own TCP/IP stack embedded in the adapter, the iSCSI HBA has its own implementation of IPsec and IKE, which means that the functionality of the iSCSI HBA may vary. At a minimum, it supports pre-shared keys, 3DES, and HMAC-SHA1. The Microsoft iSCSI Initiator service has a common application programming interface (API) that is used for configuring IPsec, both for the Microsoft iSCSI Initiator and for the iSCSI HBA.