Add, edit, or remove IPSec rules

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To add, edit, or remove IPSec rules

  1. Create a console containing IP Security Policies, or open a saved console file that contains IP Security Policies.

  2. Double-click the policy that you want to modify.

  3. To add a rule, decide whether you want to use the Create IP Security Rule Wizard or add the rule manually:

    • To add a rule by using the Create IP Security Rule Wizard, confirm that the Use Add Wizard check box is selected, click Add, and then follow the instructions.

    • To add a rule manually, confirm that the Use Add Wizard check box is cleared, click Add, and then define settings on the IP Filter List, Filter Action, Authentication Methods, Tunnel Setting, and Connection Type tabs.

  4. To edit a rule, select the rule that you want to edit, click Edit, and then modify the rule properties as needed.

  5. To remove a rule, select the rule that you want to remove, and then click Remove.

Notes

  • To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. To manage local or remote IPSec policies for a computer, you must be a member of the Administrators group on the local or remote computer. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. For more information, see Default local groups and Default groups.

  • To create a console containing IP Security Policies, start the IP Security Policies snap-in. To open a saved console file, open MMC. For more information, see Related Topics.

  • New rules are automatically applied to the policy being edited or created.

  • The rules for a policy are displayed in IP Security Policies in reverse alphabetical order, based on the name of the filter list selected for each rule. There is no method to specify an order in which to apply the rules in a policy. The IPSec driver automatically orders the rules based on the most specific filter list to the least specific filter list. For example, the IPSec driver places a rule containing a filter list that specifies individual IP addresses and TCP ports above a rule containing a filter list that specifies all addresses on a subnet.

  • The default response rule is automatically added to every new IPSec policy. If you do not want this rule to be part of your policy, you can deactivate it by clearing the check box next to <Dynamic>. The default response rule cannot be removed.
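The ordering note above (rules cannot be ordered by hand; the IPSec driver evaluates the most specific filter list first) can be made concrete with a small model. The following is an added example, not code from this page or from Microsoft: it builds a few rules in the order an administrator might add them, sorts their filters by specificity, and resolves which rule a given packet hits. The specificity weights (address prefix length plus fixed bonuses for a named protocol and port) are an assumption of this model, not the IPSec driver's actual weighting, and the addresses are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Filter:
    """One filter in a filter list: source, destination, protocol and port."""
    name: str
    src: str                  # "any", a single IP address, or a CIDR subnet
    dst: str
    protocol: str = ANY       # "any", "tcp", "udp", ...
    dst_port: int = 0         # 0 means any destination port


@dataclass(frozen=True)
class Rule:
    """An IPSec rule: a filter list paired with a filter action."""
    name: str
    filter_list: Tuple[Filter, ...]
    filter_action: str        # e.g. "Require Security", "Request Security", "Permit"


def _addr_specificity(spec: str) -> int:
    # Assumed weighting: a /32 host beats a /24 subnet, which beats "any" (0).
    if spec == ANY:
        return 0
    return ipaddress.ip_network(spec, strict=False).prefixlen


def filter_specificity(f: Filter) -> int:
    """Higher score = more specific filter (model weighting, not the driver's)."""
    score = _addr_specificity(f.src) + _addr_specificity(f.dst)
    if f.protocol != ANY:
        score += 8
    if f.dst_port:
        score += 16
    return score


def order_filters(rules: List[Rule]) -> List[Tuple[Rule, Filter]]:
    """Flatten every rule's filters and sort most specific first.

    The order in which rules were added to the policy plays no part; only
    specificity does (ties keep insertion order here, which the real driver
    does not promise)."""
    pairs = [(r, f) for r in rules for f in r.filter_list]
    return sorted(pairs, key=lambda p: filter_specificity(p[1]), reverse=True)


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def filter_matches(f: Filter, src: str, dst: str, protocol: str, dst_port: int) -> bool:
    return (_addr_matches(f.src, src) and _addr_matches(f.dst, dst)
            and f.protocol in (ANY, protocol)
            and f.dst_port in (0, dst_port))


def resolve(rules: List[Rule], src: str, dst: str, protocol: str,
            dst_port: int) -> Optional[Tuple[str, str]]:
    """Return (rule name, filter action) of the first matching filter, most specific first."""
    for rule, f in order_filters(rules):
        if filter_matches(f, src, dst, protocol, dst_port):
            return rule.name, rule.filter_action
    return None


# Constructed sample policy, listed in the order an administrator added the rules.
RULES = [
    Rule("Subnet traffic", (Filter("subnet", ANY, "192.0.2.0/24"),), "Request Security"),
    Rule("All traffic", (Filter("all", ANY, ANY),), "Permit"),
    Rule("Management host to server",
         (Filter("rdp", "192.0.2.10", "192.0.2.20", "tcp", 3389),), "Require Security"),
]

if __name__ == "__main__":
    for rule, f in order_filters(RULES):
        print(f"{filter_specificity(f):3d}  {rule.name:28s} filter={f.name}")
    print(resolve(RULES, "192.0.2.10", "192.0.2.20", "tcp", 3389))
    print(resolve(RULES, "198.51.100.7", "192.0.2.20", "tcp", 443))
    print(resolve(RULES, "198.51.100.7", "203.0.113.5", "udp", 53))
```

Running the model shows the host-to-host TCP/3389 filter sorted above the subnet filter and the catch-all, even though it was added last, which is the behaviour the note describes: if you need a narrow exception to a broad rule, make its filter list more specific rather than trying to reorder the rules.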

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Start the IP Security Policy Management snap-in
Open MMC
Activate or deactivate IPSec rules
Add, edit, or remove filter actions
Define IPSec authentication methods
IPSec Policy Rules
Working with MMC console files