Configuration 3: Using IPsec Between Two Local-link Hosts

This configuration creates an IPsec Security Association (SA) between two hosts on the same subnet to perform authentication using the Authentication Header (AH) and the Message Digest 5 (MD5) hashing algorithm. In this example, the configuration shown secures all traffic between two neighboring hosts: Host 1, with the link-local address FE80::2AA:FF:FE53:A92C, and Host 2, with the link-local address FE80::2AA:FF:FE92:D0F1.

To use IPsec between two local-link hosts

  1. On Host 1, create blank security association (SAD) and security policy (SPD) files by using the ipsec6 c command. In this example, the Ipsec6.exe command is ipsec6 c test. This creates two files to manually configure security associations (Test.sad) and security policies (Test.spd).
  2. On Host 1, edit the SPD file to add a security policy that secures all traffic between Host 1 and Host 2.

    The following table shows the security policy added to the Test.spd file before the first entry for this example (the first entry in the Test.spd file was not modified).

    SPD file field name    Example value
    -------------------    ----------------------
    Policy                 2
    RemoteIPAddr           FE80::2AA:FF:FE92:D0F1
    LocalIPAddr            *
    RemotePort             *
    Protocol               *
    LocalPort              *
    IPSecProtocol          AH
    IPSecMode              TRANSPORT
    RemoteGWIPAddr         *
    SABundleIndex          NONE
    Direction              BIDIRECT
    Action                 APPLY
    InterfaceIndex         0

    Place a semicolon at the end of the line configuring this security policy. The policy entries must be placed in decreasing numerical order.

  3. On Host 1, edit the SAD file, adding SA entries to secure all traffic between Host 1 and Host 2. Two security associations must be created, one for traffic to Host 2 and one for traffic from Host 2.

    The following table shows the first SA entry added to the Test.sad file for this example (for traffic to Host 2).

    SAD file field name    Example value
    -------------------    ----------------------
    SAEntry                2
    SPI                    3001
    SADestIPAddr           FE80::2AA:FF:FE92:D0F1
    DestIPAddr             POLICY
    SrcIPAddr              POLICY
    Protocol               POLICY
    DestPort               POLICY
    SrcPort                POLICY
    AuthAlg                HMAC-MD5
    KeyFile                Test.key
    Direction              OUTBOUND
    SecPolicyIndex         2

    Place a semicolon at the end of the line configuring this SA.

    The following table shows the second SA entry added to the Test.sad file for this example (for traffic from Host 2).

    SAD file field name    Example value
    -------------------    ----------------------
    SAEntry                1
    SPI                    3000
    SADestIPAddr           FE80::2AA:FF:FE53:A92C
    DestIPAddr             POLICY
    SrcIPAddr              POLICY
    Protocol               POLICY
    DestPort               POLICY
    SrcPort                POLICY
    AuthAlg                HMAC-MD5
    KeyFile                Test.key
    Direction              INBOUND
    SecPolicyIndex         2

    Place a semicolon at the end of the line configuring this SA. The SA entries must be placed in decreasing numerical order.

  4. On Host 1, create a text file that contains a text string used to authenticate the SAs created with Host 2. In this example, the file Test.key is created with the contents "This is a test". You must include double quotes around the key string in order for the key to be read by the ipsec6 tool.

    The Microsoft IPv6 Technology Preview only supports manually configured keys for the authentication of IPsec SAs. The manual keys are configured by creating text files that contain the text string of the manual key. In this example, the same key for the SAs is used in both directions. You can use different keys for inbound and outbound SAs by creating different key files and referencing them with the KeyFile field in the SAD file.

  5. On Host 2, create blank security association (SAD) and security policy (SPD) files by using the ipsec6 c command. In this example, the Ipsec6.exe command is ipsec6 c test. This creates two files with blank entries for manually configuring security associations (Test.sad) and security policies (Test.spd).

    To simplify the example, the same file names for the SAD and SPD files are used on Host 2. You can choose to use different file names on each host.

  6. On Host 2, edit the SPD file to add a security policy that secures all traffic between Host 2 and Host 1.

    The following table shows the security policy entry added before the first entry to the Test.spd file for this example (the first entry in the Test.spd file was not modified).

    SPD file field name    Example value
    -------------------    ----------------------
    Policy                 2
    RemoteIPAddr           FE80::2AA:FF:FE53:A92C
    LocalIPAddr            *
    RemotePort             *
    Protocol               *
    LocalPort              *
    IPSecProtocol          AH
    IPSecMode              TRANSPORT
    RemoteGWIPAddr         *
    SABundleIndex          NONE
    Direction              BIDIRECT
    Action                 APPLY
    InterfaceIndex         0

    Place a semicolon at the end of the line configuring this security policy. The policy entries must be placed in decreasing numerical order.

  7. On Host 2, edit the SAD file, adding SA entries to secure all traffic between Host 2 and Host 1. Two security associations must be created: one for traffic to Host 1 and one for traffic from Host 1.

    The following table shows the first SA added to the Test.sad file for this example (for traffic from Host 1).

    SAD file field name    Example value
    -------------------    ----------------------
    SAEntry                2
    SPI                    3001
    SADestIPAddr           FE80::2AA:FF:FE92:D0F1
    DestIPAddr             POLICY
    SrcIPAddr              POLICY
    Protocol               POLICY
    DestPort               POLICY
    SrcPort                POLICY
    AuthAlg                HMAC-MD5
    KeyFile                Test.key
    Direction              INBOUND
    SecPolicyIndex         2

    Place a semicolon at the end of the line configuring this SA.

    The following table shows the second SA entry added to the Test.sad file for this example (for traffic to Host 1).

    SAD file field name    Example value
    -------------------    ----------------------
    SAEntry                1
    SPI                    3000
    SADestIPAddr           FE80::2AA:FF:FE53:A92C
    DestIPAddr             POLICY
    SrcIPAddr              POLICY
    Protocol               POLICY
    DestPort               POLICY
    SrcPort                POLICY
    AuthAlg                HMAC-MD5
    KeyFile                Test.key
    Direction              OUTBOUND
    SecPolicyIndex         2

    Place a semicolon at the end of the line configuring this SA. The SA entries must be placed in decreasing numerical order.

  8. On Host 2, create a text file that contains a text string used to authenticate the SAs created with Host 1. In this example, the file Test.key is created with the contents "This is a test". You must include double quotes around the key string in order for the key to be read by the ipsec6 tool.
  9. On Host 1, add the configured security policies and SAs from the SPD and SAD files using the ipsec6 a command. In this example, the ipsec6 a test command is run on Host 1.
  10. On Host 2, add the configured security policies and SAs from the SPD and SAD files by using the ipsec6 a command. In this example, the ipsec6 a test command is run on Host 2.
  11. Ping Host 1 from Host 2 with the ping6 command.

    If you capture the traffic using Microsoft Network Monitor or another packet sniffer, you should see the exchange of ICMPv6 Echo Request and Echo Reply messages with an Authentication Header between the IPv6 header and the ICMPv6 header.
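As an added sanity check that is not part of the original procedure, the following Python models the SAD entries from steps 3 and 7 as dictionaries keyed by the field names in the tables and verifies, before ipsec6 a is run on either host, that the two hosts' SAs mirror each other (same SPI, destination, algorithm and key file in each direction, decreasing entry order, inbound SAs addressed to the local host). The ipsec6 on-disk line syntax is not reproduced, and the helper names are assumptions.

```python
HOST1 = "FE80::2AA:FF:FE53:A92C"   # Host 1 link-local address (from the page)
HOST2 = "FE80::2AA:FF:FE92:D0F1"   # Host 2 link-local address (from the page)

def sa(entry, spi, dest, direction):
    # One SAD entry, keyed by the SAD field names used in the tables above.
    return {"SAEntry": entry, "SPI": spi, "SADestIPAddr": dest,
            "AuthAlg": "HMAC-MD5", "KeyFile": "Test.key",
            "Direction": direction, "SecPolicyIndex": 2}

# Host 1 (step 3): entry 2 protects traffic to Host 2, entry 1 traffic from Host 2.
HOST1_SAD = [sa(2, 3001, HOST2, "OUTBOUND"), sa(1, 3000, HOST1, "INBOUND")]
# Host 2 (step 7): the mirror image, same SPIs and destinations, directions swapped.
HOST2_SAD = [sa(2, 3001, HOST2, "INBOUND"), sa(1, 3000, HOST1, "OUTBOUND")]

def check_host(sad, own_addr):
    """Per-host rules: decreasing SAEntry order, unique SPIs, inbound SAs addressed to us."""
    problems = []
    order = [e["SAEntry"] for e in sad]
    if order != sorted(order, reverse=True):
        problems.append("SA entries are not in decreasing numerical order")
    spis = [e["SPI"] for e in sad]
    if len(set(spis)) != len(spis):
        problems.append("SPI values are not unique")
    for e in sad:
        if e["Direction"] == "INBOUND" and e["SADestIPAddr"] != own_addr:
            problems.append(f"inbound SPI {e['SPI']} is not addressed to this host")
    return problems

def check_pair(local_sad, peer_sad):
    """Each OUTBOUND SA needs a peer INBOUND SA with the same SPI, destination, algorithm and key."""
    problems = []
    peer_in = {e["SPI"]: e for e in peer_sad if e["Direction"] == "INBOUND"}
    for e in (x for x in local_sad if x["Direction"] == "OUTBOUND"):
        m = peer_in.get(e["SPI"])
        if m is None:
            problems.append(f"peer has no inbound SA for SPI {e['SPI']}")
        elif any(m[k] != e[k] for k in ("SADestIPAddr", "AuthAlg", "KeyFile")):
            problems.append(f"SPI {e['SPI']} parameters differ between the two hosts")
    return problems

def check_all():
    # Both hosts' local rules plus the cross-host match in each direction.
    return (check_host(HOST1_SAD, HOST1) + check_host(HOST2_SAD, HOST2)
            + check_pair(HOST1_SAD, HOST2_SAD) + check_pair(HOST2_SAD, HOST1_SAD))

if __name__ == "__main__":
    print(check_all() or "SAD entries on Host 1 and Host 2 are consistent")
```

A mistyped SPI or a destination address copied from the wrong host on Host 2 shows up here as a reported mismatch rather than as silently dropped packets after ping6.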
