Allow Inbound IPSec (IPv6) Traffic to Private Hosts

By default, the firewall blocks inbound IPSec traffic just like any other inbound traffic. To allow inbound IPSec traffic to specific private hosts, or to all private hosts, create ALLOW rules for the IP_PROTOCOL_AH (51) and IP_PROTOCOL_ESP (50) protocols, and an ALLOW rule for the Internet Key Exchange (IKE) packets that negotiate the security associations (UDP port 500). AH and ESP carry no port field, so those two rules match on protocol only; only the IKE rule specifies a port. Two points to check before deploying this rule set: IKE peers behind a NAT negotiate over UDP port 4500 instead (IKE NAT traversal), which these rules do not open, and the UDP 500 rule exposes the IKE responder to every peer that can reach the host, so prefer a rule limited to the private hosts that actually terminate IPSec.

The following table shows how the members of the FW_RULE structure are set to allow all inbound IPv6 IPSec traffic, including IKE, to all private hosts. Each row is one rule.

dwFlags                  PrivateHost.Family   Protocol          Port
FWF_ALLOW | FWF_INBOUND  AF_INET6             IP_PROTOCOL_AH    Not applicable
FWF_ALLOW | FWF_INBOUND  AF_INET6             IP_PROTOCOL_ESP   Not applicable
FWF_ALLOW | FWF_INBOUND  AF_INET6             IP_PROTOCOL_UDP   500

Registry entries for the rules

The following registry example shows the entries that the three persistent rules produce under HKEY_LOCAL_MACHINE\COMM\Firewall\Rules. The comment after each value names the constant it encodes: Mask records which optional fields the rule matches on, PrivateHost stores the address family as a little-endian 16-bit value (hex:17,00 is 0x0017, that is, AF_INET6), and Port is present only in the IKE rule.

[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\InboundAH]
    "Mask"=dword:20         ; FWM_PROTOCOL 
    "Flags"=dword:A         ; FWF_ALLOW | FWF_INBOUND
    "PrivateHost"=hex:17,00         ; AF_INET6
    "Protocol"=dword:33     ; IP_PROTOCOL_AH

[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\InboundESP]
    "Mask"=dword:20         ; FWM_PROTOCOL 
    "Flags"=dword:A         ; FWF_ALLOW | FWF_INBOUND
    "PrivateHost"=hex:17,00         ; AF_INET6
    "Protocol"=dword:32     ; IP_PROTOCOL_ESP

[HKEY_LOCAL_MACHINE\COMM\Firewall\Rules\InboundUDP]
    "Mask"=dword:24         ; FWM_PROTOCOL | FWM_PORT
    "Flags"=dword:A         ; FWF_ALLOW | FWF_INBOUND
    "PrivateHost"=hex:17,00         ; AF_INET6
    "Protocol"=dword:11         ; IP_PROTOCOL_UDP
    "Port"=dword:1F4         ; 500
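The following C program is added here as an illustration and is not part of the original page or of the Windows CE firewall. It models the registry encoding shown above: from the fields a rule sets it derives the Mask from which optional fields are present, stores the address family as the little-endian 16-bit value the PrivateHost entry holds, refuses a port on AH or ESP (which have no port field), and prints the resulting .reg fragment. The reg_rule structure and the functions encode_rule, format_reg and verify_page_rules are hypothetical names; FWM_PORT (0x4) is inferred from the page's 0x24 = FWM_PROTOCOL | FWM_PORT, and FWF_ALLOW | FWF_INBOUND is kept as the single value 0xA the page shows, because the page does not give the individual bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the registry entries on this page. The page gives only the
   combined flag value (0xA), so it is kept as one constant; FWM_PORT is inferred
   from 0x24 = FWM_PROTOCOL | FWM_PORT. */
#define FWM_PROTOCOL      0x20u
#define FWM_PORT          0x04u
#define FWF_ALLOW_INBOUND 0x0Au
/* Standard values: Windows AF_INET6 and IANA protocol numbers. */
#define AF_INET6_VALUE    23u
#define IP_PROTOCOL_TCP   6u
#define IP_PROTOCOL_UDP   17u
#define IP_PROTOCOL_ESP   50u
#define IP_PROTOCOL_AH    51u
#define PORT_NONE         (-1)

/* Hypothetical model of one persisted rule (not the real FW_RULE layout). */
typedef struct {
    unsigned mask;
    unsigned flags;
    unsigned char private_host[2]; /* sa_family as the little-endian "hex:" bytes */
    unsigned protocol;
    unsigned port;                 /* valid only when mask & FWM_PORT */
} reg_rule;

/* Encode a rule. Returns 0 on success, -1 for a port on a protocol that has no
   port field (AH, ESP) or for an out-of-range port. */
int encode_rule(unsigned flags, uint16_t family, unsigned protocol, int port,
                reg_rule *out)
{
    memset(out, 0, sizeof *out);
    out->flags = flags;
    out->mask = FWM_PROTOCOL;            /* every rule on this page matches on protocol */
    out->protocol = protocol;
    out->private_host[0] = (unsigned char)(family & 0xFF);
    out->private_host[1] = (unsigned char)(family >> 8);
    if (port == PORT_NONE)
        return 0;
    if (protocol != IP_PROTOCOL_UDP && protocol != IP_PROTOCOL_TCP)
        return -1;                       /* AH and ESP have no port to match */
    if (port < 0 || port > 65535)
        return -1;
    out->mask |= FWM_PORT;
    out->port = (unsigned)port;
    return 0;
}

/* Render the rule as the .reg fragment shown on this page. Returns the number of
   characters written, or -1 if buf is too small. */
int format_reg(const reg_rule *r, const char *name, char *buf, size_t len)
{
    int n = snprintf(buf, len,
        "[HKEY_LOCAL_MACHINE\\COMM\\Firewall\\Rules\\%s]\n"
        "    \"Mask\"=dword:%X\n"
        "    \"Flags\"=dword:%X\n"
        "    \"PrivateHost\"=hex:%02x,%02x\n"
        "    \"Protocol\"=dword:%X\n",
        name, r->mask, r->flags, r->private_host[0], r->private_host[1], r->protocol);
    if (n < 0 || (size_t)n >= len)
        return -1;
    if (r->mask & FWM_PORT) {
        int m = snprintf(buf + n, len - (size_t)n, "    \"Port\"=dword:%X\n", r->port);
        if (m < 0 || (size_t)m >= len - (size_t)n)
            return -1;
        n += m;
    }
    return n;
}

/* Re-derive the three rules and compare them with the literals on this page.
   Returns the number of rules that do not match (0 means all three match). */
int verify_page_rules(void)
{
    reg_rule r;
    int bad = 0;
    if (encode_rule(FWF_ALLOW_INBOUND, AF_INET6_VALUE, IP_PROTOCOL_AH, PORT_NONE, &r) != 0
        || r.mask != 0x20 || r.flags != 0xA || r.protocol != 0x33
        || r.private_host[0] != 0x17 || r.private_host[1] != 0x00)
        bad++;
    if (encode_rule(FWF_ALLOW_INBOUND, AF_INET6_VALUE, IP_PROTOCOL_ESP, PORT_NONE, &r) != 0
        || r.mask != 0x20 || r.protocol != 0x32)
        bad++;
    if (encode_rule(FWF_ALLOW_INBOUND, AF_INET6_VALUE, IP_PROTOCOL_UDP, 500, &r) != 0
        || r.mask != 0x24 || r.protocol != 0x11 || r.port != 0x1F4)
        bad++;
    return bad;
}

int main(void)
{
    static const struct { const char *name; unsigned proto; int port; } rules[] = {
        { "InboundAH",  IP_PROTOCOL_AH,  PORT_NONE },
        { "InboundESP", IP_PROTOCOL_ESP, PORT_NONE },
        { "InboundUDP", IP_PROTOCOL_UDP, 500 },
    };
    char buf[512];
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        reg_rule r;
        if (encode_rule(FWF_ALLOW_INBOUND, AF_INET6_VALUE, rules[i].proto, rules[i].port, &r) != 0
            || format_reg(&r, rules[i].name, buf, sizeof buf) < 0)
            return 1;
        puts(buf);
    }
    return verify_page_rules() == 0 ? 0 : 1;
}
```

Running the program prints the three .reg fragments from this page and exits non-zero if any derived value disagrees with the page's literals; the rejection of a port on AH or ESP is what the table's "Not applicable" entries mean in practice.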

Code example to create the rules

The following code example creates the same three rules with FirewallCreateRule. Each FW_RULE is zeroed before its members are set, so that dwMask starts empty and unused members do not carry stack garbage into the rule.

    #include <windows.h>
    #include <fwapi.h>   // Windows CE firewall API: FW_RULE, FirewallCreateRule

    // FirewallCreateRule is assumed here to return ERROR_SUCCESS on success
    // (Win32 error-code convention).
    void CreateInboundIPSecRules(void)
    {
        FW_RULE InboundAH;
        // Zero the structure so that dwMask and unused members start empty.
        memset(&InboundAH, 0, sizeof(InboundAH));
        // The following fields must always be set.
        InboundAH.dwSize = sizeof(FW_RULE);
        InboundAH.dwFlags = FWF_ALLOW | FWF_INBOUND;
        InboundAH.dwMask = FWM_PROTOCOL;
        InboundAH.PrivateHost.Family = AF_INET6;
        InboundAH.wszDescription = L"Allows inbound AH packets";

        // Protocol. AH has no port field, so FWM_PORT is not set.
        InboundAH.Protocol = IP_PROTOCOL_AH;

        // Create a persistent rule.
        if (FirewallCreateRule(&InboundAH, TRUE) != ERROR_SUCCESS) {
            // Handle the error.
        }

        FW_RULE InboundESP;
        memset(&InboundESP, 0, sizeof(InboundESP));
        // The following fields must always be set.
        InboundESP.dwSize = sizeof(FW_RULE);
        InboundESP.dwFlags = FWF_ALLOW | FWF_INBOUND;
        InboundESP.dwMask = FWM_PROTOCOL;
        InboundESP.PrivateHost.Family = AF_INET6;
        InboundESP.wszDescription = L"Allows inbound ESP packets";

        // Protocol. ESP has no port field, so FWM_PORT is not set.
        InboundESP.Protocol = IP_PROTOCOL_ESP;

        // Create a persistent rule.
        if (FirewallCreateRule(&InboundESP, TRUE) != ERROR_SUCCESS) {
            // Handle the error.
        }

        FW_RULE InboundUDP;
        memset(&InboundUDP, 0, sizeof(InboundUDP));   // dwMask starts at zero
        // The following fields must always be set.
        InboundUDP.dwSize = sizeof(FW_RULE);
        InboundUDP.dwFlags = FWF_ALLOW | FWF_INBOUND;
        InboundUDP.PrivateHost.Family = AF_INET6;
        InboundUDP.wszDescription = L"Allows inbound Internet Key Exchange (UDP) packets";

        // Protocol.
        InboundUDP.dwMask |= FWM_PROTOCOL;
        InboundUDP.Protocol = IP_PROTOCOL_UDP;

        // Port. IKE uses UDP port 500, so the range is a single port.
        InboundUDP.dwMask |= FWM_PORT;
        InboundUDP.PortMin = 500;
        InboundUDP.PortMax = 500;

        // Create a persistent rule.
        if (FirewallCreateRule(&InboundUDP, TRUE) != ERROR_SUCCESS) {
            // Handle the error.
        }
    }

See Also

General Firewall Rule Examples

 Last updated on Tuesday, May 18, 2004

© 1992-2003 Microsoft Corporation. All rights reserved.