Creating and Using IPsec Policies
Applies To: Windows Server 2008
Internet Protocol security (IPsec) is a framework of open standards for ensuring private, secure communications over IP networks through the use of cryptographic security services. The Microsoft Windows implementation of IPsec is based on standards developed by the Internet Engineering Task Force (IETF) IPsec working group.
IPsec establishes trust and security from a source IP address to a destination IP address. The only computers that must know about the traffic being secured are the sending and receiving computers. Each computer handles security at its respective end with the assumption that the medium over which the communication takes place is not secure. Computers that only route data from source to destination are not required to support IPsec unless firewall-type packet filtering or network address translation (NAT) is performed between the two computers.
You can use the IP Security Policy snap-in to create, edit, and assign IPsec policies on this computer and remote computers.
Note
This documentation is intended to provide enough information to understand and use the IP Security Policy snap-in. Information about designing and deploying policies is beyond the scope of this documentation.
About IPsec policies
IPsec policies are used to configure IPsec security services. The policies provide varying levels of protection for most traffic types in most existing networks. You can configure IPsec policies to meet the security requirements of a computer, organizational unit (OU), domain, site, or global enterprise. You can use the IP Security Policies snap-in provided in Windows Vista® and Windows Server® 2008 to define IPsec policies for computers through Group Policy objects (for domain members) or on the local computer or for remote computers.
Important
The IP Security Policy snap-in can be used to create IPsec policies that can be applied to computers running Windows Vista and Windows Server 2008, but this snap-in does not use the new security algorithms and other new features available in Windows Vista and Windows Server 2008. To create IPsec policies that use those features, use the Windows Firewall with Advanced Security snap-in. The Windows Firewall with Advanced Security snap-in does not create policies that can be applied to earlier versions of Windows.
An IPsec policy consists of general IPsec policy settings and rules. General IPsec policy settings apply, regardless of which rules are configured. These settings determine the name of the policy, its description for administrative purposes, key exchange settings, and key exchange methods. One or more IPsec rules determine the types of traffic IPsec must examine, how traffic is treated, how to authenticate an IPsec peer, and other settings.
After the policies are created, they can be applied at the domain, site, OU, and local level. Only one policy can be active on a computer at one time. Policies distributed and applied using Group Policy objects override local policies.
IPsec Policy snap-in tasks
This section includes some of the most common tasks that you might perform using the IP Security Policies snap-in.
Creating a policy
Unless you are creating policies on only one computer and its IPsec peer, you will probably have to create a set of IPsec policies to fit your IT environment. The process of designing, creating, and deploying policies can be complex, depending on the size of your domain, the homogeneity of the computers in the domain, and other factors.
Typically, the process is as follows:
Create IP filter lists that match the computers, subnets, and conditions in your environment.
Create filter actions that correspond to how you want connections to be authenticated, data integrity to be applied, and data to be encrypted. The filter action can also be either Block or Permit, regardless of other criteria. The Block action takes priority over other actions.
Create a set of policies that match the filtering and filter action (security) requirements you need.
First, deploy policies that use Permit and Block filter actions and then monitor your IPsec environment for issues that might require the adjustment of these policies.
Deploy the policies using the Negotiate Security filter action with the option to fall back to clear text communications. This allows you to test the operation of IPsec in your environment without disrupting communications.
As soon as you have made any required refinements to the policies, remove the fall back to clear text communications option from the filter actions, where appropriate. The policies will then require authentication and security before a connection can be established.
Monitor the environment for communications that are not taking place, which might be indicated by a sudden increase in the Main Mode Negotiation Failures statistic.
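The staged process above can be scripted with netsh ipsec static, the command-line front end to the same policy store the IP Security Policy snap-in edits. The following batch script is an added example and is not part of the Microsoft documentation; the filter list, filter action and policy names, and the 10.0.1.0/24 server subnet, are constructed placeholders. It assumes the netsh parameters used (mirrored, inpass, soft, qmsecmethods, activatedefaultrule, assign, kerberos) behave as documented for Windows Server 2003 and Windows Server 2008.

```batch
@echo off
rem Added example (not from the Microsoft documentation): staged IPsec rollout
rem with "netsh ipsec static". Names and the 10.0.1.0/24 subnet are constructed.
rem Assumption: the netsh parameters below are the documented ones for the
rem legacy (IP Security Policy snap-in) policy store.

rem Step 1: filter lists that match the computers and subnets in the environment.
rem mirrored=yes also matches the reverse direction, so one filter covers both ways.
netsh ipsec static add filterlist name="FL-ServerSubnet" description="All traffic to the server subnet"
netsh ipsec static add filter filterlist="FL-ServerSubnet" srcaddr=me dstaddr=10.0.1.0 dstmask=255.255.255.0 protocol=any mirrored=yes

netsh ipsec static add filterlist name="FL-Telnet" description="Telnet to any host"
netsh ipsec static add filter filterlist="FL-Telnet" srcaddr=me dstaddr=any protocol=tcp srcport=0 dstport=23 mirrored=yes

rem Step 2: filter actions. Block and Permit involve no negotiation.
rem FA-Negotiate-Soft negotiates ESP (integrity and encryption) but falls back to
rem clear text (soft=yes) when the peer does not answer; inpass=yes accepts an
rem unsecured inbound packet and replies using IPsec.
netsh ipsec static add filteraction name="FA-Block" action=block
netsh ipsec static add filteraction name="FA-Permit" action=permit
netsh ipsec static add filteraction name="FA-Negotiate-Soft" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=yes soft=yes

rem Step 3: the policy and its rules (one filter list and one filter action per rule).
rem The default response rule is left off; Windows Vista and Server 2008 ignore it.
netsh ipsec static add policy name="P-SecureServers" description="Staged IPsec rollout" activatedefaultrule=no
netsh ipsec static add rule name="R-BlockTelnet" policy="P-SecureServers" filterlist="FL-Telnet" filteraction="FA-Block"
netsh ipsec static add rule name="R-ServerSubnet" policy="P-SecureServers" filterlist="FL-ServerSubnet" filteraction="FA-Negotiate-Soft" kerberos=yes

rem Step 4: assign the policy. Only one policy is active per computer, so this
rem unassigns whatever local policy was assigned before.
netsh ipsec static set policy name="P-SecureServers" assign=yes

rem Step 5 (run later, after monitoring): drop the clear-text fallback so the
rem rule requires authentication and ESP before a connection is established.
rem netsh ipsec static set filteraction name="FA-Negotiate-Soft" soft=no

rem Step 6: watch for peers that can no longer communicate. A sudden rise in
rem "Main Mode Negotiation Failures" in the IKE statistics is the symptom.
netsh ipsec dynamic show stats type=ike
```

Keep the Block rule ahead of the Negotiate rule in your design: Block wins over any other action for traffic matched by both filter lists, so a misplaced broad Block filter silently defeats the negotiated rules. Run the script from an elevated command prompt; the Step 5 line is commented out so the first run leaves the fallback in place for the monitoring phase.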
To create a new IPsec policy
Right-click the IP Security Policies node, and then click Create IP Security Policy.
In the IP Security Policy Wizard, click Next.
Type a name and a description (optional) of the policy, and then click Next.
Either select the Activate the default response rule check box or leave it unselected, and then click Next.
Note
The default response rule can be used only for policies that are applied to Windows XP and Windows Server 2003 and earlier. Windows Vista and Windows Server 2008 cannot use the default response rule.
If you are using the default response rule, select an authentication method, and then click Next.
For more information about the default response rule, see IPsec Rules.
Leave the Edit properties check box selected, and then click Next. You can add rules to the policy as needed.
Add or change a rule to a policy
To add a policy rule
Right-click the IPsec policy, and then click Properties.
If you want to create the rule in the property dialog box, clear the Use Add Wizard check box. To use the wizard, leave the check box selected. Click Add.
The following instructions are for creating a rule using the dialog box.
In the New Rule Properties dialog box, on the IP Filter List tab, select the appropriate filter list, or click Add to add a new filter list. If you have already created filter lists, they will appear in the IP Filter Lists list.
For more information about creating and using filter lists, see Filter Lists.
Note
Only one filter list can be used per rule.
On the Filter Action tab, select the appropriate filter action, or click Add to add a new filter action.
For more information about creating and using filter actions, see Filter Actions.
Note
Only one filter action can be used per rule.
On the Authentication Methods tab, select the appropriate method, or click Add to add a new method.
For more information about creating and using authentication methods, see IPsec Authentication.
Note
You can use several methods per rule. The methods are attempted in the order in which they appear in the list. If you specify that certificates are used, put them together in the list in the order you want them to be used.
On the Connection Type tab, select the connection type to which the rule applies.
For more information about connection types, see IPsec Connection Type.
If you are using a tunnel, specify the endpoints on the Tunnel Settings tab. By default, no tunnel is used.
For more information about using tunnels, see IPsec Tunnel Settings. Tunnel rules cannot be mirrored.
When all the settings are complete, click OK.
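The rule settings chosen on the tabs above (filter list, filter action, ordered authentication methods, connection type, tunnel endpoint) map onto the parameters of netsh ipsec static add rule. The batch script below is an added example, not the documentation's own content or code from Microsoft; the policy, filter list and filter action it creates, the 10.0.1.0/24 and 10.0.2.0/24 subnets, the 192.0.2.10 tunnel endpoint and the root CA name are constructed placeholders. It assumes the kerberos, rootca, conntype and tunnel parameters of add rule, and the level=verbose option of show policy, behave as documented for the legacy IPsec policy store.

```batch
@echo off
rem Added example (not from the Microsoft documentation): scripting the
rem "add a policy rule" steps with "netsh ipsec static". All names, subnets and
rem the 192.0.2.10 gateway are constructed placeholders.
rem Assumption: kerberos/rootca/conntype/tunnel are the documented add rule
rem parameters; rootca takes the CA's distinguished name.

rem Prerequisites built here so the script runs on its own: a policy, a filter
rem action that requires security (no clear-text fallback), and a filter list.
netsh ipsec static add policy name="P-RuleDemo" description="Rule authoring example" activatedefaultrule=no
netsh ipsec static add filteraction name="FA-Negotiate-Required" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no
netsh ipsec static add filterlist name="FL-Intranet"
netsh ipsec static add filter filterlist="FL-Intranet" srcaddr=me dstaddr=10.0.1.0 dstmask=255.255.255.0 protocol=any mirrored=yes

rem Rule 1: LAN connections only, two authentication methods. Methods are tried
rem in the order listed, so Kerberos (domain members) comes first and the
rem certificate from the named root CA is the fallback for non-domain peers.
rem One filter list and one filter action per rule, exactly as in the dialog box.
netsh ipsec static add rule name="R-Intranet" policy="P-RuleDemo" filterlist="FL-Intranet" filteraction="FA-Negotiate-Required" conntype=lan kerberos=yes rootca="CN=Example Root CA,O=Example,C=US"

rem Rule 2: a tunnel rule. Tunnel rules cannot be mirrored, so the filter is
rem one-way (mirrored=no) and the tunnel endpoint is the remote gateway. The
rem return direction needs its own one-way filter list and a rule whose tunnel=
rem is this end's gateway address.
netsh ipsec static add filterlist name="FL-ToBranch-Out"
netsh ipsec static add filter filterlist="FL-ToBranch-Out" srcaddr=10.0.1.0 srcmask=255.255.255.0 dstaddr=10.0.2.0 dstmask=255.255.255.0 protocol=any mirrored=no
netsh ipsec static add rule name="R-TunnelToBranch" policy="P-RuleDemo" filterlist="FL-ToBranch-Out" filteraction="FA-Negotiate-Required" tunnel=192.0.2.10 kerberos=yes

rem Inspect the result: level=verbose lists each rule with its filter list,
rem filter action, authentication methods, connection type and tunnel endpoint.
netsh ipsec static show policy name="P-RuleDemo" level=verbose
```

The verbose listing is the quickest way to confirm that the authentication methods landed in the intended order before the policy is assigned; a rule whose certificate method is listed first will offer certificates to every domain peer and fail where no machine certificate is enrolled.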
To change a policy rule
Right-click the IPsec policy, and then click Properties.
In the Policy Properties dialog box, select the rule, and then click Edit.
In the Edit Rule Properties dialog box, on the IP Filter List tab, select the appropriate filter list, or click Add to add a new filter list.
For more information about creating and using filter lists, see Filter Lists.
Note
Only one filter list can be used per rule.
On the Filter Action tab, select the appropriate filter action, or click Add to add a new filter action.
For more information about creating and using filter actions, see Filter Actions.
Note
Only one filter action can be used per rule.
On the Authentication Methods tab, select the appropriate method or click Add to add a new method.
For more information about creating and using authentication methods, see IPsec Authentication.
Note
You can use several methods per rule. The methods are attempted in the order in which they appear in the list.
On the Connection Type tab, select the connection type to which the rule applies.
For more information about connection types, see IPsec Connection Type.
If you are using a tunnel, specify the endpoints on the Tunnel Settings tab. By default, no tunnel is used.
For more information about using tunnels, see IPsec Tunnel Settings.
When all the settings are complete, click OK.
Assigning a policy
To assign a policy to this computer
- Right-click the policy, and then click Assign.
Note
Only one policy can be assigned to a computer at a time. Assigning another policy will automatically unassign the currently assigned policy. Group Policy on your domain might assign another policy to this computer and ignore the local policy.
For a computer-to-computer IPsec policy to be successful, you must create a mirrored policy on the other computer and assign that policy to that computer.
To assign this policy to many computers, use Group Policy.
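For a computer-to-computer policy, the peer needs a policy whose filter describes the same traffic from its own end, and after assignment you want to know which policy the IPsec service is really enforcing, since a Group Policy assignment overrides the local one. The batch script below is an added example, not part of the Microsoft documentation; it is written to run on the peer computer, with 10.0.1.5 standing in for the first computer and all names constructed. It assumes the first computer already has a matching assigned policy (filter srcaddr=me dstaddr=<peer>), and that the show gpoassignedpolicy and show mmsas commands behave as documented for netsh ipsec.

```batch
@echo off
rem Added example (not from the Microsoft documentation): the peer side of a
rem computer-to-computer policy, plus the checks for which policy is active.
rem 10.0.1.5 is a constructed address for the first computer; run this on the PEER.
rem Assumption: "show gpoassignedpolicy" and "show mmsas" are the documented
rem netsh ipsec commands for the assigned domain policy and main mode SAs.

rem The same traffic seen from the peer: "me" is now the peer and the destination
rem is the first computer. mirrored=yes covers both directions, which is what the
rem snap-in means by a mirrored policy on the other computer.
netsh ipsec static add filterlist name="FL-ToServer"
netsh ipsec static add filter filterlist="FL-ToServer" srcaddr=me dstaddr=10.0.1.5 protocol=any mirrored=yes
netsh ipsec static add filteraction name="FA-Negotiate" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no
netsh ipsec static add policy name="P-Peer" description="Mirror of the server policy" activatedefaultrule=no
netsh ipsec static add rule name="R-ToServer" policy="P-Peer" filterlist="FL-ToServer" filteraction="FA-Negotiate" kerberos=yes

rem Assign. Only one policy can be assigned at a time; this unassigns the
rem previously assigned local policy.
netsh ipsec static set policy name="P-Peer" assign=yes

rem Verify. If a domain GPO assigns a policy to this computer, that policy wins
rem and the local assignment above is ignored, so check the GPO assignment first.
netsh ipsec static show gpoassignedpolicy
netsh ipsec static show policy name="P-Peer" level=verbose

rem Once both ends are assigned and traffic has flowed, a successful negotiation
rem appears as a main mode security association with the other computer.
netsh ipsec dynamic show mmsas
```

If the GPO query reports an assigned domain policy, edit that policy (or the GPO that carries it) rather than the local one; local changes will not take effect while the domain assignment is in force.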
See Also
Concepts
IPsec Authentication
IPsec Connection Type
IPsec Tunnel Settings
Filter Actions
Filter Lists
IPsec Rules