IPsec Rules

Applies To: Windows Server 2008

About IPsec rules

An Internet Protocol security (IPsec) policy consists of one or more rules that determine IPsec behavior. IPsec rules are configured on the Rules tab in the properties of an IPsec policy. Each IPsec rule contains the following configuration items:

Filter list

A single filter list that contains one or more predefined packet filters that describe the types of traffic to which the configured filter action for this rule is applied. The filter list is configured on the IP Filter List tab in the properties of an IPsec rule within an IPsec policy. For more information about filter lists, see Filter Lists.

Filter action

A single filter action that specifies the action to take (Permit, Block, or Negotiate Security) for packets that match the filter list. For the Negotiate Security filter action, the negotiation data contains one or more security methods that are offered (in order of preference) during IKE Quick Mode negotiation, together with other IPsec settings such as whether unsecured inbound traffic is accepted and whether the computer may fall back to unsecured communication with peers that cannot negotiate IPsec. Each security method determines the security protocol (AH, ESP, or both), the cryptographic algorithms, and the session key regeneration (lifetime) settings. The negotiation data is configured on the Filter Action tab in the properties of an IPsec rule within an IPsec policy. For more information, see Filter Actions.

Authentication methods

One or more authentication methods are configured (in order of preference) and used to authenticate the IPsec peers during Main Mode negotiation. The available authentication methods are the Kerberos version 5 authentication protocol, a certificate issued by a specified certification authority (CA), or a preshared key. A preshared key is stored unprotected in the policy and is intended for interoperability testing; use Kerberos or certificates in production. The authentication data is configured on the Authentication Methods tab in the properties of an IPsec rule within an IPsec policy. For more information, see IPsec Authentication.

Tunnel endpoint

Specifies whether the traffic is tunneled and, if it is, the IP address of the tunnel endpoint. For outbound traffic, the tunnel endpoint is the IP address of the IPsec tunnel peer. For inbound traffic, the tunnel endpoint is a local IP address. The tunnel endpoint is configured on the Tunnel Setting tab in the properties of an IPsec rule within an IPsec policy. You must create two tunnel rules, one for each direction that traffic will travel. For more information, see IPsec Tunnel Settings.

Connection type

Specifies whether the rule applies to local area network (LAN) connections, remote connections, or both. The connection type is configured on the Connection Type tab in the properties of an IPsec rule within an IPsec policy. For more information, see IPsec Connection Type.
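The following is an added example, not part of the original page, that builds a policy containing rules with each of the five items above using the netsh ipsec static context, which edits the same policy store as the IP Security Policy Management snap-in on Windows Server 2008. The policy, filter list, filter action and rule names, the 10.1.0.0/24 and 10.2.0.0/24 subnets, the gateway addresses 203.0.113.10 (local) and 198.51.100.20 (peer), and the CA name are placeholders.

```powershell
# Added example (not from the original page): build an IPsec policy whose rules
# contain each of the five configuration items described above, using the
# netsh ipsec static context. All names, subnets, addresses and the CA name
# are placeholders.

# 1. Policy: Main Mode (IKE) settings live at policy level. mmsecmethods lists
#    Main Mode security methods in order of preference (ConfAlg-HashAlg-DHGroup;
#    group 3 is 2048-bit Diffie-Hellman).
netsh ipsec static add policy name="Contoso Server Policy" `
    description="Require ESP for SMB; tunnel to branch office" `
    mmsecmethods="3DES-SHA1-3" mmpfs=no activatedefaultrule=no

# 2. Filter list: the traffic the rule applies to. 'me' means this computer's
#    own addresses; mirrored=yes also matches the reply direction.
netsh ipsec static add filterlist name="Inbound SMB" description="TCP 445 to this host"
netsh ipsec static add filter filterlist="Inbound SMB" `
    srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=yes

# 3. Filter action: Negotiate Security with one Quick Mode security method
#    (ESP, 3DES confidentiality, SHA1 integrity). The :k/s suffix is the
#    session key regeneration setting (kilobytes / seconds per SA).
#    inpass=no -> do not accept unsecured inbound packets
#    soft=no   -> never fall back to cleartext if the peer cannot negotiate
netsh ipsec static add filteraction name="Require ESP" action=negotiate `
    qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" inpass=no soft=no qmpfs=no

# 4+5. Rule: binds filter list and filter action, sets the authentication
#      method (Kerberos for domain members) and the connection type.
#      No tunnel= parameter means transport mode.
netsh ipsec static add rule name="SMB requires ESP" policy="Contoso Server Policy" `
    filterlist="Inbound SMB" filteraction="Require ESP" kerberos=yes conntype=all

# Tunnel rules come in pairs, one per direction, each with a one-way
# (mirrored=no) filter. Outbound: tunnel endpoint is the peer gateway.
# Inbound: tunnel endpoint is this gateway's own address. Certificate
# authentication from a named CA; restrict to LAN connections.
netsh ipsec static add filterlist name="HQ to Branch"
netsh ipsec static add filter filterlist="HQ to Branch" `
    srcaddr=10.1.0.0 srcmask=24 dstaddr=10.2.0.0 dstmask=24 protocol=ANY mirrored=no
netsh ipsec static add filterlist name="Branch to HQ"
netsh ipsec static add filter filterlist="Branch to HQ" `
    srcaddr=10.2.0.0 srcmask=24 dstaddr=10.1.0.0 dstmask=24 protocol=ANY mirrored=no

netsh ipsec static add rule name="Tunnel out" policy="Contoso Server Policy" `
    filterlist="HQ to Branch" filteraction="Require ESP" tunnel=198.51.100.20 `
    rootca="CN=Contoso Root CA,O=Contoso certmap:no excludecaname:no" conntype=lan
netsh ipsec static add rule name="Tunnel in" policy="Contoso Server Policy" `
    filterlist="Branch to HQ" filteraction="Require ESP" tunnel=203.0.113.10 `
    rootca="CN=Contoso Root CA,O=Contoso certmap:no excludecaname:no" conntype=lan

# Assign the policy (only one local policy is assigned at a time, and a
# policy assigned through Group Policy overrides it) and review the result.
netsh ipsec static set policy name="Contoso Server Policy" assign=yes
netsh ipsec static show policy name="Contoso Server Policy" level=verbose
netsh ipsec static show gpoassignedpolicy

# After matching traffic has flowed, confirm that SAs were really negotiated
# rather than the traffic being permitted or dropped.
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all
```

The filter action is the part to audit: inpass=yes or soft=yes silently turns a "require IPsec" rule into "prefer IPsec", so a peer that never negotiates still gets cleartext traffic through. The qmsas listing is the check that the Negotiate Security action produced an SA for the filter you intended.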

Default response rule

The default response rule ensures that the computer responds to requests for secure communication. If the active policy does not contain a rule whose filters match an incoming request for secure communication, and the default response rule is enabled, the default response rule is applied and security is negotiated. For example, the default response rule is used when Computer A initiates secure communication with Computer B, and Computer B does not have an inbound filter defined for traffic from Computer A.

The default response rule, which can be used for all policies, cannot be deleted, but it can be deactivated. You have the option of enabling it when you create new IPsec policies with the IP Security Policy Wizard.

Note

The default response rule will be ignored in a policy that will be assigned to a computer running Windows Vista® or Windows Server® 2008.

Only the authentication methods and the security methods can be configured for the default response rule. The filter list of <Dynamic> indicates that no filter list is configured; instead, filters are created automatically based on the IKE negotiation packets that are received. The filter action of Default Response indicates that the action of the filter (Permit, Block, or Negotiate Security) cannot be configured.
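The following is an added example, not part of the original page, showing the netsh ipsec static commands that enable, configure, deactivate and inspect the default response rule on a policy. The policy name is a placeholder.

```powershell
# Added example (not from the original page): manage the default response rule
# of a policy with netsh ipsec static. The policy name is a placeholder.

# Create a policy with the default response rule active. (On an existing
# policy, 'set defaultrule ... activate=yes' does the same.)
netsh ipsec static add policy name="Client Policy" activatedefaultrule=yes `
    mmsecmethods="3DES-SHA1-3"

# Only the authentication methods and the Quick Mode security methods are
# configurable; the filter list stays <Dynamic> and the action stays
# Default Response. Kerberos is used here; rootca= or psk= are the
# alternatives, with psk= unsuitable outside testing.
netsh ipsec static set defaultrule policy="Client Policy" activate=yes `
    kerberos=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s" qmpfs=no

# Verify: the verbose listing shows the default response rule with its
# <Dynamic> filter list and Default Response action.
netsh ipsec static show policy name="Client Policy" level=verbose

# The rule cannot be deleted, only deactivated:
# netsh ipsec static set defaultrule policy="Client Policy" activate=no
```

Remember the note above: a responder running Windows Vista or Windows Server 2008 ignores this rule, so a policy that relies on it to answer negotiation requests will not negotiate on those computers. For them, add an explicit Negotiate Security rule whose filter list matches the traffic.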