Manual SA

The Manual Security Association (SA) IPsec policy scenario allows callers to bypass the built-in IPsec keying modules (IKE and AuthIP) by directly specifying IPsec SAs to secure any network traffic.

An example of a possible Manual SA scenario is "Add an IPsec SA pair to secure all unicast data traffic between IP addresses 1.1.1.1 & 2.2.2.2, except ICMP, using IPsec transport mode."

Note

The following steps must be executed on both machines with IP addresses appropriately set.

To implement this example programmatically, use the following WFP configuration.

At FWPM_LAYER_INBOUND_TRANSPORT_V{4|6}, set up inbound per-packet filtering rules

  1. Add a filter with the following properties.

    | Filter property | Value |
    |---|---|
    | FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition | NlatUnicast |
    | FWPM_CONDITION_IP_LOCAL_ADDRESS filtering condition | The appropriate local address (1.1.1.1 or 2.2.2.2). |
    | FWPM_CONDITION_IP_REMOTE_ADDRESS filtering condition | The appropriate remote address (1.1.1.1 or 2.2.2.2). |
    | action.type | FWP_ACTION_CALLOUT_TERMINATING |
    | action.calloutKey | FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V{4|6} |

  2. Exempt ICMP traffic from IPsec by adding a filter with the following properties.

    | Filter property | Value |
    |---|---|
    | FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition | NlatUnicast |
    | FWPM_CONDITION_IP_PROTOCOL filtering condition | **IPPROTO_ICMP{V6}** (these constants are defined in winsock2.h) |
    | action.type | FWP_ACTION_PERMIT |
    | weight | FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS |

At FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6}, set up outbound per-packet filtering rules

  1. Add a filter with the following properties.

    | Filter property | Value |
    |---|---|
    | FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition | NlatUnicast |
    | FWPM_CONDITION_IP_LOCAL_ADDRESS filtering condition | The appropriate local address (1.1.1.1 or 2.2.2.2). |
    | FWPM_CONDITION_IP_REMOTE_ADDRESS filtering condition | The appropriate remote address (1.1.1.1 or 2.2.2.2). |
    | action.type | FWP_ACTION_CALLOUT_TERMINATING |
    | action.calloutKey | FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V{4|6} |

  2. Exempt ICMP traffic from IPsec by adding a filter with the following properties.

    | Filter property | Value |
    |---|---|
    | FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition | NlatUnicast |
    | FWPM_CONDITION_IP_PROTOCOL filtering condition | **IPPROTO_ICMP{V6}** (these constants are defined in winsock2.h) |
    | action.type | FWP_ACTION_PERMIT |
    | weight | FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS |

Set up inbound and outbound security associations

  1. Call IPsecSaContextCreate0, with the outboundTraffic parameter containing the IP addresses as 1.1.1.1 & 2.2.2.2, and ipsecFilterId as the LUID of the outbound transport layer IPsec callout filter added above.
  2. Call IPsecSaContextGetSpi0, with the id parameter containing the context ID returned from IPsecSaContextCreate0, and the getSpi parameter containing the IP addresses as 1.1.1.1 & 2.2.2.2, and ipsecFilterId as the LUID of the inbound transport layer IPsec callout filter added above. The returned SPI value is meant to be used as the inbound SA SPI by the local machine and as the outbound SA SPI by the corresponding remote machine. Both machines must use some out-of-band means to exchange the SPI values.
  3. Call IPsecSaContextAddInbound0, with the id parameter containing the context ID returned from IPsecSaContextCreate0, and the inboundBundle parameter describing the properties of the inbound SA bundle (such as the inbound SA SPI, transform type, algorithm types, keys, etc).
  4. Call IPsecSaContextAddOutbound0, with the id parameter containing the context ID returned from IPsecSaContextCreate0, and the outboundBundle parameter describing the properties of the outbound SA bundle (such as the outbound SA SPI, transform type, algorithm types, keys, etc).

Sample code: Manual SA Keying

Built-in Callout Identifiers

Filtering Layer Identifiers

FWPM_ACTION0