Negotiation Discovery Transport Mode
The Negotiation Discovery Transport Mode IPsec policy scenario requires IPsec transport mode protection for all matching inbound traffic, and requests IPsec protection for matching outbound traffic. Therefore, outbound connections are allowed to fall back to clear text while inbound connections are not.
With this policy, when the host machine attempts a new outbound connection and there is no existing IPsec SA matching the traffic, the host simultaneously sends the packets in clear-text and starts an IKE or AuthIP negotiation. If the negotiation succeeds, the connection is upgraded to IPsec-protected. Otherwise, the connection stays in clear-text. Once IPsec-protected, a connection can never be downgraded to clear-text.
Negotiation Discovery Transport Mode is typically used in environments that include both IPsec capable and non-IPsec capable machines.
An example of a possible Negotiation Discovery Transport Mode scenario is "Secure all unicast data traffic, except ICMP, using IPsec transport mode, and enable negotiation discovery."
To implement this example programmatically, use the following WFP configuration.

At FWPM_LAYER_IKEEXT_V{4|6}, set up the MM negotiation policy:

1. Add one or both of the following MM policy provider contexts.
   - For IKE, a policy provider context of type FWPM_IPSEC_IKE_MM_CONTEXT.
   - For AuthIP, a policy provider context of type FWPM_IPSEC_AUTHIP_MM_CONTEXT.

   Note: A common keying module will be negotiated and the corresponding MM policy will be applied. AuthIP is the preferred keying module if both IKE and AuthIP are supported.

2. For each of the contexts added in step 1, add a filter with the following properties.

   | Filter property | Value |
   |---|---|
   | Filtering conditions | Empty. All traffic will match the filter. |
   | providerContextKey | GUID of the MM provider context added in step 1. |

At FWPM_LAYER_IPSEC_V{4|6}, set up the QM and EM negotiation policy:

1. Add one or both of the following QM transport mode policy provider contexts and set the IPSEC_POLICY_FLAG_ND_SECURE flag.
   - For IKE, a policy provider context of type FWPM_IPSEC_IKE_QM_TRANSPORT_CONTEXT.
   - For AuthIP, a policy provider context of type FWPM_IPSEC_AUTHIP_QM_TRANSPORT_CONTEXT. This context can optionally contain the AuthIP Extended Mode (EM) negotiation policy.

   Note: A common keying module will be negotiated and the corresponding QM policy will be applied. AuthIP is the preferred keying module if both IKE and AuthIP are supported.

2. For each of the contexts added in step 1, add a filter with the following properties.

   | Filter property | Value |
   |---|---|
   | Filtering conditions | Empty. All traffic will match the filter. |
   | providerContextKey | GUID of the QM provider context added in step 1. |

At FWPM_LAYER_INBOUND_TRANSPORT_V{4|6}, set up the inbound per-packet filtering rules:

1. Add a filter with the following properties.

   | Filter property | Value |
   |---|---|
   | FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition | NlatUnicast |
   | action.type | FWP_ACTION_CALLOUT_TERMINATING |
   | action.calloutKey | FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V{4|6} |
   | rawContext | FWPM_CONTEXT_IPSEC_INBOUND_PERSIST_CONNECTION_SECURITY |

2. Exempt ICMP traffic from IPsec by adding a filter with the following properties.

   | Filter property | Value |
   |---|---|
   | FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition | NlatUnicast |
   | FWPM_CONDITION_IP_PROTOCOL filtering condition | IPPROTO_ICMP{V6}. These constants are defined in winsock2.h. |
   | action.type | FWP_ACTION_PERMIT |
   | weight | FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS |

At FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6}, set up the outbound per-packet filtering rules:

1. Add a filter with the following properties.

   | Filter property | Value |
   |---|---|
   | FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition | NlatUnicast |
   | action.type | FWP_ACTION_CALLOUT_TERMINATING |
   | action.calloutKey | FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V{4|6} |
   | rawContext | FWPM_CONTEXT_IPSEC_OUTBOUND_NEGOTIATE_DISCOVER |

2. Exempt ICMP traffic from IPsec by adding a filter with the following properties.

   | Filter property | Value |
   |---|---|
   | FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition | NlatUnicast |
   | FWPM_CONDITION_IP_PROTOCOL filtering condition | IPPROTO_ICMP{V6}. These constants are defined in winsock2.h. |
   | action.type | FWP_ACTION_PERMIT |
   | weight | FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS |

At FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6}, set up the inbound per-connection filtering rules:

1. Add a filter with the following properties. This filter will only allow inbound connection attempts if they are secured by IPsec.

   | Filter property | Value |
   |---|---|
   | FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition | NlatUnicast |
   | action.type | FWP_ACTION_CALLOUT_TERMINATING |
   | action.calloutKey | FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V{4|6} |

2. Exempt ICMP traffic from IPsec by adding a filter with the following properties.

   | Filter property | Value |
   |---|---|
   | FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition | NlatUnicast |
   | FWPM_CONDITION_IP_PROTOCOL filtering condition | IPPROTO_ICMP{V6}. These constants are defined in winsock2.h. |
   | action.type | FWP_ACTION_PERMIT |
   | weight | FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS |
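The same "require inbound, request outbound, exempt ICMP" policy expressed with the Windows Firewall with Advanced Security (NetSecurity) cmdlets rather than the raw WFP API, as an added example that is not part of the original page. The management layer creates the per-layer filters and callouts listed above on your behalf; this block shows the policy semantics and how to verify which connections were actually upgraded to IPsec. It assumes a domain-joined host (Kerberos machine authentication) and an elevated PowerShell session; the rule and auth-set display names are chosen for this example.

```powershell
# Added example (not from the original page): negotiation discovery transport mode
# policy via the NetSecurity cmdlets. Assumes a domain-joined host and an elevated shell.

# Phase 1 (main mode) authentication: Kerberos machine credentials (assumption for this
# example; a certificate-based proposal would work the same way).
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'ND Example - Phase1 Auth' -Proposal $authProposal

# Catch-all transport mode rule. InboundSecurity=Require mirrors the inbound
# "initiate secure" callout (clear-text inbound connections are rejected);
# OutboundSecurity=Request mirrors the outbound "negotiate discover" callout
# (clear text is sent while negotiation runs, then the connection is upgraded).
New-NetIPsecRule -DisplayName 'ND Example - Secure all unicast' `
    -Mode Transport `
    -InboundSecurity Require `
    -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name `
    -Profile Any

# ICMP exemption, mirroring the IPPROTO_ICMP / IPPROTO_ICMPV6 permit filters above.
# Protocol-specific connection security rules take precedence over the catch-all.
foreach ($proto in 'ICMPv4', 'ICMPv6') {
    New-NetIPsecRule -DisplayName "ND Example - Exempt $proto" `
        -Mode Transport `
        -Protocol $proto `
        -InboundSecurity None `
        -OutboundSecurity None `
        -Profile Any
}

# Verification: confirm the rules as stored, then inspect live SAs. A peer that shows
# up in Get-NetIpsecQuickModeSA was upgraded to IPsec; traffic to a peer that never
# appears there is still flowing in clear text under the outbound "Request" fallback.
Get-NetIPsecRule -DisplayName 'ND Example*' |
    Format-Table DisplayName, Mode, InboundSecurity, OutboundSecurity, Protocol -AutoSize

Get-NetIPsecMainModeSA  | Format-Table LocalEndpoint, RemoteEndpoint, KeyModule -AutoSize
Get-NetIPsecQuickModeSA | Format-Table LocalEndpoint, RemoteEndpoint, Protocol -AutoSize
```

Because outbound fallback is silent by design, the quick mode SA listing is the practical check for whether a given peer ended up protected; an expected IPsec peer missing from it usually points at a failed main mode negotiation (authentication or keying module mismatch) rather than at the filter configuration.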