Remote Identity Authorization
The Remote Identity Authorization IPsec policy scenario requires that inbound connections come from a specific set of remote security principals which are specified in a Windows security descriptor (SD) access control list (ACL). If the remote identity (as determined by IPsec) does not match the set of allowed identities, the connection will be dropped. This policy must be specified in conjunction with one of the transport mode policy options.
If AuthIP is enabled, two security descriptors can be specified, one corresponding to AuthIP main mode, and the other corresponding to AuthIP extended mode.
An example of a possible Negotiation Discovery Transport Mode scenario is "Secure all unicast data traffic, except ICMP, using IPsec transport mode, enable negotiation discovery, and restrict inbound access to remote identities allowed as per security descriptor SD1 (corresponding to IKE/AuthIP main mode) and security descriptor SD2 (corresponding to AuthIP extended mode), for all unicast traffic corresponding to TCP local port 5555."
To implement this example programmatically, use the following WFP configuration.
Add one or both of the following MM policy provider contexts.
- For IKE, a policy provider context of type FWPM_IPSEC_IKE_MM_CONTEXT.
- For AuthIP, a policy provider context of type FWPM_IPSEC_AUTHIP_MM_CONTEXT.
Note
A common keying module will be negotiated and the corresponding MM policy will be applied. AuthIP is the preferred keying module if both IKE and AuthIP are supported.
For each of the contexts added in step 1, add a filter with the following properties.
Filter property Value Filtering conditions Empty. All traffic will match the filter. providerContextKey GUID of the MM provider context added in step 1. Add one or both of the following QM transport mode policy provider contexts and set the IPSEC_POLICY_FLAG_ND_SECURE flag.
- For IKE, a policy provider context of type FWPM_IPSEC_IKE_QM_TRANSPORT_CONTEXT.
- For AuthIP, a policy provider context of type FWPM_IPSEC_AUTHIP_QM_TRANSPORT_CONTEXT that contains the AuthIP Extended Mode (EM) negotiation policy.
Note
A common keying module will be negotiated and the corresponding QM policy will be applied. AuthIP is the preferred keying module if both IKE and AuthIP are supported.
For each of the contexts added in step 1, add a filter with the following properties.
Filter property Value Filtering conditions Empty. All traffic will match the filter. providerContextKey GUID of the QM provider context added in step 1. Add a filter with the following properties.
Filter property Value FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition NlatUnicast action.type FWP_ACTION_CALLOUT_TERMINATING action.calloutKey FWPM_CALLOUT_IPSEC_INBOUND_TRANSPORT_V{4|6} rawContext FWPM_CONTEXT_IPSEC_INBOUND_PERSIST_CONNECTION_SECURITY Exempt ICMP traffic from IPsec by adding a filter with the following properties.
Filter property Value FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition NlatUnicast FWPM_CONDITION_IP_PROTOCOL filtering condition **IPPROTO_ICMP{V6}**These constants are defined in winsock2.h. action.type FWP_ACTION_PERMIT weight FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS Add a filter with the following properties.
Filter property Value FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition NlatUnicast action.type FWP_ACTION_CALLOUT_TERMINATING action.calloutKey FWPM_CALLOUT_IPSEC_OUTBOUND_TRANSPORT_V{4|6} rawContext FWPM_CONTEXT_IPSEC_OUTBOUND_NEGOTIATE_DISCOVER Exempt ICMP traffic from IPsec by adding a filter with the following properties.
Filter property Value FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition NlatUnicast FWPM_CONDITION_IP_PROTOCOL filtering condition IPPROTO_ICMP{V6}These constants are defined in winsock2.h. action.type FWP_ACTION_PERMIT weight FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS Add a filter with the following properties. This filter will only allow inbound connection attempts if they are secured by IPsec.
Filter property Value FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition NlatUnicast action.type FWP_ACTION_CALLOUT_TERMINATING action.calloutKey FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V{4|6} Exempt ICMP traffic from IPsec by adding a filter with the following properties.
Filter property Value FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition NlatUnicast FWPM_CONDITION_IP_PROTOCOL filtering condition **IPPROTO_ICMP{V6}**These constants are defined in winsock2.h. action.type FWP_ACTION_PERMIT weight FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS Add a filter with the following properties. This filter will permit inbound connections to TCP port 5555 if the corresponding remote identities are allowed by both SD1 and SD2.
Filter property Value FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition NlatUnicast FWPM_CONDITION_IP_PROTOCOL filtering condition IPPROTO_TCPThis constant is defined in winsock2.h. FWPM_CONDITION_IP_LOCAL_PORT filtering condition 5555 FWPM_CONDITION_ALE_REMOTE_MACHINE_ID SD1 FWPM_CONDITION_ALE_REMOTE_USER_ID SD2 action.type FWP_ACTION_CALLOUT_TERMINATING action.calloutKey FWPM_CALLOUT_IPSEC_INBOUND_INITIATE_SECURE_V{4|6} Add a filter with the following properties. This filter will block any other inbound connections to TCP port 5555 that did not match the previous filter.
Filter property Value FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE filtering condition NlatUnicast FWPM_CONDITION_IP_PROTOCOL filtering condition IPPROTO_TCPThis constant is defined in winsock2.h. FWPM_CONDITION_IP_LOCAL_PORT filtering condition 5555 action.type FWP_ACTION_BLOCK
At FWPM_LAYER_IKEEXT_V{4|6} setup MM negotiation policy
At FWPM_LAYER_IPSEC_V{4|6} setup QM and EM negotiation policy
At FWPM_LAYER_INBOUND_TRANSPORT_V{4|6} setup inbound per-packet filtering rules
At FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6} setup outbound per-packet filtering rules
At FWPM_LAYER_ALE_AUTH_RECV_ACCEPT_V{4|6} setup inbound per-connection filtering rules