Configure key exchange settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To configure key exchange settings

  1. Create a console containing IP Security Policies. Or, open a saved console file containing IP Security Policies.

  2. Double-click the policy that you want to modify.

  3. Click the General tab, and then click Settings.

  4. To force reauthentication and the negotiation of new master key keying material each time a new session key is required, click Master key perfect forward secrecy (PFS).

  5. If you require a different time interval, type the number of minutes in Authenticate and generate a new key after every number minutes. When this interval elapses, a reauthentication occurs and a new master key is generated.

  6. If you require a different session limit, type the number of sessions in Authenticate and generate a new key after every number sessions. This sets the maximum number of times a master key, or its base keying material, can be reused to generate a session key; when the limit is reached, a reauthentication occurs and a new master key is generated. If you have enabled Master key perfect forward secrecy (PFS), the number of sessions is fixed at 1 and is not configurable.

  7. If you have special requirements for security methods on the master key exchange, click Methods.

Notes

  • To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. To manage local or remote IPSec policies for a computer, you must be a member of the Administrators group on the local or remote computer. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. For more information, see Default local groups and Default groups.

  • To create a console containing IP Security Policies, start the IP Security Policies snap-in. To open a saved console file, open MMC. For more information, see Related Topics.

  • Portions of IPSec-related services were jointly developed by Microsoft and Cisco Systems, Inc.

  • Use Master key perfect forward secrecy (PFS) where it is required for interoperability. The default setting is disabled, which should work in most environments and be interoperable with most other products.

  • A session limit of zero (0) will cause rekeys to be determined only by the time setting.

  • Enabling master key perfect forward secrecy (PFS) might impact performance because each quick mode requires a new main mode negotiation.
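The following is an added illustration, not code from this help topic or from Windows, that models how the three key exchange settings above decide when a new main mode (reauthentication and new master key) is forced: PFS pins the session limit to 1, a session limit of 0 leaves rekeys to the time setting alone, and otherwise whichever limit is reached first triggers the negotiation. The default lifetime of 480 minutes and the quick-mode request times are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyExchangeSettings:
    """The three controls on the Key Exchange Settings dialog."""
    master_key_pfs: bool = False  # Master key perfect forward secrecy (PFS)
    lifetime_minutes: int = 480   # "...after every N minutes" (sample default)
    session_limit: int = 0        # "...after every N sessions"; 0 = time only

    def effective_session_limit(self) -> int:
        # With PFS enabled the dialog fixes the session limit at 1.
        return 1 if self.master_key_pfs else self.session_limit


def main_mode_negotiations(settings, quick_mode_times):
    """Return indices of quick-mode (session key) requests that force a new
    main mode negotiation. quick_mode_times: minutes since start, sorted."""
    limit = settings.effective_session_limit()
    negotiations = []
    mm_start = None   # time the current master key was established
    uses = 0          # session keys derived from the current master key
    for i, t in enumerate(quick_mode_times):
        expired = mm_start is not None and (t - mm_start) >= settings.lifetime_minutes
        exhausted = limit > 0 and uses >= limit
        if mm_start is None or expired or exhausted:
            negotiations.append(i)   # reauthenticate, new master key
            mm_start, uses = t, 0
        uses += 1
    return negotiations


# Constructed sample: six quick-mode requests, a burst then a late pair.
REQUESTS = [0, 10, 20, 30, 500, 510]

if __name__ == "__main__":
    for label, s in [("default", KeyExchangeSettings()),
                     ("pfs", KeyExchangeSettings(master_key_pfs=True)),
                     ("3 sessions", KeyExchangeSettings(session_limit=3))]:
        print(label, main_mode_negotiations(s, REQUESTS))
```

With PFS every quick mode costs a main mode, which is the performance impact the last note describes.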

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Start the IP Security Policy Management snap-in
Open MMC
Create key exchange security methods
Key exchange settings
Working with MMC console files