Windows IP Security Configuration Overview
On Microsoft Windows systems, all IP Security (IPsec) configuration data resides in a single IP Security policy. You can create multiple IP Security policies, but only one local policy can be assigned (active) on the system at a time. If the system is a member of a Windows Active Directory domain, you can instead use an IP Security policy from a Group Policy defined for the domain; a domain-assigned policy takes precedence over the local one.
A Windows IP Security policy defines the parameters used to negotiate Internet Key Exchange Security Associations (IKE SAs) and IPsec SAs. An IKE SA is a
After two peers establish an IKE SA, they can negotiate IPsec SAs. Each IPsec SA is a
Each Windows IP Security policy contains the following components:
•Rules
A policy contains one or more rules. A rule binds a filter action and a set of authentication methods to an IP filter list, so that traffic matching the filters is handled by that action. Each rule contains the following components:
—IP Filter List
An IP filter list contains one or more filters. Each filter contains the following components:
◦Addressing
The source and destination IP addresses, network masks, and a flag that indicates whether the filter is mirrored. A mirrored filter also matches traffic in the reverse direction, with the source and destination swapped, so a single filter covers both inbound and outbound packets.
◦Protocol
The
◦Description
The filter name and a description.
—Filter Action
The filter action specifies what to do with traffic that matches the rule's filter list, and can be one of the following actions:
◦allow (shown as "permit" in the Windows tools): pass the packet in the clear, without IPsec protection
◦block: discard the packet
◦negotiate security: negotiate IPsec Authentication Header (AH) or Encapsulating Security Payload (ESP) Security Associations (SAs) with the peer before passing the packet
—Authentication Methods
The authentication methods specify the type of Internet Key Exchange (IKE) authentication to use (preshared key or certificates with RSA signatures). If you are using preshared key authentication, the authentication methods also specify the value of the preshared key. Note that Windows stores the preshared key in clear text in the policy store, so anyone who can read the policy can read the key; certificate authentication is preferred wherever a common trust anchor is available.
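The following PowerShell session is an added example, not part of the original page, that builds the policy structure described above (policy, IP filter list with one filter, filter action, rule with its authentication method) using the legacy netsh ipsec static context, which is what the IP Security Policy snap-in edits. All names, addresses, the preshared key value, and the CA subject name are hypothetical placeholders; the commands must run from an elevated prompt.

```powershell
# Added example (not from the original page): assemble a Windows IP Security policy
# with "netsh ipsec static". Names, addresses, key and CA name are hypothetical.
$ErrorActionPreference = 'Stop'

$Policy       = 'ExampleHostPolicy'      # hypothetical policy name
$FilterList   = 'ExampleToPeerSubnet'    # hypothetical IP filter list name
$FilterAction = 'RequireEsp'             # hypothetical filter action name
$PeerSubnet   = '203.0.113.0'            # hypothetical peer subnet (documentation range)
$PeerMask     = '255.255.255.0'

# 1. Policy container. assign=no keeps it inactive until everything is in place;
#    only one local policy can be assigned at a time. mmsecmethods sets the IKE
#    (main mode) proposal as ConfAlg-HashAlg-DHGroup.
netsh ipsec static add policy name="$Policy" description="Added example policy" `
    assign=no mmsecmethods="3DES-SHA1-2"

# 2. IP filter list with one filter: addressing (src/dst, mask, mirrored),
#    protocol, description. mirrored=yes also matches the reverse direction.
netsh ipsec static add filterlist name="$FilterList"
netsh ipsec static add filter filterlist="$FilterList" `
    srcaddr=me dstaddr="$PeerSubnet" dstmask="$PeerMask" `
    protocol=ANY mirrored=yes description="This host to peer subnet"

# 3. Filter action "negotiate security": ESP with the IPsec (quick mode) proposal
#    given as ESP[ConfAlg,AuthAlg]:kilobytes/seconds. inpass=no and soft=no refuse
#    to fall back to clear-text traffic if negotiation fails.
netsh ipsec static add filteraction name="$FilterAction" action=negotiate `
    inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

# 4a. Rule with a preshared key (weak setting): the key is stored in clear text in
#     the policy store. Left unactivated here, shown only for contrast.
netsh ipsec static add rule name="PeerSubnetPsk" policy="$Policy" `
    filterlist="$FilterList" filteraction="$FilterAction" `
    kerberos=no psk="example-only-preshared-key" activate=no

# 4b. Corrected rule: certificate authentication against a CA both peers trust.
#     rootca takes the CA certificate's subject name (hypothetical below).
netsh ipsec static add rule name="PeerSubnetCert" policy="$Policy" `
    filterlist="$FilterList" filteraction="$FilterAction" `
    kerberos=no rootca="CN=Example Root CA" activate=yes

# 5. Assign the policy, then verify the structure that was built.
netsh ipsec static set policy name="$Policy" assign=yes
netsh ipsec static show policy name="$Policy" level=verbose

# 6. After traffic to the peer subnet has flowed, the negotiated IKE SAs (main mode)
#    and IPsec SAs (quick mode) are visible here; an empty list means no match or a
#    failed negotiation.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```

The legacy static context only accepts the DES/3DES and MD5/SHA1 algorithm names shown; policies that need AES or SHA-2 are built with the Windows Firewall with Advanced Security connection security rules instead, which use a different policy model from the one described on this page.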