The filter matches packets with the following addresses:
Source address: 10.1.1.1
Destination address: 10.2.2.2
If the filter is mirrored, it also matches packets with the following addresses:
Source address: 10.2.2.2
Destination address: 10.1.1.1
The mirror setting only affects Windows IP Security behavior before IPsec SAs are established. If the Windows IP Security module receives a packet via an existing SA, it does not verify that the packet address fields match the address filter used when the SA was established.
By comparison,
Windows does not allow you to specify the search or priority order for the filters in a rule or for the order of rules in a policy. The Windows IP Security module automatically creates an internal filter list and orders the filters from most specific to least specific.
If you do not specify a priority value when creating a policy on
On
On Windows systems, you can configure a set of multiple IKE SA proposals, but only one set per IP Security policy, and only one IP Security policy can be in use (assigned) on the system.
IKE SA Key (Master Key) Lifetime ValuesIKE SA key lifetimes (referred to as Master key lifetimes on Windows systems) specify the maximum lifetimes for IKE SA keys and are specified by units of time (seconds). In addition, users can specify the maximum number of IPsec SA negotiations that can be completed per IKE SA (“Maximum Quick Modes” (page 43)).
The
If the
If the remote system initiates IKE SA negotiations and sends a proposed value that is longer than (less secure than) the
If the remote system initiates IKE SA negotiations and sends a proposed lifetime that is the same or more secure (shorter than) the
42