Creating and Using IPsec Policies


    7/25/2019 Creating and Using IPsec Policies

    3/15/2014 Creating and Using IPsec Policies

    http://technet.microsoft.com/en-us/library/cc730656(d=printer).aspx 1/5

    Creating and Using IPsec Policies

    Applies To: Windows 7, Windows Server 2008 R2

    IPsec is a framework of open standards for ensuring private, secure communications over IP networks through the use of cryptographic security services. The Microsoft Windows implementation of IPsec is based on standards developed by the Internet Engineering Task Force (IETF) IPsec working group.

    IPsec establishes trust and security from a source IP address to a destination IP address. The only computers that must know about the traffic being secured are the sending and receiving computers. Each computer handles security at its respective end with the assumption that the medium over which the communication takes place is not secure. Computers that only route data from source to destination are not required to support IPsec unless firewall-type packet filtering or network address translation (NAT) is performed between the two computers.

    You can use the IP Security Policy snap-in to create, edit, and assign IPsec policies on this computer and remote computers.

    Note

    This documentation is intended to provide enough information to understand and use the IP Security Policy snap-in. Information about designing and deploying policies is beyond the scope of this documentation.

    About IPsec policies

    IPsec policies are used to configure IPsec security services. The policies provide varying levels of protection for most traffic types in most existing networks. You can configure IPsec policies to meet the security requirements of a computer, organizational unit (OU), domain, site, or global enterprise. You can use the IP Security Policies snap-in provided in this version of Windows to define IPsec policies for computers through Group Policy objects (for domain members), on the local computer, or for remote computers.

    Important

    The IP Security Policy snap-in can be used to create IPsec policies that can be applied to computers running Windows Vista and later versions of Windows, but this snap-in does not use the new security algorithms and other new features available in Windows Vista and later versions of Windows. To create IPsec policies for these computers, use the Windows Firewall with Advanced Security snap-in. The Windows Firewall with Advanced Security snap-in does not create policies that can be applied to earlier versions of Windows.

    An IPsec policy consists of general IPsec policy settings and rules. General IPsec policy settings apply regardless of which rules are configured. These settings determine the name of the policy, its description for administrative purposes, key exchange settings, and key exchange methods. One or more IPsec rules determine the types of traffic IPsec must examine, how traffic is treated, how to authenticate an IPsec peer, and other settings.

    After the policies are created, they can be applied at the domain, site, OU, and local level. Only one policy can be active on a computer at one time. Policies distributed and applied using Group Policy objects override local policies.


    IPsec Policy snap-in tasks

    This section includes some of the most common tasks that you might perform using the IP Security Policies snap-in.

    Creating a policy

    Unless you are creating policies on only one computer and its IPsec peer, you will probably have to create a set of IPsec policies to fit your IT environment. The process of designing, creating, and deploying policies can be complex, depending on the size of your domain, the homogeneity of the computers in the domain, and other factors.

    Typically, the process is as follows:

    1. Create IP filter lists that match the computers, subnets, and conditions in your environment.

    2. Create filter actions that correspond to how you want connections to be authenticated, data integrity to be applied, and data to be encrypted. The filter action can also be either Block or Permit, regardless of other criteria. The Block action takes priority over other actions.

    3. Create a set of policies that match the filtering and filter action (security) requirements you need.

    4. First, deploy policies that use Permit and Block filter actions, and then monitor your IPsec environment for issues that might require the adjustment of these policies.

    5. Deploy the policies using the Negotiate Security filter action with the option to fall back to clear text communications. This allows you to test the operation of IPsec in your environment without disrupting communications.

    6. As soon as you have made any required refinements to the policies, remove the fall back to clear text communications option, where appropriate. This will cause the policies to require authentication and security before a connection can be created.

    7. Monitor the environment for communications that are not taking place, which might be indicated by a sudden increase in the Main Mode Negotiation Failures statistic.
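    The staged rollout above can also be scripted against the same policy store that the IP Security Policies snap-in edits, using the legacy netsh ipsec static context that ships with Windows 7 and Windows Server 2008 R2. The script below is an added example and is not part of the TechNet page; the client subnet 192.0.2.0/24, the server address 198.51.100.10, the filter list, filter action, policy and rule names, and Kerberos authentication are all assumed values chosen for illustration. It walks the numbered steps in order: filter lists, filter actions (Permit, Block, and Negotiate Security with and without the fall back to clear text), a policy with one rule, assignment, monitoring, and finally switching the rule to the strict action.

```batch
@echo off
rem Added example, not from the TechNet page. Builds the staged policy set
rem described in the numbered steps using "netsh ipsec static", which edits the
rem same local policy store as the IP Security Policies snap-in.
rem Assumed values: client subnet 192.0.2.0/24, file server 198.51.100.10,
rem all names below, and Kerberos (domain) authentication. Adjust for your site.

rem Step 1: a filter list describing the traffic of interest. mirrored=yes
rem also matches the reply direction, which tunnel rules cannot do.
netsh ipsec static add filterlist name="FS-Traffic" description="Clients to file server"
netsh ipsec static add filter filterlist="FS-Traffic" srcaddr=192.0.2.0 srcmask=255.255.255.0 dstaddr=198.51.100.10 protocol=ANY mirrored=yes description="Client subnet to file server, both directions"

rem Step 2: filter actions. Block takes priority over the others when filters overlap.
netsh ipsec static add filteraction name="FA-Permit" action=permit
netsh ipsec static add filteraction name="FA-Block" action=block
rem Negotiate Security with fall back to clear text (soft=yes) and acceptance of
rem unsecured inbound traffic (inpass=yes): the safe action for the test phase.
rem Quick-mode security methods are left at the snap-in defaults.
netsh ipsec static add filteraction name="FA-Negotiate-Soft" action=negotiate soft=yes inpass=yes
rem The same negotiation without any fallback, used once testing is clean.
netsh ipsec static add filteraction name="FA-Negotiate" action=negotiate soft=no inpass=no

rem Step 3: a policy and one rule tying the filter list to a filter action.
rem The default response rule is not activated (it only applies to XP/2003 and earlier).
netsh ipsec static add policy name="FS-Policy" description="Staged IPsec rollout for file server traffic" activatedefaultrule=no
netsh ipsec static add rule name="FS-Rule" policy="FS-Policy" filterlist="FS-Traffic" filteraction="FA-Negotiate-Soft" kerberos=yes conntype=all description="Negotiate, fall back to clear during testing"

rem Steps 4 and 5: assign the policy. Only one policy is active per computer, so
rem assigning this one unassigns any previously assigned local policy.
netsh ipsec static set policy name="FS-Policy" assign=yes

rem Step 7: read the IKE (main mode) statistics while testing. A jump in the
rem main-mode failure counters after the fallback is removed points to peers that
rem cannot authenticate or cannot agree on key exchange settings.
netsh ipsec dynamic show stats type=ike

rem Step 6: once the environment is clean, switch the rule to the strict action.
rem From this point the file server traffic requires authentication and security.
netsh ipsec static set rule name="FS-Rule" policy="FS-Policy" filteraction="FA-Negotiate"
```

    Run the script from an elevated command prompt. The soft=yes setting is the filter action's "Allow unsecured communication if a secure connection cannot be established" option and inpass=yes is "Accept unsecured communication, but always respond using IPsec"; the final step removes both, after which peers that cannot complete authentication stop communicating, which is exactly what the Main Mode Negotiation Failures statistic then reflects. The same policy, once exported from the snap-in, can be distributed to many computers through Group Policy rather than by running the script on each one.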

    To create a new IPsec policy

    1. Right-click the IP Security Policies node, and then click Create IP Security Policy.

    2. In the IP Security Policy Wizard, click Next.

    3. Type a name and a description (optional) of the policy, and then click Next.

    4. Either select the Activate the default response rule check box or leave it unselected, and then click Next.

    Note

    The default response rule can be used only for policies that are applied to Windows XP and Windows Server 2003 and earlier. Later versions of Windows cannot use the default response rule.

    5. If you are using the default response rule, select an authentication method, and then click Next.


    For more information about the default response rule, see IPsec Rules.

    6. Leave the Edit properties check box selected, and then click Next. You can add rules to the policy as needed.

    Add or change a rule to a policy

    To add a policy rule

    1. Right-click the IPsec policy, and then click Properties.

    2. If you want to create the rule in the property dialog box, clear the Use Add Wizard check box. To use the wizard, leave the check box selected. Click Add. The following instructions are for creating a rule using the dialog box.

    3. In the New Rule Properties dialog box, on the IP Filter List tab, select the appropriate filter list, or click Add to add a new filter list. If you have already created filter lists, they will appear in the IP Filter Lists list. For more information about creating and using filter lists, see Filter Lists.

    Note

    Only one filter list can be used per rule.

    4. On the Filter Action tab, select the appropriate filter action, or click Add to add a new filter action. For more information about creating and using filter actions, see Filter Actions.

    Note

    Only one filter action can be used per rule.

    5. On the Authentication Methods tab, select the appropriate method, or click Add to add a new method. For more information about creating and using authentication methods, see IPsec Authentication.

    Note

    You can use several methods per rule. The methods are attempted in the order in which they appear in the list. If you specify that certificates are used, put them together in the list in the order you want them to be used.

    6. On the Connection Type tab, select the connection type to which the rule applies. For more information about connection types, see IPsec Connection Type.

    7. If you are using a tunnel, specify the endpoints on the Tunnel Settings tab. By default, no tunnel is used. For more information about using tunnels, see IPsec Tunnel Settings. Tunnel rules cannot be mirrored.

    8. When all the settings are complete, click OK.

    To change a policy rule


    1. Right-click the IPsec policy, and then click Properties.

    2. In the Policy Properties dialog box, select the rule, and then click Edit.

    3. In the Edit Rule Properties dialog box, on the IP Filter List tab, select the appropriate filter list, or click Add to add a new filter list. For more information about creating and using filter lists, see Filter Lists.

    Note

    Only one filter list can be used per rule.

    4. On the Filter Action tab, select the appropriate filter action, or click Add to add a new filter action. For more information about creating and using filter actions, see Filter Actions.

    Note

    Only one filter action can be used per rule.

    5. On the Authentication Methods tab, select the appropriate method, or click Add to add a new method. For more information about creating and using authentication methods, see IPsec Authentication.

    Note

    You can use several methods per rule. The methods are attempted in the order in which they appear in the list.

    6. On the Connection Type tab, select the connection type to which the rule applies. For more information about connection types, see IPsec Connection Type.

    7. If you are using a tunnel, specify the endpoints on the Tunnel Settings tab. By default, no tunnel is used. For more information about using tunnels, see IPsec Tunnel Settings.

    8. When all the settings are complete, click OK.

    Assigning a policy

    To assign a policy to this computer

    Right-click the policy, and then click Assign.

    Note

    Only one policy can be assigned to a computer at a time. Assigning another policy will automatically unassign the currently assigned policy. Group Policy on your domain might assign another policy to this computer and ignore the local policy.

    For a computer-to-computer IPsec policy to be successful, you must create a mirrored policy on the other computer and assign that policy to that computer.

    To assign this policy to many computers, use Group Policy.


    See Also

    Concepts

    IPsec Authentication

    IPsec Connection Type

    IPsec Tunnel Settings

    Filter Actions

    Filter Lists

    IPsec Rules

    2014 Microsoft. All rights reserved.
