Configuring IPsec settings
In contrast to firewall settings, which are configured for each
firewall profile separately, IPsec settings are systemwide settings
that define defaults for IPsec communications between the local
computer and other computers on the network. These systemwide IPsec
settings can be configured in three ways: using the Windows Firewall
with Advanced Security snap-in, using the Windows Firewall with
Advanced Security policy node under Computer Configuration\Policies\Windows
Settings\Security Settings in a GPO, or using Windows PowerShell (the
NetSecurity module cmdlets).
To configure IPsec settings using the Windows Firewall with
Advanced Security snap-in on the local computer, right-click on the
root node in the console tree, select Properties, and switch to the
IPsec Settings tab as shown in Figure 1. These are the
settings you can configure here:
-
IPsec Defaults Use this
option to configure the default IPsec settings that the local
computer will use when attempting to establish secure connections
with other IPsec-enabled computers. To configure these settings,
click the Customize button to open the Customize IPsec Defaults
dialog box shown in Figure 2 in the next
section.
-
IPsec Exemptions Use this
option to control whether Internet Control Message Protocol (ICMP)
traffic is exempt from IPsec. The default is No, meaning ICMP is
protected like any other traffic; selecting Yes from the list control
exempts it. Exempting ICMP keeps ping and path MTU discovery working
even when a peer cannot negotiate IPsec, which is useful while
troubleshooting, but it also means ICMP from any host is accepted
without authentication, so return the setting to No once the problem
is found.
-
IPsec Tunnel Authorization
Use this option to configure the users and computers that are
authorized to establish tunnel-mode IPsec connections with the local
computer. To configure these settings, select Advanced and click
the Customize button to open the Customize IPsec Tunnel
Authorizations dialog box shown in Figure 11-19 later in this
lesson.
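The same three systemwide settings can be read and changed from Windows PowerShell. The following is an added example, not code from the lesson; it uses the Get-NetFirewallSetting and Set-NetFirewallSetting cmdlets of the NetSecurity module, must run in an elevated session, and the domain group name CONTOSO\IPsecTunnelEndpoints is an assumed placeholder you would replace with your own.

```powershell
# Added example (not from the original lesson): inspect and change the
# systemwide IPsec settings with the NetSecurity module cmdlets.
# Requires an elevated PowerShell session on Windows 8 / Windows Server 2012 or later.

# 1. Show the current systemwide IPsec settings as they are actually in effect.
Get-NetFirewallSetting -PolicyStore ActiveStore |
    Select-Object Exemptions,
                  RemoteMachineTunnelAuthorizationList,
                  RemoteUserTunnelAuthorizationList,
                  CertValidationLevel

# 2. IPsec Exemptions: exempt ICMP from IPsec (the same as choosing Yes on the
#    IPsec Settings tab). Use -Exemptions None to restore the default.
Set-NetFirewallSetting -Exemptions Icmp

# 3. IPsec Tunnel Authorization: restrict which computers may establish
#    tunnel-mode connections with this computer. The list is an SDDL string
#    that names the authorized SIDs; the group below is an assumed placeholder
#    and is resolved to its SID with the .NET NTAccount class.
$group = New-Object System.Security.Principal.NTAccount('CONTOSO\IPsecTunnelEndpoints')
$sid   = $group.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl  = "D:(A;;CC;;;$sid)"   # CC is the access right IPsec checks for authorization
Set-NetFirewallSetting -RemoteMachineTunnelAuthorizationList $sddl

# 4. Verify that the active store now reflects both changes.
$active = Get-NetFirewallSetting -PolicyStore ActiveStore
$active.Exemptions
$active.RemoteMachineTunnelAuthorizationList
```

Set-NetFirewallSetting writes to the persistent (local) store; when the same setting is also delivered by a GPO, the GPO value wins, which is why the verification step reads the ActiveStore rather than the local store.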
Customizing IPsec defaults
As described in the previous section, the Customize IPsec
Defaults dialog box shown in Figure 2 is used to
configure the default IPsec settings that the local computer will
use when attempting to establish secure connections with other
IPsec-enabled computers. The types of default settings you can
configure include settings for
Figure 3
shows the default IPsec settings for key exchange. The process for
applying them is as follows:
-
Start by attempting to use the Diffie-Hellman Group 2
key-exchange algorithm to negotiate using SHA-1 for data
integrity and AES-CBC 128 for data encryption.
-
If that fails, attempt to use DH Group 2 to negotiate
using SHA-1 for data integrity and 3DES for data
encryption.
You can add other security methods to the list of methods the
computer should attempt to use, and the order matters: the first
method in the list that both peers support is the one used. DH Group
2 (a 1024-bit MODP group), SHA-1 and 3DES are legacy choices kept for
interoperability, so on a modern network add DH Group 14 or an
elliptic-curve group with SHA-256 and AES and place them above the
defaults. You can also configure key lifetimes and other key-exchange
options using this dialog box.
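In PowerShell the key-exchange defaults are the proposals of the default main mode cryptographic set. The following added example (not code from the lesson) lists the proposals currently in effect, then creates a new default set that offers DH Group 14 with SHA-256 and AES-256 first and keeps the two defaults described above as fallbacks. It requires an elevated session; the DisplayName and the 240-minute lifetime are assumptions chosen for illustration.

```powershell
# Added example (not from the original lesson): harden the main mode
# (key exchange) defaults while keeping the lesson's two proposals as fallbacks.
# Requires an elevated PowerShell session.

# Show what the computer proposes today, in negotiation order.
(Get-NetIPsecMainModeCryptoSet -PolicyStore ActiveStore).Proposal |
    Format-Table KeyExchange, Hash, Encryption -AutoSize

# Preferred proposal: DH Group 14 (2048-bit MODP), SHA-256 integrity, AES-256 encryption.
$strong = New-NetIPsecMainModeCryptoProposal -KeyExchange DH14 -Hash SHA256 -Encryption AES256

# The two defaults from the lesson, placed last so only legacy peers fall back to them.
$legacyAes  = New-NetIPsecMainModeCryptoProposal -KeyExchange DH2 -Hash SHA1 -Encryption AES128
$legacy3des = New-NetIPsecMainModeCryptoProposal -KeyExchange DH2 -Hash SHA1 -Encryption DES3

# Create the set and make it the default. MaxMinutes is the main mode key
# lifetime (the built-in default is 480); MaxSessions 0 means no per-key
# session limit, matching the built-in default.
New-NetIPsecMainModeCryptoSet -DisplayName 'Hardened Main Mode (added example)' `
    -Proposal $strong, $legacyAes, $legacy3des `
    -MaxMinutes 240 -MaxSessions 0 -Default

# Verify the active proposal order after the change.
(Get-NetIPsecMainModeCryptoSet -PolicyStore ActiveStore).Proposal |
    Format-Table KeyExchange, Hash, Encryption -AutoSize
```

Once every peer has been confirmed to negotiate the DH14/SHA-256/AES-256 proposal (the main mode security association is visible with Get-NetIPsecMainModeSA), the two legacy proposals can be removed from the set.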
Figure 4
shows the default IPsec settings for data protection. The process
for applying them is as follows:
-
If only data integrity but not data encryption is
required, then do the following:
-
Start by attempting to use ESP to negotiate using
SHA-1 for data integrity.
-
If that fails, attempt to use AH to negotiate using
SHA-1 for data integrity.
-
If both data integrity and encryption are required, then
do the following:
-
Start by attempting to use ESP to negotiate using
SHA-1 for data integrity and AES-CBC 128 for data
encryption.
-
If that fails, attempt to use ESP to negotiate using
SHA-1 for data integrity and 3DES for data
encryption. (AH cannot appear in this list: AH provides
integrity only and has no encryption.)
You can use this dialog box to add other data-integrity and
encryption algorithms to the list of algorithms the computer should
attempt to use. You can also use it to require encryption for all
connection security rules that use these settings, which removes the
integrity-only methods from negotiation. Note that AH authenticates
the IP header as well as the payload, so AH-protected traffic fails
through a NAT device; prefer ESP where NAT is possible.
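The data-protection defaults correspond to the default quick mode cryptographic set. The following added example (not code from the lesson) first rebuilds the four default proposals described above so the mapping between the dialog box and the cmdlet parameters is explicit, then creates and makes default a set in which every proposal encrypts, which is the PowerShell way to achieve the "require encryption" behaviour. It requires an elevated session; the DisplayName values are assumptions.

```powershell
# Added example (not from the original lesson): the lesson's default quick mode
# (data protection) proposals expressed in PowerShell, and a hardened replacement.
# Requires an elevated PowerShell session.

# Current quick mode proposals, in negotiation order.
(Get-NetIPsecQuickModeCryptoSet -PolicyStore ActiveStore).Proposal |
    Format-Table Encapsulation, AHHash, ESPHash, Encryption -AutoSize

# --- The defaults exactly as the dialog box lists them ---
# Integrity only: ESP with SHA-1 and no encryption, then AH with SHA-1.
$intEsp  = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption None
$intAh   = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH  -AHHash  SHA1
# Integrity and encryption: ESP with SHA-1 and AES-CBC 128, then ESP with SHA-1 and 3DES.
$encAes  = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption AES128
$enc3des = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3
# Saved as a named (non-default) set that a connection security rule can reference.
New-NetIPsecQuickModeCryptoSet -DisplayName 'Lesson defaults (added example)' `
    -Proposal $intEsp, $intAh, $encAes, $enc3des

# --- Hardened set: every proposal encrypts, so integrity-only is never negotiated ---
# AES-GCM is an AEAD mode and must be paired with the matching GMAC integrity value.
$gcm256 = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash AESGMAC256 -Encryption AESGCM256
$aes256 = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256     -Encryption AES256
$aes128 = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1       -Encryption AES128

# PerfectForwardSecrecyGroup forces a fresh DH exchange for each quick mode key.
New-NetIPsecQuickModeCryptoSet -DisplayName 'Encrypt-only Quick Mode (added example)' `
    -Proposal $gcm256, $aes256, $aes128 `
    -PerfectForwardSecrecyGroup DH14 -Default

# Verify: no proposal in the active default set should show Encryption = None.
(Get-NetIPsecQuickModeCryptoSet -PolicyStore ActiveStore).Proposal |
    Format-Table Encapsulation, ESPHash, Encryption -AutoSize
```

Because the hardened set contains only ESP proposals, it also sidesteps the AH-through-NAT problem noted above.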
As Figure 5
shows, the default authentication methods that IPsec uses for first
and second authentication are as follows:
-
For first authentication, the only authentication method
attempted is Computer (Kerberos V5). If desired, you can add
other authentication methods and prioritize how they are
used.
-
For second authentication, no authentication is attempted.
If desired, you can add authentication methods and prioritize
how they are used.
You can also use this dialog box to specify whether first or
second authentication should be considered optional.
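The first and second authentication defaults are the default phase 1 and phase 2 authentication sets. The following added example (not code from the lesson) shows the current proposals, then creates a phase 1 set that keeps Computer (Kerberos V5) first and adds a computer certificate as a fallback, and a phase 2 set that adds User (Kerberos V5) so both the computer and the user are authenticated. It requires an elevated session on a domain-joined computer; the DisplayName values and the issuing CA name are assumptions.

```powershell
# Added example (not from the original lesson): configure first (phase 1) and
# second (phase 2) authentication defaults from PowerShell.
# Requires an elevated PowerShell session on a domain-joined computer.

# What the computer currently offers for first and second authentication.
(Get-NetIPsecPhase1AuthSet -PolicyStore ActiveStore).Proposal | Format-Table -AutoSize
(Get-NetIPsecPhase2AuthSet -PolicyStore ActiveStore).Proposal | Format-Table -AutoSize

# First authentication: Computer (Kerberos V5) stays first, matching the default.
$kerbMachine = New-NetIPsecAuthProposal -Machine -Kerberos

# Fallback for peers that cannot reach a KDC: a computer certificate chained to an
# assumed internal root CA (replace the subject with your own CA's distinguished name).
$certMachine = New-NetIPsecAuthProposal -Machine -Cert `
    -Authority 'CN=Contoso Root CA, DC=contoso, DC=com' -AuthorityType Root

New-NetIPsecPhase1AuthSet -DisplayName 'Computer authentication (added example)' `
    -Proposal $kerbMachine, $certMachine -Default

# Second authentication: the default attempts nothing; add User (Kerberos V5) so
# the identity of the logged-on user is also proven during negotiation.
$kerbUser = New-NetIPsecAuthProposal -User -Kerberos
New-NetIPsecPhase2AuthSet -DisplayName 'User authentication (added example)' `
    -Proposal $kerbUser -Default

# Verify the active defaults.
(Get-NetIPsecPhase1AuthSet -PolicyStore ActiveStore).Proposal | Format-Table -AutoSize
(Get-NetIPsecPhase2AuthSet -PolicyStore ActiveStore).Proposal | Format-Table -AutoSize
```

Adding a second authentication that is not optional means peers without a Kerberos user identity (a service running as a local account, for instance) can no longer establish IPsec with this computer, so test such peers before rolling the change out through a GPO.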