Customizing IPsec tunnel authorizations
If IPsec tunnel connections to the computer will be allowed,
you can use the Customize IPsec Tunnel Authorizations dialog box
shown in Figure 6
to configure which computers and users are authorized to establish them. Using this dialog box, you can specify
You can also specify exceptions for each of the preceding
settings.
Configuring IPsec settings using Windows PowerShell
You can also use Windows PowerShell to configure IPsec
settings, either in the policy store on the local computer, on a remote
computer, or in a GPO. You can do this using the cmdlets from the
NetSecurity module of Windows PowerShell.
For example, you can use the Get-NetIPsecMainModeCryptoSet
cmdlet to display the main-mode cryptographic sets on a
computer:
PS C:\> Get-NetIPsecMainModeCryptoSet -PolicyStore ActiveStore
Name : {E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}
DisplayName : Service Hardcoded Default Phase1 CryptoSet
Description : Service Hardcoded Default Phase1 CryptoSet
DisplayGroup :
Group :
Proposal : {
0 : Encryption: AES128
: Hash: SHA1
: KeyExchange: DH2
1 : Encryption: DES3
: Hash: SHA1
: KeyExchange: DH2
}
MaxMinutes : 480
MaxSessions : 0
ForceDiffieHellman : False
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus :
PolicyStoreSource : No Policy Store (Hardcoded)
PolicyStoreSourceType : Hardcoded
Compare the preceding command output to Figure 1 earlier in
this lesson. Note that the proposals are tried in the order listed, so the
first proposal (AES128, SHA1, DH2) is offered before the weaker 3DES fallback. To configure the main mode cryptographic sets on the
computer, you can use the Set-NetIPsecMainModeCryptoSet
cmdlet.
As a second example, you can use the Get-NetIPsecPhase1AuthSet
cmdlet to display how first authentication is configured on the
computer:
PS C:\> Get-NetIPsecPhase1AuthSet -PolicyStore ActiveStore
Name : {E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}
DisplayName : Service Hardcoded Default Phase1 AuthSet
Description : Service Hardcoded Default Phase1 AuthSet
DisplayGroup :
Group :
Proposal : {
0 : MachineKerb
}
PrimaryStatus : OK
Status : The rule was parsed successfully from the store. (65536)
EnforcementStatus :
PolicyStoreSource : No Policy Store (Hardcoded)
PolicyStoreSourceType : Hardcoded
Compare the preceding command output to Figure 3 earlier in this
lesson. To configure first authentication on the computer, you can
use the Set-NetIPsecPhase1AuthSet cmdlet.
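The following script is an added example, not code from the lesson, that ties the two preceding cmdlet pairs together: it replaces the hardcoded defaults shown above (AES128 or 3DES with SHA1 and DH2; MachineKerb only) with a stronger main mode cryptographic set and a first-authentication set that offers two methods, then binds both to a main mode rule so they actually take effect. The display names, the rule name, the policy store choice and the certificate authority distinguished name are placeholders assumed for illustration; substitute your own, or supply a GPO path such as "domain\GPO name" to -PolicyStore to deploy the settings through Group Policy.

```powershell
# Added example (not from the original lesson). Builds a hardened main mode
# crypto set and a two-method first-authentication set, binds them to a
# main mode rule, and reads the result back from the active policy store.
# Placeholder values (assumptions, not from the lesson): the display names,
# the rule name, and the CA distinguished name below.

# Write to the persistent store of this computer. To push the same settings
# domain-wide, use a GPO path instead, for example "contoso.com\IPsec Policy".
$store = "PersistentStore"

# --- Main mode (phase 1) cryptographic set ---
# Proposals are offered in array order. Offer AES256/SHA256/DH14 first and
# fall back to AES128/SHA256/DH14, so SHA1, 3DES and DH Group 2 are never
# negotiated. MaxMinutes/MaxSessions limit the lifetime of the main mode SA.
$cryptoProposals = @(
    (New-NetIPsecMainModeCryptoProposal -Encryption AES256 -Hash SHA256 -KeyExchange DH14),
    (New-NetIPsecMainModeCryptoProposal -Encryption AES128 -Hash SHA256 -KeyExchange DH14)
)
$cryptoSet = New-NetIPsecMainModeCryptoSet -Name "HardenedPhase1CryptoSet" `
    -DisplayName "Hardened Phase1 CryptoSet" `
    -Proposal $cryptoProposals -MaxMinutes 480 -MaxSessions 0 -PolicyStore $store

# --- First authentication (phase 1) set ---
# Try Kerberos computer authentication first (the hardcoded default), then
# fall back to a computer certificate chained to the named root CA so that
# machines that cannot reach a domain controller can still authenticate.
$authProposals = @(
    (New-NetIPsecAuthProposal -Machine -Kerberos),
    (New-NetIPsecAuthProposal -Machine -Cert -AuthorityType Root `
        -Authority "CN=Contoso Root CA, DC=contoso, DC=com")   # placeholder CA
)
$authSet = New-NetIPsecPhase1AuthSet -Name "HardenedPhase1AuthSet" `
    -DisplayName "Hardened Phase1 AuthSet" `
    -Proposal $authProposals -PolicyStore $store

# --- Bind both sets to a main mode rule ---
# A crypto or auth set that no rule references is never used in negotiation,
# so the rule is what makes the new settings effective.
New-NetIPsecMainModeRule -DisplayName "Hardened Main Mode Rule" `
    -MainModeCryptoSet $cryptoSet.Name -Phase1AuthSet $authSet.Name `
    -PolicyStore $store

# --- Verify from the active (merged) policy ---
# Confirms the new sets are present alongside, and preferred over, the
# hardcoded defaults shown earlier in the lesson.
Get-NetIPsecMainModeCryptoSet -PolicyStore ActiveStore |
    Select-Object DisplayName, PolicyStoreSourceType, Proposal
Get-NetIPsecPhase1AuthSet -PolicyStore ActiveStore |
    Select-Object DisplayName, PolicyStoreSourceType, Proposal
```

After a peer has connected, Get-NetIPsecMainModeSA shows the main mode security association that was actually negotiated, which is the quickest way to confirm that the stronger proposal, and not a fallback, is in use. Because both endpoints must share at least one proposal, roll a change like this out to both sides before removing the weaker fallback entirely.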
Quick check
Quick check answer
- This is probably because the operating system on the
remote computer does not support data encryption using the
AES-CBC 128 algorithm. By default, Windows Server 2012 starts
by attempting to use the Diffie-Hellman Group 2 key-exchange
algorithm to negotiate using SHA-1 for data integrity and
AES-CBC 128 for data encryption. If that fails, it attempts to use
DH Group 2 to negotiate using SHA-1 for data integrity and
3DES for data encryption.