Windows Server 2012 : Configuring IPsec (part 3) - Configuring IPsec settings - Customizing IPsec tunnel authorizations, Configuring IPsec settings using Windows PowerShell

10/20/2014 9:20:53 PM

Customizing IPsec tunnel authorizations

If IPsec tunnel connections will be allowed with the computer, you can use the Customize IPsec Tunnel Authorizations dialog box shown in Figure 6 to configure this. Using this dialog box, you can specify

Which computers are authorized to establish tunnel connections with the local computer.
Which users are authorized to establish tunnel connections with the local computer.

You can also specify exceptions for each of the preceding settings.

Figure 6. Configuring IPsec tunnel authorizations.

Configuring IPsec settings using Windows PowerShell

You can also use Windows PowerShell to configure IPsec settings either in the policy store on the local computer, a remote computer, or a GPO. You can do this using the cmdlets from the NetSecurity module of Windows PowerShell.

For example, you can use the Get-NetIPsecMainModeCryptoSet cmdlet to display the main-mode cryptographic sets on a computer:

PS C:\> Get-NetIPsecMainModeCryptoSet -PolicyStore ActiveStore

Name                  : {E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE1}
DisplayName           : Service Hardcoded Default Phase1 CryptoSet
Description           : Service Hardcoded Default Phase1 CryptoSet
DisplayGroup          :
Group                 :
Proposal              : {
                        0 : Encryption: AES128
                          : Hash: SHA1
                          : KeyExchange: DH2
                        1 : Encryption: DES3
                          : Hash: SHA1
                          : KeyExchange: DH2
                        }
MaxMinutes            : 480
MaxSessions           : 0
ForceDiffieHellman    : False
PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     :
PolicyStoreSource     : No Policy Store (Hardcoded)
PolicyStoreSourceType : Hardcoded

Compare the preceding command output to Figure 1 earlier in this lesson. To configure the main mode cryptographic sets on the computer, you can use the Set-NetIPsecMainModeCryptoSet cmdlet.

As a second example, you can use the Get-NetIPsecPhase1AuthSet cmdlet to display how first authentication is configured on the computer:

PS C:\> Get-NetIPsecPhase1AuthSet -PolicyStore ActiveStore

Name                  : {E5A5D32A-4BCE-4e4d-B07F-4AB1BA7E5FE3}
DisplayName           : Service Hardcoded Default Phase1 AuthSet
Description           : Service Hardcoded Default Phase1 AuthSet
DisplayGroup          :
Group                 :
Proposal              : {
                        0 : MachineKerb
                        }

PrimaryStatus         : OK
Status                : The rule was parsed successfully from the store. (65536)
EnforcementStatus     :
PolicyStoreSource     : No Policy Store (Hardcoded)
PolicyStoreSourceType : Hardcoded

Compare the preceding command output to Figure 3 earlier in this lesson. To configure first authentication on the computer, you can use the Set-NetIPsecPhase1AuthSet cmdlet.

Quick check

A local computer running Windows Server 2012 is using the 3DES algorithm for data encryption when using IPsec to communicate with a remote computer running an unknown operating system. Why is the local computer not using the more secure AES-CBC 128 algorithm instead?

Quick check answer

This is probably because the operating system on the remote computer does not support data encryption using the AES-CBC 128 algorithm. By default, Windows Server 2012 starts by attempting to use the Diffie-Hellman Group 2 key-exchange algorithm to negotiate using SHA-1 for data integrity and AES-CBC 128 for data encryption. If that fails, attempt to use DH Group 2 to negotiate using SHA-1 for data integrity and 3DES for data encryption.

Related -----------------

- Windows Server 2012 : Configuring IPsec (part 7) - Configuring connection security rules - Monitoring IPsec

- Windows Server 2012 : Configuring IPsec (part 6) - Configuring connection security rules - Creating a custom rule, Configuring authenticated bypass

- Windows Server 2012 : Configuring IPsec (part 5) - Configuring connection security rules - Creating an authentication exemption rule, Creating a server-to-server rule, Creating a tunnel rule

- Windows Server 2012 : Configuring IPsec (part 4) - Configuring connection security rules - Types of connection security rules, Creating an isolation rule

- Windows Server 2012 : Configuring IPsec (part 2) - Configuring IPsec settings - Customizing IPsec defaults

- Windows Server 2012 : Configuring IPsec (part 1) - Understanding connection security

Other -----------------

- Microsoft Lync Server 2013 : Director Troubleshooting (part 3) - Synthetic Transactions,Telnet

- Microsoft Lync Server 2013 : Director Troubleshooting (part 2) - DNS Records, Logs

- Microsoft Lync Server 2013 : Director Troubleshooting (part 1) - Redirects, Certificates

- Microsoft Lync Server 2013 : Administration of the Director Role (part 4) - Services Management, Client Version Filter

- Microsoft Lync Server 2013 : Administration of the Director Role (part 3) - Topology Status

- Microsoft Lync Server 2013 : Administration of the Director Role (part 2) - Ports,Firewall Rules

- Microsoft Lync Server 2013 : Administration of the Director Role (part 1) - Services

- Microsoft Lync Server 2013 : Configuring the Director (part 2) - Web Services Ports,Reverse Proxy

- Microsoft Lync Server 2013 : Configuring the Director (part 1) - SRV Records, Web Services FQDN Overrides

- Sharepoint 2013 : SharePoint Designer 2013 (part 2) - Locking Down SharePoint Designer