Note
This documentation is intended to provide enough information to understand and use the IP Security
Policy snap-in. Information about designing and deploying policies is beyond the scope of this
documentation.
Important
The IP Security Policy snap-in can be used to create IPsec policies that can be applied to computers
running Windows Vista and later versions of Windows, but this snap-in does not use new security
algorithms and other new features available in Windows Vista and later versions of Windows. To create
IPsec policies for these computers, use the Windows Firewall with Advanced Security snap-in. The
Windows Firewall with Advanced Security snap-in does not create policies that can be applied to earlier
versions of Windows.
An IPsec policy consists of general IPsec policy settings and rules. General IPsec policy settings apply,
regardless of which rules are configured. These settings determine the name of the policy, its description
for administrative purposes, key exchange settings, and key exchange methods. One or more IPsec rules
determine the types of traffic IPsec must examine, how traffic is treated, how to authenticate an IPsec peer,
and other settings.
After the policies are created, they can be applied at the domain, site, OU, and local level. Only one policy
can be active on a computer at one time. Policies distributed and applied using Group Policy objects
override local policies.
http://technet.microsoft.com/en-us/library/cc730656(d=printer).aspx
1/5
3/15/2014
Creating a policy
Unless you are creating policies on only one computer and its IPsec peer, you will probably have to create
a set of IPsec policies to fit your IT environment. The process of designing, creating, and deploying policies
can be complex, depending on the size of your domain, the homogeneity of the computers in the domain,
and other factors.
Typically, the process is as follows:
1. Create IP filter lists that match the computers, subnets, and conditions in your environment.
2. Create filter actions that correspond to how you want connections to be authenticated, data integrity
to be applied, and data to be encrypted. The filter action can also be either Block or Permit,
regardless of other criteria. The Block action takes priority over other actions.
3. Create a set of policies that match the filtering and filter action (security) requirements you need.
4. First, deploy policies that use Permit and Block filter actions and then monitor your IPsec
environment for issues that might require the adjustment of these policies.
5. Deploy the policies using the Negotiate Security filter action with the option to fall back to clear text
communications. This allows you to test the operation of IPsec in your environment without
disrupting communications.
6. As soon as you have made any required refinements to the policies, remove the fall back to clear
text communications action, where appropriate. This will cause the policies to require authentication
and security before a connection can be created.
7. Monitor the environment for communications that are not taking place, which might be indicated by
a sudden increase in the Main Mode Negotiation Failures statistic.
To create a new IPsec policy
1. Right-click the IP Security Policies node, and then click Create IP Security Policy.
2. In the IP Security Policy Wizard, click Next.
3. Type a name and a description (optional) of the policy, and then click Next.
4. Either select the Activate the default response rule check box or leave it unselected, and then click
Next.
Note
The default response rule can be used only for policies that are applied to Windows XP and
Windows Server 2003 and earlier. Later versions of Windows cannot use the default response
rule.
5. If you are using the default response rule, select an authentication method, and then click Next.
For more information about the default response rule, see IPsec Rules.
6. Leave the Edit properties check box selected, and then click Next. You can add rules to the policy as
needed.
Note
Only one filter list can be used per rule.
4. On the Filter Action tab, select the appropriate filter action, or click Add to add a new filter action.
For more information about creating and using filter actions, see Filter Actions.
Note
Only one filter action can be used per rule.
5. On the Authentication Methods tab, select the appropriate method, or click Add to add a new
method. For more information about creating and using authentication methods, see IPsec
Authentication.
Note
You can use several methods per rule. The methods are attempted in the order in which they
appear in the list. If you specify that certificates are used, put them together in the list in the order
you want them to be used.
6. On the Connection Type tab, select the connection type to which the rule applies. For more
information about connection types, see IPsec Connection Type.
7. If you are using a tunnel, specify the endpoints on the Tunnel Settings tab. By default, no tunnel is
used. For more information about using tunnels, see IPsec Tunnel Settings. Tunnel rules cannot be
mirrored.
8. When all the settings are complete, click OK.
To change a policy rule
Note
Only one filter list can be used per rule.
4. On the Filter Action tab, select the appropriate filter action, or click Add to add a new filter action.
For more information about creating and using filter actions, see Filter Actions.
Note
Only one filter action can be used per rule.
5. On the Authentication Methods tab, select the appropriate method or click Add to add a new
method. For more information about creating and using authentication methods, see IPsec
Authentication.
Note
You can use several methods per rule. The methods are attempted in the order in which they
appear in the list.
6. On the Connection Type tab, select the connection type to which the rule applies. For more
information about connection types, see IPsec Connection Type.
7. If you are using a tunnel, specify the endpoints on the Tunnel Settings tab. By default, no tunnel is
used. For more information about using tunnels, see IPsec Tunnel Settings.
8. When all the settings are complete, click OK.
Assigning a policy
To assign a policy to this computer
Right-click the policy, and then click Assign.
Note
Only one policy can be assigned to a computer at a time. Assigning another policy will
automatically unassign the currently assigned policy. Group Policy on your domain might assign
another policy to this computer and ignore the local policy.
For a computer-to-computer IPsec policy to be successful, you must create a mirrored policy on
the other computer and assign that policy to that computer.
To assign this policy to many computers, use Group Policy.
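As an added example that is not part of this TechNet page, the staged rollout described under Creating a policy, the rule tabs of the wizard, and the local assignment above, expressed against the legacy netsh ipsec static policy store that this snap-in manages. The subnet, the policy, filter list, filter action and rule names, and Kerberos as the authentication method are assumed placeholders; run it in an elevated PowerShell session on the computer being configured.

```powershell
# Added example (not Microsoft's code): the snap-in procedure as netsh ipsec static commands.
# Placeholders below are assumptions; adjust them to your environment.
$Subnet = '10.0.1.0'          # assumed protected subnet
$Mask   = '255.255.255.0'
$Policy = 'CorpSubnetIPsec'   # assumed policy name
$List   = 'CorpSubnetHosts'   # assumed filter list name
$Action = 'RequestSecurity'   # assumed filter action name
$Rule   = 'CorpSubnetRule'    # assumed rule name

# Step 1: one filter list matching traffic between this computer and the subnet.
# mirrored=yes covers both directions (tunnel rules cannot be mirrored, see Tunnel Settings).
netsh ipsec static add filterlist name=$List
netsh ipsec static add filter filterlist=$List srcaddr=me dstaddr=$Subnet dstmask=$Mask protocol=any mirrored=yes

# Step 2: a Negotiate Security filter action. soft=yes is the "fall back to clear text" option
# from step 5 of the rollout, so peers without IPsec keep talking during the test phase.
# inpass=no refuses unsecured inbound traffic instead of answering it in the clear.
netsh ipsec static add filteraction name=$Action action=negotiate inpass=no soft=yes

# Step 3: the policy and one rule binding filter list, filter action, authentication method
# (Kerberos, i.e. domain membership) and connection type, as on the rule tabs.
# activatedefaultrule=no: the default response rule only applies to XP / Server 2003 and earlier.
netsh ipsec static add policy name=$Policy activatedefaultrule=no
netsh ipsec static add rule name=$Rule policy=$Policy filterlist=$List filteraction=$Action kerberos=yes conntype=all

# Steps 4/5: assign the policy locally. Only one policy is active at a time, and a policy
# delivered by Group Policy overrides this local assignment.
netsh ipsec static set policy name=$Policy assign=yes

# Step 7: watch the IKE main mode statistics while peers start negotiating; the counter
# names differ from the IP Security Monitor's "Main Mode Negotiation Failures" label.
netsh ipsec dynamic show stats type=ike

# Step 6, after the refinements: remove the fall back so the rule requires IPsec.
# netsh ipsec static set filteraction name=$Action soft=no
```

The peer computer needs the mirrored counterpart of this policy assigned before the last step, or its traffic is dropped once soft=no is set.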
See Also
Concepts
IPsec Authentication
IPsec Connection Type
IPsec Tunnel Settings
Filter Actions
Filter Lists
IPsec Rules
2014 Microsoft. All rights reserved.