IPSec Security Policies

An IPSec security policy is a set of rules, each pairing an IP filter (which traffic) with a filter action (what to do with it), that together provide a specified level of security. You can create your own policies, but Windows provides three built-in ones:

Client (Respond Only). The computer will use IPSec if the other side requests it but will never initiate an IPSec negotiation itself. In other words it only uses IPSec when asked to by the other machine (typically a server).

Server (Request Security). The computer requests IPSec for its traffic and uses it if the peer supports it. If the peer does not support IPSec, communication still takes place unsecured, so this policy protects only against passive eavesdroppers on IPSec-capable links, not against a peer that simply refuses to negotiate.

Secure Server (Require Security). IPSec is mandatory. A peer that does not negotiate IPSec cannot communicate with this machine at all, with the one exception that the built-in policy permits ICMP unsecured so that basic troubleshooting (ping, tracert) keeps working.



To create a new IPSec policy the Local Security Policy console is used. Click on
Start>Administrative Tools>Local Security Policy.

Right-click IP Security Policies on Local Computer and select Create IP Security Policy. Click Next. Type a name and description for the new policy into the relevant boxes, then click Next to continue.

Requests for Secure Communication. The Activate the default response rule checkbox applies only to earlier versions of Windows; activate it if those versions need to be supported, then click Next. Leave Edit properties checked and click Finish. The policy has been created; in its Properties dialog click Add to create an IP Security rule for this policy, then click Next to continue.

The Tunnel Endpoint page is used to configure IPSec tunnel mode for the rule. In tunnel mode the whole original IP packet is wrapped inside a new IPSec packet addressed to the far end of the tunnel, so protected traffic can cross intermediate, untrusted networks. It is normally used between two gateways, for example to link two sites across the Internet; end-to-end protection between two hosts, as in this lesson, uses transport mode instead. The tunnel endpoint is the IP address of the computer at the far end of the tunnel. This rule does not use a tunnel, so leave the default (no tunnel) selected and click Next.

The Network Type page selects which types of network connection this rule applies to, e.g. all connections, the LAN only, or remote access only. Click Next to continue. On the IP Filter List page click Add to create a new filter list, fill in a name for it, then click Add to add a filter to the list. Click Next.

Fill in a description and ensure Mirrored is checked; a mirrored filter also matches packets travelling in the opposite direction (destination back to source), which is needed so the replies are protected as well as the requests. Click Next. Specify the source address of the traffic: from the drop-down list select My IP Address. Click Next. From the destination address drop-down list select A specific IP Address or Subnet and fill in the IP address of the destination machine. Click Next. For IP Protocol Type select ICMP, then Next to continue. Click Finish. The filter has been added. Click OK.

Select the new IP filter list and click Next. Click Add to create a filter action, then Next. Fill in a name and, optionally, a description, then click Next to continue. For the filter action options select Negotiate security, then Next.

Communication with computers that do not support IPSec: select Do not allow unsecured communication so that all matching traffic must be secured or is dropped. Click Next. For IP Traffic Security select Integrity and encryption. Click Next. Click Finish to close the wizard. Select the new filter action and click Next. For Authentication Method select Active Directory default (Kerberos V5 protocol). Kerberos only works when both computers are members of the same domain or of trusting domains; for standalone machines use a certificate instead. A preshared key is also offered but should be reserved for testing, because it is stored in clear text in the policy. The authentication method can be changed later. Click Next. Click Finish.

The IP Filter List tab shows which filter list this rule uses. Filter lists can be added here with Add and modified with Edit. The Filter Action tab specifies what action to take on traffic matching the filter; in this example Require Security is selected. Additional rules can be created or edited from the policy's Rules tab. The Connection Type tab specifies which types of network connection this rule applies to, e.g. a LAN or a remote access connection. The Tunnel Setting tab configures IPSec tunnel mode for the rule; tunnel mode wraps the whole original packet inside a new IPSec packet and is normally used between gateways linking two networks across an untrusted one, and the tunnel endpoint is the IP address of the peer at the far end of the tunnel. The Authentication Methods tab specifies how the two computers authenticate each other. Additional methods can be added with the Add button; they are tried in the order listed, from the top down. Click OK to close the properties box.

An IPSec policy contains one or more rules, and each rule pairs an IP filter list with a filter action. A filter list states which traffic IPSec applies to, e.g. ICMP from 10.1.0.1 to 10.1.0.2. The filter action says what to do with traffic matching the filter, e.g. Require Security. The Default Response rule, when active, makes the computer negotiate IPSec only when the other computer requests it; it never initiates protection itself.

The General tab displays the name and description of the policy. The Check for policy changes box specifies how often Active Directory is checked for changes to this policy; it only applies when the policy is delivered to a domain computer through Group Policy. Click Settings to view the Key Exchange settings, which govern the main mode (IKE phase 1) keys. If Master key perfect forward secrecy is selected, no previously used keying material or keys are reused to generate additional keys, so the compromise of one master key does not expose the session keys derived from earlier or later ones. The minutes and sessions boxes control how often the policy requires a new master key, either after a certain amount of time (480 minutes by default) or after a certain number of sessions. Click Methods to view the list of security methods used to protect the key exchange itself, i.e. the algorithms that protect identities during authentication and key exchange. The list is in order of preference and is tried from the top down. These settings can normally be left at their defaults. Click OK to close the dialogue box.

The new policy has been created but must be assigned before it takes effect. Right-click the policy and select Assign. The policy is now assigned and active. Only one policy can be assigned on a computer at a time, and a policy assigned through a domain Group Policy Object overrides one assigned locally. Right-click IP Security Policies and select All Tasks. Here you can create and manage policies, and import or export policies for use with Group Policy.
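The wizard steps above can be reproduced from the command line with the legacy netsh ipsec static store, which writes to the same IP Security Policies list the console shows. The following is an added example, not part of the lesson; the policy, filter list, filter action and rule names, the peer address 10.1.0.2 and the export path are assumptions made for illustration. Names deliberately contain no spaces, because PowerShell re-quotes arguments that contain spaces in a way netsh does not parse reliably.

```powershell
# Added example: the lesson's ICMP-to-peer policy built with netsh ipsec static.
# Run in an elevated PowerShell prompt. Names and the peer address are assumed.
$peer = "10.1.0.2"

# Policy: master-key PFS on, new master key every 480 minutes, default response
# rule off (the "Requests for Secure Communication" page), not assigned yet.
netsh ipsec static add policy name=LessonPolicy mmpfs=yes mmlifetime=480 activatedefaultrule=no assign=no

# Filter list and filter: my address to the peer, ICMP only, mirrored so the
# reply direction is matched too.
netsh ipsec static add filterlist name=ICMP-to-peer
netsh ipsec static add filter filterlist=ICMP-to-peer srcaddr=me dstaddr=$peer protocol=ICMP mirrored=yes

# Filter action: negotiate security, never fall back to clear (soft=no), do not
# accept unsecured inbound traffic (inpass=no), ESP with encryption and integrity.
# 3DES/SHA1 is the strongest this legacy store offers and is what the wizard's
# "Integrity and encryption" choice means; prefer connection security rules
# (AES/SHA-256) on current Windows.
netsh ipsec static add filteraction name=RequireSecurity action=negotiate soft=no inpass=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

# Rule tying list and action together; kerberos=yes is the
# "Active Directory default (Kerberos V5)" authentication method.
netsh ipsec static add rule name=SecureICMP policy=LessonPolicy filterlist=ICMP-to-peer filteraction=RequireSecurity kerberos=yes conntype=all

# Nothing happens until the policy is assigned; only one policy is assigned at a time.
netsh ipsec static set policy name=LessonPolicy assign=yes

# Checks: show the assigned policy, trigger a negotiation, list the resulting SAs.
netsh ipsec static show policy name=LessonPolicy level=verbose
ping $peer
netsh ipsec dynamic show mmsas all
netsh ipsec dynamic show qmsas all

# Export the store to an .ipsec file for import on another machine or into a GPO.
netsh ipsec static exportpolicy file=C:\Windows\Temp\lesson.ipsec
```

If the ping fails and no main mode SA appears, the usual causes are that the peer has no matching policy assigned or that Kerberos authentication is impossible because one side is not a domain member; the IPSec Monitor snap-in or the Security event log on either side shows which.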

Configuring IPSec Settings for Connection Security Rules

You can define IPSec settings in the Windows Firewall with Advanced Security (WFAS) node of a GPO or in the local WFAS console. Right-click Windows Firewall with Advanced Security and select Properties. On the IPSec Settings tab click Customize. Under Data protection select Advanced and click Customize. Select Require encryption for all connection security rules that use these settings. Traffic covered by those rules is now encrypted as well as integrity-protected, so it can be neither read nor modified on the network (integrity-only proposals, which leave data readable, are no longer offered). Click OK to continue. Under IPSec exemptions, change Exempt ICMP from IPSec to Yes. This setting prevents ICMP messages (Ping and Tracert) from being authenticated, encrypted, or both. Keeping ICMP unprotected allows you to perform basic network troubleshooting when IPSec cannot be successfully negotiated; the flip side is that a successful ping no longer proves the connection security rules are working, so verify protection with non-ICMP traffic and by checking the security associations under the Monitoring node.
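The same settings can be applied with the NetSecurity PowerShell module (Windows 8 / Server 2012 and later), which is the scriptable form of the WFAS console. This is an added example, not part of the lesson: the rule and crypto set names and the peer address 10.1.0.2 are assumptions, and the rule relies on the default computer Kerberos authentication set because no Phase1AuthSet is specified.

```powershell
# Added example: WFAS connection security rule requiring encryption, plus the
# ICMP exemption, from PowerShell. Run elevated. Names and peer are assumed.
$peer = "10.1.0.2"

# Quick mode (data protection) proposal that only offers ESP with encryption and
# integrity. Marking the set as Default is the cmdlet equivalent of
# "Require encryption for all connection security rules that use these settings".
$proposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256 -MaxMinutes 60 -MaxKilobytes 100000
New-NetIPsecQuickModeCryptoSet -Name QM-AES256-SHA256 -DisplayName "Require ESP AES-256/SHA-256" -Proposal $proposal -Default

# Connection security rule: both directions must be protected, so a peer that
# cannot negotiate IPsec is refused (the "Do not allow unsecured communication"
# behaviour). No -Phase1AuthSet means the default computer Kerberos set applies.
New-NetIPsecRule -DisplayName "Require IPsec to $peer" -RemoteAddress $peer -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet QM-AES256-SHA256

# Exempt ICMP so ping and tracert keep working even when negotiation fails.
Set-NetFirewallSetting -Exemptions Icmp

# Checks. Because ICMP is exempt, a ping will NOT create a security association
# and proves nothing about the rule; send TCP traffic (SMB here) instead, then
# list the negotiated main mode and quick mode SAs.
Get-NetFirewallSetting | Select-Object Exemptions
Get-NetIPsecRule -DisplayName "Require IPsec to $peer" | Get-NetIPsecQuickModeCryptoSet
Test-NetConnection -ComputerName $peer -Port 445 | Out-Null
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

An empty SA list after the TCP probe means negotiation failed; with Require in both directions the probe itself will also fail, which is the intended behaviour. Relax the rule to -OutboundSecurity Request only while diagnosing, never in the final policy.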