IPsec Authentication

Applies To: Windows Server 2008

Each rule defines a list of authentication methods. Each authentication method defines the requirements for the way in which identities are verified in communications to which the associated rule applies. The methods are attempted by each peer in the order in which they are listed. The two peers must have at least one common authentication method or communication will fail. Creating multiple authentication methods increases the chance that a common method between two computers can be found.

Note

The order of these methods is also important because only the first common method is attempted; if it fails to authenticate, no other methods in the list will be attempted, even if these methods would have succeeded.

Authentication methods

Only one authentication method can be used between a pair of computers, regardless of how many are configured. If you have multiple rules that apply to the same pair of computers, you must configure the authentication methods list in those rules to enable the pair to use the same method. For example, if a rule between a pair of computers specifies only Kerberos for authentication and filters only TCP data and, in another rule, specifies only certificates for authentication and filters only UDP data, authentication will fail. Authentication methods are configured on the Authentication Methods tab of the Edit Rule Properties or Add Rule Properties property sheets.

  • The Kerberos version 5 authentication protocol is the default authentication technology. This method can be used for any computers running the Kerberos V5 authentication protocol that are members of the same or trusted domains. This method is useful for domain isolation using Internet Protocol security (IPsec).

  • A public key certificate should be used in situations that include Internet access, remote access to corporate resources, external business partner communications, or computers that do not run the Kerberos V5 authentication protocol. This requires that at least one trusted certification authority (CA) has been configured. Windows Server® 2008 supports X.509 Version 3 certificates, including CA certificates generated by commercial certifying authorities.

  • A preshared key can be specified. This is a shared, secret key that is previously agreed upon by two users. It is simple to use and does not require the client to run the Kerberos V5 authentication protocol or have a public key certificate. Both parties must manually configure IPsec to use this preshared key. This is a simple method for authenticating standalone computers or any computers that are not using the Kerberos V5 authentication protocol. A preshared key is for authentication protection only; it is not used for data integrity or encryption.

Important

The preshared key is stored in plaintext and is not considered a secure method. Preshared keys should be used for testing purposes only.

See Also

Concepts

Filter Actions
IPsec Rules