Configure IPsec Support for Windows PE Client
Applies To: Windows 7, Windows Server 2008 R2
This content applies to Windows 7. For Windows 8 content, see Windows Deployment with the Windows ADK.
This topic describes how to configure an IP Security (IPsec) network for Windows® PE clients. Windows PE supports the IPsec protocol by default, but in some cases the computer you want to connect to will not allow the connection. You must configure that computer's IPsec security policy to allow the Windows PE client to connect.
By default, Windows PE IPsec policy uses the following security and authentication methods:
MM Security Offer: AES128-SHA1-ECP256 (MM is Main Mode)
MM Authentication Method: Anonymous
QM Policy: 3DES-SHA1; AES128-SHA1 (QM is Quick Mode)
QM Authentication Method: NTLMv2
To configure an IPsec policy
On the networked computer you are trying to access, configure the following:
Click Start, point to Administrative Tools, and then click Windows Firewall with Advanced Security.
In the left pane, right-click Windows Firewall with Advanced Security and then select Properties.
On the Windows Firewall with Advanced Security on Local Computer Properties window, select the IPsec Settings tab. Under the IPsec defaults section, click the Customize button.
The Customize IPsec Settings window opens.
In Customize IPsec Settings, in Key exchange (Main Mode), select Customize.
The Customize Advanced Key Exchange Settings window opens.
In the Key Exchange Algorithm section, select Elliptic Curve Diffie-Hellman P-256.
In the Security Methods section, verify that the SHA1 (Integrity) AES-128 (Encryption) method is included in the list of security methods, and then click OK.
In the left pane, right-click the Connection Security Rules node, and then select New Rule.
In the New Connection Security Rule Wizard, select Custom, and then click Next.
In the Endpoints section, add the IP addresses of the Windows PE computers (Endpoint 1) and the local computer (Endpoint 2), and then click Next.
In the Requirements section, select the Require Authentication for inbound and outbound connections option, and then click Next.
In the Authentication Method section, select the Advanced option, and then click the Customize button.
In Customize Advanced Authentication Methods, in the First authentication area, select the First Authentication Method is optional check box.
In Customize Advanced Authentication Methods, in the Second authentication area, click Add, and then, in Second Authentication Method, select User (NTLMv2), click OK, and then click OK again.
The New Connection Security Rule Wizard window opens.
In the Profile window, select the profile to which this rule applies, and then click Next.
In the Name window, enter a name and description for the rule, and then click Finish.
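The same policy, expressed as a script instead of the wizard steps above. This is an added example, not part of the original topic: it uses the NetSecurity PowerShell module, which exists on Windows 8 / Windows Server 2012 and later (Windows 7 exposes these settings only through the GUI or netsh), and the two IP addresses and rule names are placeholders. DH group 19 is the IKE name for the ECDH P-256 group selected in the Key Exchange Algorithm step.

```powershell
# Added example (not from the original topic). Requires the NetSecurity module
# (Windows 8 / Server 2012 or later) and an elevated PowerShell session.
# Placeholder addresses: 192.0.2.10 = Windows PE client, 192.0.2.20 = this computer.
$peClient = '192.0.2.10'
$thisHost = '192.0.2.20'

# Main Mode: AES-128 / SHA-1 with ECDH P-256 (IKE DH group 19), matching the
# Windows PE default offer AES128-SHA1-ECP256. -Default makes this set the
# global key-exchange setting (the "Key exchange (Main Mode)" customization).
$mm = New-NetIPsecMainModeCryptoProposal -Encryption AES128 -Hash SHA1 -KeyExchange DH19
New-NetIPsecMainModeCryptoSet -DisplayName 'WinPE Main Mode' -Proposal $mm -Default | Out-Null

# Quick Mode: accept either of the two suites Windows PE proposes (AES128-SHA1, 3DES-SHA1).
$qmAes  = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption AES128
$qm3des = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3
$qmSet  = New-NetIPsecQuickModeCryptoSet -DisplayName 'WinPE Quick Mode' -Proposal $qmAes, $qm3des

# Authentication: first (computer) authentication is optional, i.e. anonymous,
# second (user) authentication is NTLMv2, as in the wizard's Authentication Method step.
$auth1 = New-NetIPsecAuthProposal -Anonymous
$p1Set = New-NetIPsecPhase1AuthSet -DisplayName 'WinPE Phase 1 (optional)' -Proposal $auth1
$auth2 = New-NetIPsecAuthProposal -User -Ntlm
$p2Set = New-NetIPsecPhase2AuthSet -DisplayName 'WinPE Phase 2 (NTLMv2)' -Proposal $auth2

# Connection security rule: require authentication for inbound and outbound
# connections between the Windows PE client (Endpoint 1) and this computer (Endpoint 2).
New-NetIPsecRule -DisplayName 'WinPE IPsec' `
    -LocalAddress $thisHost -RemoteAddress $peClient `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $p1Set.Name -Phase2AuthSet $p2Set.Name `
    -QuickModeCryptoSet $qmSet.Name -Profile Any | Out-Null

# Check: after a Windows PE client connects, the negotiated security associations
# should list the suites configured above. No output means no IPsec SA was established,
# which usually points at a policy mismatch rather than a network problem.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```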