What Is IPSec Policy Extension?

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

What Is IP Security Policy Extension?

In this section

  • IPSec Policy Settings and Rules

  • IPSec Policy Core Scenarios

  • IPSec Policy Advantages

  • Related Information

Internet Protocol Security (IPSec) is an architecture defined by the Internet Engineering Task Force (IETF) RFC 2401. This architecture involves several protocols that perform various functions in the architecture.

A network is not secure until servers can identify the computers communicating with them. IPSec enables secure, trusted communications between IP addresses. The system behind the IP address has an identity that is verified by using an authentication process. The only computers that must be aware of IPSec are the sending and receiving computers. Each computer handles security at its respective end, and assumes that the medium over which the communication takes place is not secure. Any computers that route data between the source and destination computer are not required to support IPSec.

You can deploy IPSec in several scenarios:

  • A local area network (LAN) for client/server and server-to-server.

  • A wide area network (WAN) for router-to-router and gateway-to-gateway.

  • A remote network’s dial-up clients and for Internet access from private networks.

Both the sending and the receiving computer require IPSec configuration (an IPSec policy) to specify options and security settings to enable the two systems to agree on how to secure traffic between them. The IP Security Policies extension of the Group Policy Object Editor snap-in is used to configure IPSec policies based on Active Directory. You can also configure IPSec policies on a computer that is not a domain member; however, it is more difficult to assign and manage IPSec policy configurations and trust relationships for computers that are not members of a trusted domain.

IPSec Policy Settings and Rules

An IPSec policy contains general IPSec policy settings that apply regardless of the rules that are configured, and one or more IPSec policy rules that determine IPSec behavior.

General IPSec Policy Settings

The general IPSec policy settings specify the name of the policy, its description for administrative purposes, polling interval for policy change, key exchange settings, and key exchange methods. The following table lists these general settings.

General IPSec Policy Settings

Settings Description


The name for the policy.


The optional text description used to describe the purpose of the IPSec policy. It is recommended that you complete and update this description to provide a summary of the settings and rules for the policy.

Policy change poll interval

Specifies the number of minutes between consecutive polls for changes in IPSec policies based on Active Directory. This polling does not detect a change in domain or organizational unit membership, or the assignment or removal of assignment of a new policy. These events are detected when the Winlogon service polls for changes in Group Policy, which occurs every 90 minutes by default.

Key exchange settings

Define the way in which new keys are derived and how often they are renewed.

Key exchange methods

Determine the ways in which identities are protected during the key exchange.

The default key exchange settings and methods are configured to work for most IPSec deployments. Unless there are special security requirements, default settings should not have to be changed.

IPSec Policy Rules

IPSec policy rules specify settings such as the type of traffic IPSec examines, whether to permit or block traffic, whether to negotiate security, and how to authenticate an IPSec peer.

IPSec rules include a list of IP filters that specify a particular subset of inbound or outbound network traffic that should be secured. A filter is required to cover any traffic to which an associated IPSec rule applies. IPSec filters are inserted into the IP layer of the TCP/IP networking protocol stack on the computer so that they can filter all inbound or outbound IP packets.

IP Filter Settings

An IP filter contains the following settings:

The source and destination address of the IP packet.

You can specify any IP address assigned to the IPSec peer, a single IP address, IP addresses by DNS name, or groups of addresses to specify IP subnets.

The protocol over which the packet is being transferred.

By default, all protocols in the TCP/IP protocol suite are selected. However, you can specify an individual protocol for this filter to meet special requirements, including custom protocols.

The source and destination port for TCP and UDP.

By default, all TCP and UDP ports are selected, but you can select a specific TCP or UDP port.

IPSec Rule Entries

An IPSec rule contains the following configurable entries:

Filter list.

This list contains one or multiple predefined filters that specify IP addresses and the types of traffic to which an action (permit or block traffic, or negotiate security) is applied.

Filter action.

This entry specifies the security requirements for data transmission.

You can configure one of the following options for a filter action:

  • Permit. Select this option to permit traffic. IPSec passes this traffic without modification or the requirement for security. This is appropriate for traffic from specific computers that are not IPSec-capable. Be sure to limit the IP filter list to a minimal scope when using this type of filter action, so you do not let traffic through which should be secured.

  • Block. Select this option to block traffic. IPSec silently discards this traffic. Be sure to use an IP filter list that appropriately defines the scope of traffic when using a blocking filter action so that you do not block valid computers from communicating.

  • Negotiate security. Select this option to negotiate IPSec parameters. IPSec requires the negotiation of security associations and the sending or receiving of IPSec-secured traffic. If you choose this option, you can also configure: security methods; allowance of initial incoming unsecured traffic (Accept unsecured communication, but always respond using IPSec); enabling of communication with non-IPSec-enabled computers (Allow unsecured communication with non-IPSec-aware computer); and generation of session keys from new keying material (Use session key perfect forward secrecy (PFS)).


This entry contains one or more authentication methods in order of preference that are used for protection during Internet Key Exchange (IKE) negotiations. The available authentication methods are the Kerberos v5 protocol, the use of a certificate issued from a specified certification authority, or a pre-shared key. The IKE protocol securely establishes a trust relationship between each computer, negotiates security options, and dynamically generates shared, secret cryptographic keying material.

Tunnel endpoint.

This entry contains settings that determine whether traffic is tunneled and, if it is, the tunnel endpoint. The tunnel endpoint is configured on the Tunnel Setting tab in the properties of an IPSec rule within an IPSec policy.

Connection type.

This entry contains a setting that specifies whether the rule applies to only local area network (LAN) connections, to only Point-to-Point Protocol (PPP)-based connections, or to both types of connections. The interface applicability is configured on the Connection Type tab in the properties of an IPSec rule within an IPSec policy.

For more detailed information about IPSec, see “What Is IPSec?” in the Networking collection.

IPSec Policy Core Scenarios

Corporate networks face various types of external and internal threats from untrusted computers, such as denial-of-service attacks, data corruption, and data theft. Network-based attacks on any application or service running on an internal corporate network server can result in:

  • Loss of service through denial-of-service of the application, the service, or the network.

  • Data corruption.

  • Theft of information such as user credentials or data theft.

  • Administrative control of the server or other network computers.

To protect network servers against network-based attacks, administrators can use IPSec. To provide enhanced security for networks against untrusted network attacks, you can require IPSec-authenticated, signed, and encrypted communication between computers.

You can use IPSec as part or your organization’s security strategy to provide protection against network-based attacks from untrusted computers. IPSec is intended for use in environments where untrusted network access and attacks on network traffic are a realistic threat.

The features of IPSec (such as strong, cryptographic-based authentication and encryption) make it particularly useful for securing traffic that must traverse untrusted network paths such as the corporate intranet or the Internet. IPSec is also appropriate for securing traffic that uses protocols and applications that do not provide sufficient security for communications.

By using policy based on Active Directory, you can secure most communications for a group of servers. You can also use command-line tools to create, modify, and assign IPSec policies. The tools you use vary, depending on the operating system running on the computers. For more information about command-line tools, see the “IPSec Policy Extension Tools and Settings” section in this collection.

IPSec Policy Advantages

IPSec provides a key line of defense against private network and Internet attacks. IPSec keeps data intact as it is transmitted across the network and protects communications between private network computers, domains, sites, remote sites, extranets, and dial-up clients.

By using cryptographic protection services, security protocols, and dynamic key management, IPSec:

  • Protects the content of IP packets.

  • Provides a defense against active and passive network attacks by using packet filtering and the enforcement of trusted communication.

IPSec provides protection against the following types of attacks:

Sniffers (lack of confidentiality).

The Encapsulating Security Payload (ESP) protocol in IPSec encrypts the payload of IP packets to provide data confidentiality.

Data modification.

IPSec uses cryptography-based keys, shared only by the sending and receiving computers, to create a cryptographic checksum for each IP packet. Any modification to the packet data alters the checksum, indicating to the receiving computer that the packet was altered in transit.

Identity spoofing, password-based, and application-layer attacks.

IPSec permits the exchange and verification of identities without exposing that information to interpretation by an attacker. To establish trust between the communicating systems, and to ensure that only trusted systems can communicate with each other, IPSec uses mutual authentication. After identities are established, IPSec uses cryptography-based keys to create a cryptographic checksum for each IP packet. The checksum ensures that only the computers that have knowledge of the keys could have sent each packet.

Man-in-the-middle attacks.

IPSec combines mutual authentication with shared, cryptography-based keys to provide end-to-end data integrity and information hiding.

Denial-of-service attacks.

IPSec uses IP packet filtering methodology to determine whether communication is allowed, secured, or blocked, according to the IP address ranges, IP protocols, or specific TCP and UDP ports.

IPSec Management with Group Policy

To provide strong, cryptography-based security to protect data, and to reduce administrative costs, IPSec uses policy-based administration. You can configure IPSec policies to meet the security requirements of a computer, application, organizational unit, domain, site, or global enterprise. You can use the IP Security Policies Management snap-in provided in Windows XP, Windows 2000, and Windows Server 2003 to define IPSec policies for computers through Active Directory (for domain members), or on the local computer (for computers that are not members of a domain).

The following resources contain additional information that is relevant to this section: