Configuring IPsec Settings
Updated: December 1, 2009
Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista
The IPsec Settings dialog box shown in Figure 5 is displayed when you click the Customize button on the IPsec Settings tab of the Windows Firewall with Advanced Security on Local Computer property sheet. These settings are used when you create computer connection security rules. Note that if you configure these IPsec defaults by using Group Policy, then the user is informed by the message at the top of the dialog box, and the affected controls are disabled. You can still click the Customize buttons to see the different settings, but most of the controls on those dialog boxes are also disabled.
The Customize IPsec settings dialog box only allows you to create one main mode configuration. In Windows 7 and Windows Server 2008 R2, you can create additional main mode rules that enable you to use different main mode settings for connections to different computers. Previous versions of Windows Firewall with Advanced Security supported only the single main mode configuration that you can set on this dialog box. Main mode rules can be created by using the Netsh command-line tool. If a connection does not match a main mode rule, then the main mode settings on this dialog box are used for the connection. For more information, see Netsh AdvFirewall MainMode Commands (http://go.microsoft.com/fwlink/?linkid=147508)
This dialog box allows you to choose the following options:
Key Exchange (Main Mode). To enable secure communication, two computers must be able to access the same shared key without transferring that key across the network. Click the Customize button to configure security methods, key exchange algorithms, and key lifetimes. These settings are used to protect the IPsec negotiations that in turn determine the protection used for the rest of the data sent over the connection.
Data Protection (Quick Mode). IPsec data protection defines the algorithms and protocols used to provide data integrity and encryption for a connection. Data integrity ensures that data is not modified during transit. Data encryption uses cryptography to conceal the information. Windows Firewall with Advanced Security uses Authentication Header (AH) or Encapsulating Security Payload (ESP) to provide data protection. Windows Firewall with Advanced Security uses ESP for data encryption.
Authentication Method. This setting lets you choose the default authentication method for IPsec connections on the local computer, unless a different method is specified by a rule or by Group Policy settings. The default authentication method is Kerberos version 5, which is useful on rules that implement domain isolation. You can also restrict connections to only those computers that have a certificate from a specified certification authority (CA).