Add Authentication Methods to an IPsec Rule on Earlier Versions of Windows

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

You can add a single authentication method to an IPsec rule from the Authentication Method page of the Security Rule Wizard. If your design calls for more than one authentication method, follow the steps in the wizard to add the first, and then follow these steps to add the others. This procedure assumes that you have just finished creating the rule by using the wizard, and the list of rules in the IPsec policy is still on the display.

To add additional authentication methods to an IPsec rule

  1. Click the rule to which you want to add authentication methods, and then click Edit.

  2. On the rule Properties dialog box, select the Authentication Methods tab.

  3. Click Add.

  4. Configure your second authentication method. For example, if you want to add certificate-based authentication so that your computers can interoperate with computers running operating systems other than Windows:

    1. Select Use a certificate from this certification authority (CA).

    2. Click Browse.

    3. Select the appropriate CA from the list, and then click OK.


You must distribute a copy of a certificate issued by the selected CA to all computers that must be able to use this IPsec rule. You can use X.509 version 3 certificates that are either generated by a CA server operated by your organization or purchased from a commercial certification authority. Only root certificates can be used; certificates from intermediate CAs do not work. For more information, see Checklist: Implementing a Certificate-based Isolation Policy Design in this guide.

  5. Click OK on each dialog box to return to the Group Policy Management Editor.
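
The same change can be scripted with `netsh ipsec static`; the following is an added example, not part of the original procedure. It assumes a computer running Windows Server 2003 or later, a policy in the local policy store, and Kerberos as the first method chosen in the wizard. The policy name, rule name and CA distinguished name are placeholders.

```batch
@echo off
rem Added example: placeholder names, replace with the values from your design.
set "POLICY=Example Isolation Policy"
set "RULE=Example Isolation Rule"
set "ROOTCA=C=US,O=Example Corp,CN=Example Root CA"

rem "set rule" overwrites the rule's whole authentication list with the
rem methods named on the command line, so the first method (Kerberos) is
rem restated here. The order of the parameters is the order of preference.
netsh ipsec static set rule name="%RULE%" policy="%POLICY%" kerberos=yes rootca="%ROOTCA%"

rem Display the rule in detail and confirm that both methods are listed,
rem Kerberos first and the root CA second.
netsh ipsec static show rule name="%RULE%" policy="%POLICY%" level=verbose
```

Run it from an elevated command prompt. If the verbose output lists only the certificate method, an earlier authentication method was left off the `set rule` command line and was replaced.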