Configure Key Exchange (Main Mode) Settings on Earlier Versions of Windows

Applies To: Windows 7, Windows Essential Business Server, Windows SBS 2003, Windows SBS 2008, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Vista

After you have created a new IP Security policy, you can configure the key exchange algorithms that are used to negotiate the main mode security association, and specify how frequently the keys must be changed.

You must specify algorithm combinations that are compatible with the other computers with which the local computer must communicate. Each combination includes an encryption algorithm, an integrity algorithm, and a Diffie-Hellman Group. The order in which the combinations are listed is the order in which they are tried, so place the ones you need most frequently at the top of the list.

We recommend that you do not include DES, MD5, or Diffie-Hellman Group 1 in any combination. They are no longer considered secure, and are included for backward compatibility only.

Use the strongest algorithms that are supported by your computers. If some computers do not support the stronger algorithms, include combinations with the stronger algorithms for the computers that can use them, and weaker combinations for compatibility with the computers that cannot. Place the combinations with the stronger algorithms at the top of the list to ensure that they are used whenever both computers support them.

Administrative credentials

To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.

To configure key exchange settings

  1. Open the Group Policy Management Console to IP Security Policies.

  2. In the details pane, right-click the IP Security policy that you want to modify, and then click Properties.

  3. Select the General tab, and then click Settings.

  4. Specify a key lifetime for the main mode key, in both minutes and sessions. When either value is reached, Windows generates a new main mode key.

  5. Click Methods.

  6. In the Key Exchange Security Methods dialog box, click Add to create a new combination, or select an existing combination from the list, and click Edit.

  7. In the IKE Security Algorithms dialog box, select an integrity algorithm, an encryption algorithm, and a Diffie-Hellman group, and then click OK.

  8. After you add or modify the last combination, click OK three times to save your changes.
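The following PowerShell script is an added example and is not part of the original article. It reviews a proposed list of main mode security-method combinations against the guidance above before you enter them in the Key Exchange Security Methods dialog box: it flags DES, MD5 and Diffie-Hellman Group 1, and it flags a stronger combination listed below a weaker one, because combinations are tried in list order. The "Encryption-Integrity-DHGroup" notation, the strength ranks and the sample lists are this example's own assumptions, not values from the article.

```powershell
# Added example, not from the original article: review a proposed list of
# main mode (key exchange) security methods against the guidance above.
# Combination strings ("Encryption-Integrity-DHGroup") are a constructed
# notation for the three choices the IKE Security Algorithms dialog offers;
# the strength ranks are this example's own assumptions.

$Pattern = '^(?<enc>DES|3DES|AES-128|AES-192|AES-256)-(?<hash>MD5|SHA1)-(?<dh>\d+)$'

# Relative strength ranks (higher is stronger), used only to check ordering.
$EncRank = @{ 'DES' = 0; '3DES' = 1; 'AES-128' = 2; 'AES-192' = 3; 'AES-256' = 4 }
$IntRank = @{ 'MD5' = 0; 'SHA1' = 1 }
$DhRank  = @{ '1' = 0; '2' = 1; '14' = 2 }

function Test-MainModeMethodList {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Methods)

    $findings  = New-Object System.Collections.Generic.List[string]
    $prevScore = [int]::MaxValue

    for ($i = 0; $i -lt $Methods.Count; $i++) {
        $m = $Methods[$i]
        if ($m -notmatch $Pattern) {
            $findings.Add("Entry $($i+1) '$m' is not in Encryption-Integrity-DHGroup form")
            continue
        }
        $enc = $Matches['enc']; $hash = $Matches['hash']; $dh = $Matches['dh']

        # The article's "do not include" list: DES, MD5, Diffie-Hellman Group 1.
        if ($enc -eq 'DES')  { $findings.Add("Entry $($i+1) '$m' uses DES") }
        if ($hash -eq 'MD5') { $findings.Add("Entry $($i+1) '$m' uses MD5") }
        if ($dh -eq '1')     { $findings.Add("Entry $($i+1) '$m' uses Diffie-Hellman Group 1") }

        if (-not $DhRank.ContainsKey($dh)) {
            $findings.Add("Entry $($i+1) '$m' uses DH group $dh, which this check does not rank")
            continue
        }

        # Ordering check: combinations are tried top to bottom, so a stronger
        # combination listed after a weaker one is reached only if every
        # weaker one above it failed to negotiate.
        $score = $EncRank[$enc] * 100 + $IntRank[$hash] * 10 + $DhRank[$dh]
        if ($score -gt $prevScore) {
            $findings.Add("Entry $($i+1) '$m' is stronger than the entry above it; move it up")
        }
        $prevScore = $score
    }

    [pscustomobject]@{
        Methods  = $Methods
        Findings = $findings.ToArray()
        Passes   = ($findings.Count -eq 0)
    }
}

# Constructed sample lists: a weak, misordered list and the corrected one.
$weakList = @('3DES-MD5-1', 'AES-256-SHA1-14', 'DES-SHA1-2')
$goodList = @('AES-256-SHA1-14', 'AES-128-SHA1-2', '3DES-SHA1-2')

Test-MainModeMethodList -Methods $weakList | Format-List
Test-MainModeMethodList -Methods $goodList | Format-List
```

For the weak list the check reports MD5 and Group 1 on the first entry, DES on the third, and that the AES-256 combination is listed below a weaker one; the corrected list passes. Run it against the combinations you intend to enter in step 6 and step 7, and keep the weaker fallback combinations only for the computers that actually need them.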
