IKE/AuthIP Exemptions

To function, the Internet Protocol security (IPsec) keying modules, Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP), need their own network traffic to be exempt from IPsec filtering.

In the Windows Filtering Platform (WFP), the Base Filtering Engine (BFE) automatically adds IKE and AuthIP exemption filters when the first IKE or AuthIP main mode (MM) policy filter is added, and deletes them when the last IKE or AuthIP MM policy filter is deleted. This way, policy providers do not have to manage IKE and AuthIP filtering exemptions individually.

An IKE MM policy filter is a filter in the engine layer FWPM_LAYER_IKEEXT_V{4|6} that references a provider context of type FWPM_IPSEC_IKE_MM_CONTEXT.

An AuthIP MM policy filter is a filter in the engine layer FWPM_LAYER_IKEEXT_V{4|6} that references a provider context of type FWPM_IPSEC_AUTHIP_MM_CONTEXT.

An IKE or AuthIP exemption filter is a filter in the engine layer FWPM_LAYER_INBOUND_TRANSPORT_V{4|6} or FWPM_LAYER_OUTBOUND_TRANSPORT_V{4|6} auto-weighted in the FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS weight range.

The IKE and AuthIP exemptions implemented by BFE are as follows.

| IP version | Port | Exemption |
|---|---|---|
| IPv4 | UDP:500, UDP:4500 | Permit IKE and AuthIP traffic at the inbound transport layer and at the outbound transport layer. Permit IKE and AuthIP traffic at the ALE receive/accept and connect layers, but restrict it to local system. |
| IPv6 | UDP:500 | Permit IKE and AuthIP traffic at the inbound transport layer and at the outbound transport layer. Permit IKE and AuthIP traffic at the ALE receive/accept and connect layers, but restrict it to local system. |

The IKE and AuthIP exemption filters are open to all addresses. To implement a firewall with more granular control, policy providers should add filters in a weight range higher than FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS.
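An added example, not part of the original page: a Python audit that reads a filter dump in the XML layout of `netsh wfp show filters`, identifies the exemption filters by weight range, and lists the provider filters in higher ranges that are matched ahead of them. The element names, the sample filters, the value 0xC for FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS and the 60-bit auto-weight split are assumptions, and all sample filters are assumed to sit in one sublayer.

```python
import xml.etree.ElementTree as ET

IKE_RANGE = 0xC        # FWPM_WEIGHT_RANGE_IKE_EXEMPTIONS (value assumed from the SDK headers)
AUTO_WEIGHT_BITS = 60  # assumed: the top 4 bits of the 64-bit weight select the range
TRANSPORT = {f"FWPM_LAYER_{d}_TRANSPORT_V{v}" for d in ("INBOUND", "OUTBOUND") for v in "46"}
IKE_PORTS = {"500", "4500"}

def _flt(name, layer, action, weight, port, addr=""):
    """Build one constructed filter <item> in the assumed dump layout."""
    cond = lambda key, tag, val: (f"<item><fieldKey>{key}</fieldKey><conditionValue>"
                                  f"<{tag}>{val}</{tag}></conditionValue></item>")
    conds = cond("FWPM_CONDITION_IP_LOCAL_PORT", "uint16", port)
    if addr:
        conds += cond("FWPM_CONDITION_IP_REMOTE_ADDRESS", "uint32", addr)
    return (f"<item><displayData><name>{name}</name></displayData><layerKey>{layer}</layerKey>"
            f"<filterCondition>{conds}</filterCondition><action><type>{action}</type></action>"
            f"<effectiveWeight><uint64>{weight}</uint64></effectiveWeight></item>")

# Constructed sample, not a capture from a real host.
L4 = "FWPM_LAYER_INBOUND_TRANSPORT_V4"
SAMPLE = "<wfpdiag><filters>" + "".join([
    _flt("BFE exemption 500", L4, "FWP_ACTION_PERMIT", (0xC << 60) + 7, 500),
    _flt("BFE exemption 4500", L4, "FWP_ACTION_PERMIT", (0xC << 60) + 6, 4500),
    _flt("provider: IKE from peer", L4, "FWP_ACTION_PERMIT", (0xE << 60) + 1, 500, "192.0.2.10"),
    _flt("provider: block other IKE", L4, "FWP_ACTION_BLOCK", (0xD << 60) + 1, 500),
    _flt("unrelated", L4, "FWP_ACTION_PERMIT", 4096, 443),
]) + "</filters></wfpdiag>"

def load_filters(xml_text):
    """Flatten each filter to the fields needed for the weight-range check."""
    rows = []
    for f in ET.fromstring(xml_text).findall(".//filters/item"):
        conds = f.findall("./filterCondition/item")
        rows.append({
            "name": f.findtext("./displayData/name"),
            "layer": f.findtext("layerKey"),
            "action": f.findtext("./action/type"),
            "range": int(f.findtext("./effectiveWeight/uint64"), 0) >> AUTO_WEIGHT_BITS,
            "ports": {c.findtext("./conditionValue/uint16") for c in conds},
            "addr_scoped": any(c.findtext("fieldKey", "").endswith("_ADDRESS") for c in conds),
        })
    return rows

def ike_report(rows):
    """Return (exemption filter names, higher-range IKE-port filters, highest range first)."""
    ike = [r for r in rows if r["layer"] in TRANSPORT and r["ports"] & IKE_PORTS]
    exempt = [r["name"] for r in ike if r["range"] == IKE_RANGE]
    above = sorted((r for r in ike if r["range"] > IKE_RANGE), key=lambda r: -r["range"])
    return exempt, [(r["name"], r["action"], r["addr_scoped"]) for r in above]
```

An empty second list means nothing outranks the exemptions, so UDP 500 and 4500 remain open to all addresses at the transport layers.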

IPsec Configuration

Filter Weight Assignment