The IPSec driver receives the active IP filter list from the IPSec Policy Agent, as shown in the following illustration, and then attempts to match every inbound and outbound packet against the filters in the list.
When a packet matches a filter, the driver applies that filter's action. When a packet does not match any filter, the packet is passed back without modification to the TCP/IP driver to be received or transmitted.
If the filter action permits transmission, the packet is received or sent with no modifications. If the action blocks transmission, the packet is discarded. If the action requires the negotiation of security, main mode and quick mode SAs are negotiated.
The negotiated quick mode security association (SA) and keys are used with both outbound and inbound processing. The IPSec driver stores all current quick mode SAs in a database. The IPSec driver uses the Security Parameters Index (SPI) field to match the correct SA with the correct packet.
When an outbound IP packet matches the IP filter list with an action to negotiate security, the IPSec driver queues the packet and then notifies Internet Key Exchange (IKE), which begins security negotiations with the destination IP address of that packet. If several outbound packets are going to the same destination and match the same filter before IKE has finished the negotiation, only the last packet sent is saved; the earlier queued packets are not retained.
After a successful negotiation is complete, the IPSec driver on the sending computer:
If the negotiation failed, the IPSec driver discards the packet.
When an IPSec-secured inbound packet matches the IP filter list, the IPSec driver on the receiving computer:
When an unsecured IP packet is received, the IPSec driver matches the packet against all filters in the filter list. If a match occurs and the filter action for that filter either requires IP security or blocks the packet, then the packet is discarded.
The IPSec driver matches all inbound unsecured packets against the filters that specify IPSec tunnels first, and then against the filters that specify end-to-end (transport) mode. The IPSec driver does not filter certain types of IP packets. For more information, see To add or edit IPSec filters
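The following model pulls together the driver behaviour described above (filter matching and the three filter actions, queuing with only the last packet per destination saved while IKE runs, SPI lookup of the quick mode SA, and tunnel-before-transport ordering for inbound unsecured packets). It is an added illustration, not Microsoft's driver code: the class and method names, the address/wildcard syntax of the filters, the filter list and traffic in `demo()` are all constructed for this example, and the treatment of a secured packet whose SPI has no SA (discarded here) is an assumption the page does not state.

```python
"""Model of the IPSec driver's filter matching, SA lookup and packet queuing.
Added example, not Microsoft code; names, filter syntax and traffic are
constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    PERMIT = "permit"        # pass unchanged
    BLOCK = "block"          # discard
    NEGOTIATE = "negotiate"  # require IPSec; IKE negotiates main/quick mode SAs


@dataclass(frozen=True)
class Filter:
    src: str                 # address or "*" for any (constructed syntax)
    dst: str
    proto: Optional[int]     # IP protocol number, None = any
    action: Action
    tunnel: bool = False     # tunnel filter vs end-to-end (transport) filter


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    spi: Optional[int] = None  # set on IPSec-secured (AH/ESP) packets
    payload: bytes = b""


def matches(f: Filter, p: Packet) -> bool:
    return (f.src in ("*", p.src) and f.dst in ("*", p.dst)
            and f.proto in (None, p.proto))


class IpsecDriver:
    def __init__(self, filters: List[Filter]):
        self.filters = list(filters)
        self.sa_db: Dict[int, dict] = {}       # SPI -> quick mode SA (keys etc.)
        self.pending: Dict[str, Packet] = {}   # destination -> last queued packet
        self.ike_requests: List[str] = []      # destinations handed to IKE

    @staticmethod
    def first_match(p: Packet, ordered: List[Filter]) -> Optional[Filter]:
        for f in ordered:
            if matches(f, p):
                return f
        return None

    def outbound(self, p: Packet) -> str:
        f = self.first_match(p, self.filters)
        if f is None or f.action is Action.PERMIT:
            return "transmit"            # no match, or permit: sent unchanged
        if f.action is Action.BLOCK:
            return "discard"
        # NEGOTIATE: queue the packet and notify IKE once per destination.
        # A later packet to the same destination overwrites the queued one,
        # so only the last packet sent before IKE finishes is saved.
        self.pending[p.dst] = p
        if p.dst not in self.ike_requests:
            self.ike_requests.append(p.dst)
        return "queued"

    def ike_done(self, dst: str, spi: Optional[int], sa: Optional[dict]) -> str:
        """IKE reports its outcome for dst; sa is None when negotiation failed."""
        p = self.pending.pop(dst, None)
        if sa is None:
            return "discard"             # failed negotiation: queued packet dropped
        self.sa_db[spi] = sa             # quick mode SA stored, keyed by SPI
        return "transmit_secured" if p else "idle"

    def inbound(self, p: Packet) -> str:
        if p.spi is not None:
            # Secured packet: the SPI selects the quick mode SA to process it with.
            # Assumption: an SPI with no stored SA means the packet is discarded.
            return "receive_secured" if p.spi in self.sa_db else "discard"
        # Unsecured packet: tunnel filters are consulted before transport filters.
        ordered = ([f for f in self.filters if f.tunnel]
                   + [f for f in self.filters if not f.tunnel])
        f = self.first_match(p, ordered)
        if f is None or f.action is Action.PERMIT:
            return "receive"
        return "discard"                 # BLOCK, or security required but absent


def demo() -> dict:
    """Constructed filter list and traffic; returns the driver's decisions."""
    drv = IpsecDriver([
        Filter("*", "10.0.0.9", None, Action.BLOCK),              # transport filter
        Filter("*", "10.0.0.5", None, Action.NEGOTIATE),          # transport filter
        Filter("*", "10.0.0.9", 1, Action.PERMIT, tunnel=True),   # tunnel filter
    ])
    out = {}
    out["plain"] = drv.outbound(Packet("10.0.0.1", "10.0.0.7", 6))
    out["blocked"] = drv.outbound(Packet("10.0.0.1", "10.0.0.9", 6))
    out["q1"] = drv.outbound(Packet("10.0.0.1", "10.0.0.5", 6, payload=b"first"))
    out["q2"] = drv.outbound(Packet("10.0.0.1", "10.0.0.5", 6, payload=b"last"))
    out["saved"] = drv.pending["10.0.0.5"].payload      # only the last one is kept
    out["ike_calls"] = len(drv.ike_requests)             # IKE notified once
    out["after_ike"] = drv.ike_done("10.0.0.5", 0x1000, {"proto": "ESP"})
    out["in_secured"] = drv.inbound(Packet("10.0.0.5", "10.0.0.1", 50, spi=0x1000))
    out["in_bad_spi"] = drv.inbound(Packet("10.0.0.5", "10.0.0.1", 50, spi=0x2000))
    # unsecured packet where the matching filter requires security: dropped
    out["in_unsecured"] = drv.inbound(Packet("10.0.0.8", "10.0.0.5", 6))
    # inbound ICMP to 10.0.0.9: the tunnel permit filter is checked before the block
    out["in_tunnel_first"] = drv.inbound(Packet("10.0.0.8", "10.0.0.9", 1))
    drv.outbound(Packet("10.0.0.1", "10.0.0.5", 17))
    out["failed"] = drv.ike_done("10.0.0.5", None, None)  # failed IKE: discard
    return out
```

`demo()` exercises each path: an unmatched packet is transmitted, a blocked one discarded, two packets to the same negotiate-protected destination collapse to one queued packet and one IKE request, and inbound unsecured traffic to a destination that requires security is dropped even though the same destination would be reachable once an SA keyed by its SPI exists.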