Default IPSec policies

Windows XP provides a set of predefined IPSec filter lists and filter actions and default policies. This is only intended to provide an example. It is not designed for operational use without modification. A knowledgeable IPSec network administrator or advanced user should design new, custom polices for operational use.

Computers that are connected to the Internet must be carefully protected from network attacks with custom policies. The default policies are defined as examples for intranets because they allow a computer to receive unsecured traffic. The default policies are designed for computers that are members of an Active Directory domain.

Predefined filter lists

The following predefined filter lists are provided as examples for use in the default policies:

All ICMP Traffic 

A filter list for all ICMP traffic (IP protocol 1) sent and received between this computer and all other computers.

All IP Traffic 

A filter list for all IP traffic sent and received between this computer and all other computers. All broadcast, multicast, and Internet Key Exchange (IKE) traffic is excluded. By default, all Kerberos and Resource Reservation Protocol (RSVP) traffic is also excluded. However, you can include Kerberos and RSVP traffic by editing the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC. Add a new value named NoDefaultExempt and assign to it a value of 1. For more information about adding values to registry keys, see To add a value

 Caution

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Predefined filter actions

The following predefined filter actions are provided as examples for use in the default policies:

Permit 

Traffic is permitted (the security method is set to Permit).

Request Security (Optional) 

Traffic is secured (the security method is set to Negotiate security), however, the following exceptions apply:

Initial incoming unsecured communication is allowed. This behavior is known as inbound passthrough.

If security negotiation fails after 3 seconds, unsecured communication to a non-IPSec-aware computer is allowed. This filter action secures traffic to IPSec-aware computers, but allows unsecured communication if it is required. This behavior is known as fallback to clear.

In order to avoid the potential for denial-of-service attacks, this filter action must not be used on the Internet.

The following table lists the security methods (in preference order) for the Request Security (Optional) predefined filter action.

TypeAH integrityESP confidentialityESP integrityKey lifetimes (KB/sec)

Custom

None

3DES

SHA1

100000/900

Custom

None

DES

SHA1

100000/900

Custom

SHA1

None

None

100000/300

Custom

MD5

None

None

100000/300

The security negotiation for traffic using this filter action attempts ESP encryption (first 3DES, and then DES) with SHA1 integrity and then AH integrity (first SHA1, and then MD5).

Require Security 

Traffic is secured (the security method is set to Negotiate security), however, initial incoming unsecured communication is allowed (inbound passthrough is enabled). Unsecured communication with non-IPSec-aware computers is not allowed (fallback to clear is disabled). For example, an incoming connection request packet is allowed. The computer's reply to the connection request matches the outbound filter, causing a request for security to be sent to the sender of the unsecured traffic. If security negotiation is successful, traffic in both directions is required to be secure. If security negotiation is not successful, outgoing traffic is not allowed. The computer might continue to receive incoming unsecured traffic and will continue to attempt to negotiate security.

In order to avoid the potential for denial-of-service attacks, this filter action must not be used on the Internet.

The following table lists the security methods (in preference order) for the Require Security predefined filter action.

TypeAH integrityESP confidentialityESP integrityKey lifetimes (KB/sec)

Custom

None

3DES

SHA1

100000/900

Custom

None

3DES

MD5

100000/900

Custom

None

DES

SHA1

100000/900

Custom

None

DES

MD5

100000/900

The security negotiation for traffic using this filter action will only attempt to negotiate ESP encryption (first 3DES, and then DES) with differing ESP authentication methods (first SHA1, and then MD5).

The most secure filter action is one that negotiates security and neither receives unsecured traffic (inbound passthrough is disabled) nor allows communication with non-IPSec-aware computers (fallback to clear is disabled). This is known as a lockdown filter action. When a server is using this filter action, clients must initiate secured communication before sending any IP traffic. The IPSec policy for client computers must be configured with additional rules that force the client to negotiate security with the server. A client configured with policy that consists of only the default response rule is not able to communicate with a lockdown server.

Predefined rules

The only predefined rule that is available on all policies is the default response rule. The default response rule is automatically created in a new policy and cannot be created manually. It is used to respond to security requests when no other rule applies. For example, a client policy that enables a client to respond to security requests but does not secure any traffic by default, would have only the default response rule active. In some cases, it is enabled by default. You can disable the default response rule on the Rules tab in properties for a policy. You can also modify the authentication method and security methods of the default response rule for specific needs. For more information, see Default response rule

Default policies

The following are provided as examples for use in the default policies:

Client (Respond Only) 

This is an example policy for computers that secure communication on request. For example, intranet clients might not require IPSec except when requested by another computer. This policy enables the computer on which it is active to respond to requests for secured communications. This policy contains the default response rule, which creates dynamic IPSec filters for inbound and outbound traffic based on the requested protocol and port traffic for the communication that is being secured.

This policy has the following settings:

First rule (default response rule)

IP Filter List: <Dynamic>

Filter Action: Default Response

Authentication: Kerberos

Tunnel Setting: None

Connection Type: All

Server (Request Security) 

This is an example policy for computers that should secure communications in most cases, allowing unsecured communication with non-IPSec-aware computers. With this policy, the computer accepts unsecured traffic, but always attempts to secure additional communications by requesting security from the original sender. This policy allows the entire communication to be unsecured if the other computer is not IPSec-enabled. For example, communication to specific servers can be secure while allowing the server to communicate in an unsecured manner to accommodate a mixture of clients (some of which support IPSec and some of which do not).

To test the use of this policy, assign this policy to a server computer and assign the Client (Respond Only) policy to a client computer. When the client computer attempts to communicate with the server, the server requests secure communications. In addition, attempt to communicate with the server using a computer that either is not IPSec-capable or that has any IPSec policy assigned. When the non-IPSec-capable client attempts to communicate with the server, the server requests secure communications. However, the negotiation fails and the non-IPSec-capable computer connects to the server using unsecured communications.

This policy has a rule to request security for all IP traffic, a rule to permit ICMP traffic, and the default response rule to respond to requests for security from other computers.

This policy has the following settings:

First rule

IP Filter List: All IP Traffic

Filter Action: Request Security (Optional)

Authentication: Kerberos

Tunnel Setting: None

Connection Type: All

Second rule

IP Filter List: All ICMP Traffic

Filter Action: Permit

Authentication: Kerberos

Tunnel Setting: None

Connection Type: All

Third rule (default response rule)

IP Filter List: <Dynamic>

Filter Action: Default Response

Authentication: Kerberos

Tunnel Setting: None

Connection Type: All

Secure Server (Require Security) 

This is an example policy for computers on an intranet that require secure communications, such as a server that transmits highly sensitive data. Administrators can use this IPSec policy as an example to create their own custom IPSec policy for production use. The filters used in this policy require all outbound communication to be secured, allowing only the initial inbound communication request to be unsecured.

To test the use of this policy, assign this policy to a server computer and assign the Client (Respond Only) policy to a client computer. When the client computer attempts to communicate with the server, the server requests secure communications. In addition, attempt to communicate with the server using a computer that either is not IPSec-capable or that has any IPSec policy assigned. When the non-IPSec-capable client attempts to communicate with the server, the server requests secure communications. However, the negotiation fails and the non-IPSec-capable computer does not connect to the server.

This policy has a rule to require security for all IP traffic, a rule to permit ICMP traffic, and the default response rule to respond to requests for security from other computers.

First rule

IP Filter List: All IP Traffic

Filter Action: Require Security

Authentication: Kerberos

Tunnel Setting: None

Connection Type: All

Second rule

IP Filter List: All ICMP Traffic

Filter Action: Permit

Authentication: Kerberos

Tunnel Setting: None

Connection Type: All

Third rule (default response rule)

IP Filter List: <Dynamic>

Filter Action: Default Response

Authentication: Kerberos

Tunnel Setting: None

Connection Type: All



© 2017 Microsoft Corporation. All rights reserved. Contact Us |Terms of Use |Trademarks |Privacy & Cookies