An IPSec policy consists of one or more rules that determine IPSec behavior. IPSec rules are configured on the Rules tab in the properties of an IPSec policy. Each IPSec rule contains the following configuration items:
A single filter list is selected that contains one or more predefined packet filters that describe the types of traffic to which the configured filter action for this rule is applied. The filter list is configured on the IP Filter List tab in the properties of an IPSec rule within an IPSec policy.
A single filter action is selected that specifies the action taken (permit, block, or secure) for packets that match the filter list. For the secure action, the filter action also carries negotiation data: one or more security methods, tried in order of preference during IKE negotiation, plus other IPSec settings such as whether unsecured inbound communication is accepted and whether communication falls back to cleartext when negotiation fails. Each security method determines the security protocol (AH or ESP), the specific cryptographic algorithms, and the session key regeneration (lifetime) settings. Both fallback settings let traffic that matches the filter pass unprotected, so leave them off in a rule that is meant to enforce protection. The filter action and its negotiation data are configured on the Filter Action tab in the properties of an IPSec rule within an IPSec policy.
One or more authentication methods are configured (in order of preference) and used to authenticate IPSec peers during main mode negotiation. The available authentication methods are the Kerberos V5 protocol, a certificate issued by a specified certification authority, or a preshared key. A preshared key is stored in cleartext in the policy and is intended for interoperability testing, not for production use. The authentication methods are configured on the Authentication Methods tab in the properties of an IPSec rule within an IPSec policy.
The tunnel setting specifies whether the traffic is tunneled and, if it is, the IP address of the tunnel endpoint. For outbound traffic, the tunnel endpoint is the IP address of the IPSec tunnel peer. For inbound traffic, the tunnel endpoint is a local IP address. The tunnel endpoint is configured on the Tunnel Setting tab in the properties of an IPSec rule within an IPSec policy. For more information, see Tunnel mode.
The connection type specifies whether the rule applies to local area network (LAN) connections, dial-up connections, or both. The connection type is configured on the Connection Type tab in the properties of an IPSec rule within an IPSec policy.
The rules for a policy are displayed in the IP Security Policies snap-in in reverse alphabetical order based on the name of the filter list selected for each rule, but the display order has no effect on processing. There is no way to specify the order in which the rules in a policy are applied: the IPSec driver orders them itself, from the most specific to the least specific filter. For example, a rule whose filter list specifies individual IP addresses and TCP ports is applied before a rule whose filter list specifies all addresses on a subnet, regardless of how the two rules are displayed.
Default response rule
The default response rule, which can be used for all policies, has the IP filter list of <Dynamic> and the filter action of Default Response when the list of rules is viewed with the IP Security Policies snap-in. The default response rule cannot be deleted, but it can be deactivated. It is activated for all of the default policies and you have the option of enabling it when you create new IPSec policies with the IP Security Policy Wizard.
The default response rule is used to ensure that the computer responds to requests for secure communication. If an active policy does not have a rule defined for a computer that is requesting secure communication, then the default response rule is applied and security is negotiated. For example, when Computer A communicates securely with Computer B and Computer B does not have an inbound filter defined for Computer A, the default response rule is used.
Authentication methods and the connection type can be configured for the default response rule. The filter list of <Dynamic> indicates that the filter list is not configured, but that filters are created automatically based on the receipt of IKE negotiation packets. The filter action of Default Response indicates that the action of the filter (permit, block, or negotiate security) cannot be configured. However, you can configure:
The security methods and their preference order on the Security Methods tab in the properties of the default response rule in the IP Security Policies snap-in.
The authentication methods and their preference order on the Authentication Methods tab in the properties of the default response rule in the IP Security Policies snap-in. The default authentication method for the default response rule for new IPSec policies is configured with the IP Security Policy Wizard.
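The following is an added example, not part of the original page, that builds a policy with the rule elements described above (filter list, filter action, authentication methods, connection type), shows two rules whose filter lists differ in specificity, and configures the default response rule, using the netsh ipsec static command set. The policy, filter list, rule and action names, the addresses, ports and key lifetimes are illustrative assumptions; the exact qmsecmethods formatting should be checked against netsh ipsec static add filteraction help on the target system. The commands run unchanged from cmd.exe.

```powershell
# Added example (not from the page). Builds an IPSec policy with netsh ipsec static.
# All names, addresses, ports and lifetimes below are illustrative assumptions.

# 1. Policy container. activatedefaultrule=yes keeps the default response rule
#    (<Dynamic> / Default Response) active. assign=no so nothing takes effect yet.
netsh ipsec static add policy name="Srv-IPSec" description="Example policy" activatedefaultrule=yes assign=no

# 2. Filter lists. FL-Mgmt-RDP is specific (one source host, one TCP port);
#    FL-Subnet-All covers a whole subnet. The IPSec driver applies the rule
#    with the more specific filter first, whatever order the snap-in shows.
netsh ipsec static add filterlist name="FL-Mgmt-RDP" description="RDP from the management host"
netsh ipsec static add filter filterlist="FL-Mgmt-RDP" srcaddr=192.0.2.10 dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

netsh ipsec static add filterlist name="FL-Subnet-All" description="All traffic with the server subnet"
netsh ipsec static add filter filterlist="FL-Subnet-All" srcaddr=192.0.2.0 srcmask=255.255.255.0 dstaddr=me protocol=ANY mirrored=yes

# 3. Filter actions. action=negotiate is the "secure" action.
#    inpass=no  : do not accept unsecured inbound traffic.
#    soft=no    : do not fall back to cleartext if negotiation fails.
#    qmsecmethods lists security methods in preference order (ESP, algorithms, lifetime).
netsh ipsec static add filteraction name="FA-Require-ESP" action=negotiate inpass=no soft=no qmpfs=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s ESP[3DES,MD5]:100000k/3600s"
#    A weaker "request" action for the broad subnet rule: both fallbacks enabled,
#    so matching traffic may pass in cleartext with non-IPSec peers.
netsh ipsec static add filteraction name="FA-Request-ESP" action=negotiate inpass=yes soft=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

# 4. Rules: filter list + filter action + authentication method + connection type.
#    kerberos=yes selects Kerberos V5; psk= or rootca= would select the other methods.
netsh ipsec static add rule name="R-Mgmt-RDP" policy="Srv-IPSec" filterlist="FL-Mgmt-RDP" filteraction="FA-Require-ESP" kerberos=yes conntype=lan description="Require ESP for RDP from the management host"
netsh ipsec static add rule name="R-Subnet" policy="Srv-IPSec" filterlist="FL-Subnet-All" filteraction="FA-Request-ESP" kerberos=yes conntype=all description="Request ESP for other subnet traffic"

# 5. Default response rule: only its security methods, authentication methods
#    and activation can be set; its filter list and action are fixed.
netsh ipsec static set defaultrule policy="Srv-IPSec" activate=yes kerberos=yes qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

# 6. Review the resulting policy, then assign it (only one policy is assigned at a time).
netsh ipsec static show policy name="Srv-IPSec" level=verbose
netsh ipsec static set policy name="Srv-IPSec" assign=yes
```

The two filter actions are deliberately different: FA-Require-ESP refuses cleartext in both directions, while FA-Request-ESP enables the two fallback settings discussed under the Filter Action tab and therefore only protects traffic opportunistically. When checking an existing policy, the show policy output is where to confirm which rules carry the permissive settings.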