To add or edit IPSec filters
In IP Security Policies, double-click the policy that you want to modify.
Double-click the rule that contains the IP filter list you want to modify.
Do one of the following:
If you are adding an IPSec filter list, on the IP Filter List tab, click Add.
If you are reconfiguring an existing IP filter list, double-click the IP filter list.
In IP Filter List, do one of the following:
Use the IP Filter Wizard to create a filter
Confirm that the Use Add Wizard check box is selected, and then click Add.
Create a filter manually
Clear the Use Add Wizard check box, and then click Add.
Reconfigure an existing filter
Double-click the filter.
On the Addressing tab, select the Source Address:
My IP Address
All IP addresses on the computer for which you are configuring this filter.
Any IP Address
A specific DNS Name
The Domain Name System (DNS) name that you specify in Host name. The DNS name is resolved to its IP addresses, and then filters are automatically created for the resolved IP addresses. This option is only available when creating new filters.
A Specific IP Address
The IP address that you specify in IP Address.
A Specific IP Subnet
The IP address that you specify in IP Address and the subnet mask that you specify in Subnet Mask.
Click Destination Address and repeat step 5 for the destination address.
Under Mirrored, select the appropriate setting:
Automatically create two filters based on the filter settings, one for traffic to the destination and one for traffic from the destination
Select the Mirrored check box.
Create a single filter based on the filter settings
Clear the Mirrored check box.
Create a filter for an IPSec tunnel
Clear the Mirrored check box. For IPSec tunnels, you must create two filter lists: one list describes the traffic to be sent through the tunnel (outbound traffic) and another describes the traffic to be received through the tunnel (inbound). Then, create two rules that use the inbound and outbound filter lists in your policy.
On the Description tab, in Description, type a description for this filter (for example, specify to what computers and traffic types it applies).
If you require additional IP filtering by a specific protocol or port number, on the Protocol tab, configure advanced filter settings.
Filters are the most important part of IPSec policy for a computer which is protected by IPSec. If you do not specify the proper filters in either client or server policies, or if the IP addresses change before the policy's filters are updated, security might not be provided.
Never use DHCP-assigned IP addresses in an IPSec filter. Use My IP Address as a source or destination in the policy that is used by a computer that uses a DHCP address. Changes in IP addresses will then automatically update a My IP Address filter.
In the policy of a computer that will be requesting IPSec protection for its traffic, make sure the filter destination address is a static IP address for the destination computer. All IP addresses for the destination must be included in the filter list.
When adding a new static IP address to a protected computer:
Modify the IPSec policy filters on all clients and servers that make security requests to the protected computer. Ensure that those clients have updated their policy before adding the new address.
Inspect the policy being used on the protected computer. If the filters specify static IP addresses for local connections, after adding the new IP address to the interface, edit and save the new filter list to include the new static IP address. My IP Address filters will be automatically updated when the new static IP address is added.
If the protected computer is a Web server and your clients use a proxy server, make sure that communications over all network paths are secured by IPSec:
Between the Web server and all clients that directly connect
Between the Web server and the proxy server
Between the proxy server and all clients of the proxy server
The following filters are internally defined to permit (not secure) this traffic:
Internet Key Exchange (IKE): Source Address = Any, Destination Address = Any, Protocol = UDP, Source port = 500, Destination port = 500
IP Multicast traffic
IP Broadcast traffic
Kerberos V5: Source Address = Any, Destination Address = Any, Protocol = UDP or TCP, Source port = 88, Destination port=88
Resource Reservation Protocol (RSVP): Source Address = Any, Destination Address = Any, Protocol = 46
By default, all Kerberos and Resource Reservation Protocol (RSVP) traffic is permitted. However, you can secure Kerberos and RSVP traffic by editing the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC. Add a new value named NoDefaultExempt and assign to it a value of 1. For more information about adding values to registry keys, see To add a value
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.
To define Active Directory-based IPSec policy, you must have Group Policy administrative permissions. To manage local or remote IPSec policy for a computer, you must be a member of the Administrators group on the local or remote computer.
To configure IP protocol, TCP port, or UDP port settings for a filter, see Related Topics.
To open IP Security Policies, see Related Topics.
For IPSec tunnel rules, only address-based filters are supported. Protocol-specific and port-specific filters are not supported. Tunnel filters should not be mirrored.
Filters are applied in the order of most-specific filters first. Filters are not applied in the order in which they appear in the list.
If an outbound packet does not match any filter, it is sent unsecured.
If an inbound packet does not match any filter, it is permitted.
If an IKE security request is received, the source IP address of the request is used to find a matching filter. The security action and tunnel setting that is associated with that filter determines the IKE response.
The A specific DNS Name option is used when creating filters to create IP address-based filters by resolving a DNS name to its IP addresses. The use of a computer name is for the one-time resolution of DNS names to IP addresses when creating the filter. The computer name is not used after the filters are created.
All filters used in tunnel rules are matched first before end-to-end transport filters are matched.