Understanding IPSec Driver Startup Modes

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To understand how IPSec policies are processed and applied, it is important to understand the modes in which the IPSec driver operates. The IPSec driver can operate in any of the following three computer startup modes:

  • Permit. In this mode, the IPSec driver permits all inbound and outbound traffic. After a persistent, local, or domain-based IPSec policy is applied, the IPSec driver no longer operates in this mode.

  • Block. In this mode, the IPSec driver blocks all inbound and outbound traffic until persistent policy is applied, except for traffic that matches any specific permit filters that you configure (by using the netsh ipsec dynamic set config bootexemptions command), and DHCP traffic.

  • Stateful. In this mode, the IPSec driver permits all outbound traffic initiated by the computer during startup. Inbound traffic that is sent in response to the outbound traffic is permitted, specific to the peer IP address, protocol, and source and destination ports. The IPSec driver also permits inbound traffic that matches any specific filters that you configure (by using the netsh ipsec dynamic set config bootexemptions command), and DHCP traffic. All other inbound unicast, broadcast, and multicast packets are dropped. The stateful inbound permit filters are discarded after the IPSec service starts and sets persistent IPSec policy.

If a persistent, local, or domain-based IPSec policy has been assigned to a computer, the IPSec Policy Agent sets the stateful mode for the IPSec driver by default. You can change the default startup mode for the IPSec driver by using the Netsh IPSec context or by modifying the registry.

To change the default startup mode of the IPSec driver by using the Netsh IPSec context, use the following command:

netsh ipsec dynamic set config bootmode value={stateful | block | permit}

To change the default startup mode of the IPSec driver by modifying the registry

  1. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC, add a new DWORD entry named OperationMode.

  2. Assign this new registry entry one of the values 0, 1, or 3, where:

    • A value of 0 specifies that the IPSec driver operate in Permit mode, to allow all inbound and outbound traffic.

    • A value of 1 specifies that the IPSec driver operate in Block mode, except to allow traffic that matches any specific permit filters that you configure by using Netsh, and DHCP traffic.

    • A value of 2 is reserved.

    • A value of 3 specifies that the IPSec driver operate in Stateful mode and permits inbound traffic that matches any specific filters that you configure (by using the netsh ipsec dynamic set config bootexemptions command), and DHCP traffic.

  3. Restart the computer.
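The following PowerShell script is an added example and is not part of the original article or of the Windows product documentation. It wraps the registry procedure above in two functions: one that audits the configured startup mode (mapping the OperationMode values 0, 1, and 3 to Permit, Block, and Stateful as documented) and one that sets it with -WhatIf support. The function names, the hashtables, and the audit warning are this example's own conventions; the registry path and value meanings are taken from the article.

```powershell
# Added example, not from the original article. Registry path and value
# meanings follow the article; the function names are this script's own.
$IpsecKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPSEC'
$ModeNames = @{ 0 = 'Permit'; 1 = 'Block'; 3 = 'Stateful' }   # 2 is reserved

function Get-IpsecDriverStartupMode {
    # Returns the configured OperationMode value and what it means.
    # When the value is absent the driver uses its default (Stateful once
    # any IPSec policy is assigned), so that case is reported explicitly.
    $item = Get-ItemProperty -Path $IpsecKey -Name 'OperationMode' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Mode = 'Default (Stateful when a policy is assigned)' }
    }
    $v = [int]$item.OperationMode
    $name = if ($ModeNames.ContainsKey($v)) { $ModeNames[$v] } else { "Unknown or reserved ($v)" }
    [pscustomobject]@{ Value = $v; Mode = $name }
}

function Set-IpsecDriverStartupMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Permit', 'Block', 'Stateful')]
        [string]$Mode
    )
    $value = @{ Permit = 0; Block = 1; Stateful = 3 }[$Mode]
    if ($PSCmdlet.ShouldProcess($IpsecKey, "Set OperationMode=$value ($Mode)")) {
        # -Force creates the DWORD entry or overwrites an existing one.
        New-ItemProperty -Path $IpsecKey -Name 'OperationMode' -PropertyType DWord -Value $value -Force | Out-Null
        Write-Warning 'The new startup mode takes effect only after the computer is restarted.'
    }
}

# Audit: report the mode and flag a computer whose driver starts in Permit mode,
# because in that mode all traffic is allowed until an IPSec policy is applied.
$state = Get-IpsecDriverStartupMode
"IPSec driver startup mode: $($state.Mode)"
if ($state.Value -eq 0) {
    Write-Warning 'Driver starts in Permit mode: all inbound and outbound traffic is allowed until policy is applied.'
}

# To change the mode, preview first, then run without -WhatIf:
#   Set-IpsecDriverStartupMode -Mode Block -WhatIf
#   Set-IpsecDriverStartupMode -Mode Block
```

Run the script in an elevated session; reading the key works for any user, but writing OperationMode requires administrative rights, and as the article states the new mode is not used until the next restart. The same setting can also be read back with netsh ipsec dynamic show config, which is the query counterpart of the netsh ipsec dynamic set config bootmode command shown above.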

Caution