Configure custom IPSec security methods
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To configure custom IPSec security methods
1. Create a console containing IP Security Policies, or open a saved console file containing IP Security Policies.
2. Double-click the policy that you want to modify.
3. Double-click the rule that you want to modify, and then click the Filter Action tab.
4. Double-click the filter action that you want to modify.
5. On the Security Methods tab, do one of the following:
   - To add a new security method, click Add.
   - To modify an existing security method, click the security method that you want to modify, and then click Edit.
   - To remove a security method, click the security method that you want to remove, and then click Remove.
6. If you are adding or modifying a security method, on the Security Method tab, click Custom, and then click Settings.
7. To provide integrity for both the packet's addressing information (IP header) and the data, select the Data and address integrity without encryption (AH) check box, and then, in Integrity algorithm, click one of the following:
   - MD5 to use the Message Digest 5 (MD5) integrity algorithm, which uses a 128-bit key.
   - SHA1 to use the Secure Hash Algorithm 1 (SHA1) integrity algorithm, which uses a 160-bit key.
8. To provide both integrity and encryption (confidentiality) for the data, select the Data integrity and encryption (ESP) check box, and then, in Integrity algorithm, click one of the following:
   - <None> to use no data integrity. If you have enabled AH, you can click <None> for the ESP integrity algorithm to improve performance.
   - MD5 to use the MD5 integrity algorithm, which uses a 128-bit key.
   - SHA1 to use the SHA1 integrity algorithm, which uses a 160-bit key.
9. If you selected the Data integrity and encryption (ESP) check box, in Encryption algorithm, click one of the following:
   - <None> to use no encryption.
   - DES to use Data Encryption Standard (DES) with a 56-bit key.
   - 3DES to use triple DES (3DES) with three 56-bit keys.
10. To change the default session key lifetime settings, do one of the following:
   - To specify the number of kilobytes of data transferred before a new session key is generated, select the Generate a new key every check box, and then type a value in Kbytes.
   - To specify the number of seconds that elapse before a new session key is generated, select the Generate a new key every check box, and then type a value in seconds.
Notes
To manage Active Directory-based IPSec policies, you must be a member of the Domain Admins group in Active Directory, or you must have been delegated the appropriate authority. To manage local or remote IPSec policies for a computer, you must be a member of the Administrators group on the local or remote computer. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. For more information, see Default local groups and Default groups.
To create a console containing IP Security Policies, start the IP Security Policies snap-in. To open a saved console file, open MMC. For more information, see Related Topics.
You cannot choose <None> for both the ESP integrity and the encryption algorithm.
Use caution when specifying lifetimes. The default internal lifetimes should work in most environments and be interoperable with other products. If your security requirements demand shorter lifetime values, you can explicitly set appropriate lifetime values in each security method. The lowest values that are explicitly set on initiator and responder will be used.
Using shorter lifetime values does not increase the security with which data is protected. Short key lifetimes will only decrease the amount of data that is revealed if an attacker discovers one encryption key. Instead of adjusting the lifetime values lower, consider using a stronger encryption algorithm to protect data, such as 3DES.
Before changing the default lifetimes, you should understand how lifetimes and rekeying work in detail. For more information, see Filter action in Related Topics.
Computers running Windows 2000 must have the High Encryption Pack or Service Pack 2 (or later) installed in order to use the 3DES algorithm. If a computer running Windows 2000 receives a 3DES setting, but does not have the High Encryption Pack or Service Pack 2 (or later) installed, the 3DES setting in the security method is set to the weaker DES, to provide some level of confidentiality for communication, rather than blocking all communication. However, you should only use DES as a fallback option if not all computers in your environment support the use of 3DES. Computers running Windows XP or a Windows Server 2003 operating system support 3DES and do not require installation of the High Encryption Pack.
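As an added illustration (not part of this Help topic or of any Windows component), the following Python models the rules this topic states for a custom security method: the AH and ESP choices, the constraint that ESP integrity and encryption cannot both be <None>, the 3DES-to-DES fallback when a Windows 2000 peer lacks the High Encryption Pack or SP2, and negotiation of the lowest explicitly set lifetime. The class, its field names, and the treatment of a lifetime set on only one side are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Algorithm names as they appear in the Custom Security Method Settings dialog.
INTEGRITY_ALGS = {"MD5", "SHA1"}
ENCRYPTION_ALGS = {"DES", "3DES"}


@dataclass(frozen=True)
class SecurityMethod:
    """Hypothetical model of one custom security method's dialog fields."""
    ah_integrity: Optional[str] = None    # AH integrity algorithm; None if AH unchecked
    esp: bool = False                     # "Data integrity and encryption (ESP)" check box
    esp_integrity: Optional[str] = None   # ESP integrity algorithm; None means <None>
    esp_encryption: Optional[str] = None  # ESP encryption algorithm; None means <None>
    lifetime_kbytes: Optional[int] = None   # None: default internal lifetime applies
    lifetime_seconds: Optional[int] = None


def validate(m: SecurityMethod) -> List[str]:
    """Return the problems the dialog's rules flag (empty list means acceptable)."""
    problems = []
    if m.ah_integrity is None and not m.esp:
        problems.append("select AH, ESP or both")
    if m.ah_integrity is not None and m.ah_integrity not in INTEGRITY_ALGS:
        problems.append(f"unknown AH integrity algorithm: {m.ah_integrity}")
    if m.esp:
        if m.esp_integrity is None and m.esp_encryption is None:
            problems.append("ESP integrity and encryption cannot both be <None>")
        if m.esp_integrity is not None and m.esp_integrity not in INTEGRITY_ALGS:
            problems.append(f"unknown ESP integrity algorithm: {m.esp_integrity}")
        if m.esp_encryption is not None and m.esp_encryption not in ENCRYPTION_ALGS:
            problems.append(f"unknown ESP encryption algorithm: {m.esp_encryption}")
    return problems


def effective_encryption(m: SecurityMethod, peer_supports_3des: bool) -> Optional[str]:
    """Encryption actually used: a Windows 2000 peer without the High Encryption
    Pack or SP2 replaces 3DES with the weaker DES instead of blocking traffic."""
    if m.esp_encryption == "3DES" and not peer_supports_3des:
        return "DES"
    return m.esp_encryption


def negotiated_lifetime(a: SecurityMethod, b: SecurityMethod) -> Tuple[Optional[int], Optional[int]]:
    """Lowest lifetime explicitly set on initiator or responder wins (assumption:
    a value set on one side only is used); None if neither side set one."""
    def lowest(x: Optional[int], y: Optional[int]) -> Optional[int]:
        explicit = [v for v in (x, y) if v is not None]
        return min(explicit) if explicit else None
    return (lowest(a.lifetime_kbytes, b.lifetime_kbytes),
            lowest(a.lifetime_seconds, b.lifetime_seconds))
```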
Information about functional differences
- Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.
See Also
Concepts
Start the IP Security Policy Management snap-in
Open MMC
Add, edit, or remove IPSec security methods
Filter action
Working with MMC console files