Updated: July 11, 2020 (January 14, 2002)


Controlling IPSec Behavior Using Group Policy


When an IPSec policy is assigned to a computer, all incoming and outgoing packets are checked against one or more rules. The IPSec policies of both the initiator and the target devices determine the resulting connection policy.

During Internet Key Exchange (IKE) negotiation, the two devices determine which specific parameters comply with the rules on both ends. For instance, the two devices could agree that all traffic between them should use Authentication Header (AH) protection, the SHA-1 hashing algorithm, and certificate-based authentication.

If no mutually acceptable combination exists, the connection request terminates.

Each rule has the following elements:

Filters. A filter defines a template that network traffic must match for the rule to be applied. It could be so broad as to include all IP traffic, or so specific as to limit traffic to a single application protocol, such as Telnet, from a single IP address.

Filter actions. The filter action describes what happens to every packet that matches a filter. Each packet is either permitted to pass unsecured, blocked, or made to negotiate IPSec security with the destination computer. If security is required, the filter action specifies whether to use the AH or Encapsulating Security Payload (ESP) protocol, defines which hashing and encryption algorithms are acceptable for each method, and ranks all possible combinations in order of preference. Windows 2000 IPSec supports the 56-bit Data Encryption Standard (DES) and 168-bit TripleDES (3DES) encryption algorithms, and the Secure Hash Algorithm-1 (SHA-1) and Message Digest 5 (MD5) hashing algorithms.
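The rule model described above (a filter, a filter action, and a ranked list of acceptable combinations) can be sketched as a small Python model showing how a connection ends up permitted, blocked, secured, or terminated. This is an added illustration, not Microsoft's implementation or code from the original article. The `Rule` class, the function names, the narrowest-filter-wins selection, the initiator-preference negotiation order, and the sample addresses are assumptions of the sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:                      # hypothetical model of one IPSec rule
    src_net: str                 # filter: source network (CIDR)
    protocol: str                # filter: "any", "tcp" or "udp"
    dst_port: Optional[int]      # filter: None matches any port
    action: str                  # "permit", "block" or "negotiate"
    offers: tuple = ()           # ranked (protocol, hash, cipher) combinations

    def matches(self, src, protocol, dst_port):
        return (ip_address(src) in ip_network(self.src_net)
                and self.protocol in ("any", protocol)
                and self.dst_port in (None, dst_port))

    def specificity(self):       # assumption: the narrowest filter wins
        return (ip_network(self.src_net).prefixlen,
                self.protocol != "any", self.dst_port is not None)

def select_rule(rules, src, protocol, dst_port):
    hits = [r for r in rules if r.matches(src, protocol, dst_port)]
    return max(hits, key=Rule.specificity) if hits else None

def negotiate(initiator_offers, responder_offers):
    # Assumption: walk the initiator's ranking, take the first mutual match.
    return next((o for o in initiator_offers if o in responder_offers), None)

def decide(rules, peer_offers, src, protocol, dst_port):
    """Outcome for an inbound connection from src; this host is the responder."""
    rule = select_rule(rules, src, protocol, dst_port)
    if rule is None:
        return ("no-rule", None)
    if rule.action != "negotiate":
        return (rule.action, None)
    agreed = negotiate(peer_offers, rule.offers)
    # No mutually acceptable combination: the connection request terminates.
    return ("secured", agreed) if agreed else ("terminated", None)

# Constructed sample policy (documentation address ranges, not from the article).
POLICY = [
    Rule("0.0.0.0/0", "any", None, "negotiate",
         (("ESP", "SHA-1", "3DES"), ("AH", "SHA-1", None))),
    Rule("0.0.0.0/0", "tcp", 23, "block"),            # Telnet from anywhere
    Rule("192.0.2.10/32", "tcp", 23, "negotiate",     # Telnet from one address
         (("ESP", "SHA-1", "3DES"),)),
]
```

A peer that offers only DES with MD5 to the Telnet rule for 192.0.2.10 ends in `terminated`, because that rule accepts 3DES with SHA-1 alone.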
