IPSEC FAQ - PowerPoint PPT Presentation

Slides: 60
Provided by: steelrabb
Transcript and Presenter's Notes


1
IPSEC FAQ
  • http://www.microsoft.com/windowsserver2003/techinfo/overview/ipsecfaq.mspx

2
What is IPsec?
  • Internet Protocol security (IPsec) is a framework
    of open standards for ensuring private, secure
    communications over Internet Protocol (IP)
    networks, through the use of cryptographic
    security services. The Internet Engineering Task
    Force (IETF) IPsec working group defines the
    IPsec standards.
  • IPsec is the long-term direction for secure
    networking. It provides aggressive protection
    against private network and Internet attacks
    through end-to-end security. The only computers
    that must know about IPsec protection are the
    sender and receiver in the communication. IPsec
    provides the ability to protect communication
    between workgroups, local area network computers,
    domain clients and servers, branch offices (which
    might be physically remote), extranets, and
    roving clients.
  • The Microsoft Windows 2000, Windows XP, and the
    Windows Server 2003 family implementations of
    IPsec are IETF standards-based.

3
Where can I find background information on IPsec?
  • For the IETF standards, see the IETF Internet
    Protocol Security working group.
  • For an overview of IPsec in Windows Server 2003,
    see the Internet Protocol Security for Microsoft
    Windows Server 2003 white paper.
  • For an overview of IPsec in Windows 2000, see the
    Internet Protocol Security for Microsoft Windows
    2000 Server white paper.

4
Where is the Microsoft IPsec documentation?
  • IPsec documentation is included with Windows 2000
    (click Start, then click Help), Windows XP (click
    Start, then click Help and Support), and Windows
    Server 2003 (click Start, then click Help and
    Support). There are also IPsec chapters of the
    Windows 2000 Server Resource Kit, Windows Server
    2003 Deployment Guide, and the Windows Server
    2003 Technical Reference.
  • For a list of all the resources for IPsec in
    Windows Server 2003, see the Windows Server 2003
    IPsec Web site.
  • For a list of all the resources for IPsec in
    Windows 2000, see the Windows 2000 IPsec Web site.

5
What standards define IPsec?
  • The following IETF standards define IPsec:
  • RFC 2401 Security Architecture for the Internet
    Protocol
  • RFC 2402 IP Authentication Header
  • RFC 2403 The Use of HMAC-MD5-96 within ESP and
    AH
  • RFC 2404 The Use of HMAC-SHA-1-96 within ESP and
    AH
  • RFC 2405 The ESP DES-CBC Cipher Algorithm With
    Explicit IV
  • RFC 2406 IP Encapsulating Security Payload (ESP)
  • RFC 2407 The Internet IP Security Domain of
    Interpretation for ISAKMP
  • RFC 2408 Internet Security Association and Key
    Management Protocol (ISAKMP)
  • RFC 2409 The Internet Key Exchange (IKE)

6
What are the differences between IPsec and
firewalls?
  • Firewalls are designed to monitor incoming and
    outgoing traffic to determine whether the traffic
    is allowed. The Windows implementation of IPsec
    can also perform this function. However, IPsec
    can also ensure that the incoming and outgoing
    traffic is secure (protected with cryptography).
    For example, with the correct IPsec policy
    settings, you can require that all communications
    between domain controllers be secured.
  • Another key difference between IPsec for Windows
    and firewalls is the following:
  • The default behavior of firewalls is to discard
    incoming or outgoing traffic unless there is an
    exception to allow it. The default behavior of
    IPsec for Windows is to allow incoming or
    outgoing traffic, unless there is an exception to
    discard or secure it.

7
What usage scenarios are currently recommended?
  • The following usage scenarios are currently
    recommended:
  • Server and Domain Isolation Using IPsec and Group
    Policy
  • Using Microsoft IPsec for Windows to Help Secure
    an Internal Corporate Network Server
  • Active Directory in Networks Segmented by
    Firewalls
  • Improving Security with Domain Isolation

8
Why would I use IPsec instead of Secure Sockets
Layer (SSL)?
  • Because IPsec works at the IP layer of the
    Transmission Control Protocol/Internet Protocol
    (TCP/IP) protocol stack, you do not have to
    modify existing applications to use IPsec. All
    TCP/IP applications can use IPsec, whereas only
    SSL-enabled TCP/IP applications can use SSL.
    IPsec is an excellent solution to securing the
    traffic of legacy applications.
  • Other points of contrast between IPsec and SSL
    are the following:
  • SSL was designed for client application-to-server
    application authentication and encryption. IPsec
    can be used end-to-end or for gateway-to-gateway
    scenarios.
  • SSL only supports the use of digital certificates
    for authentication. The Windows implementation of
    IPsec supports the use of Kerberos, preshared
    key, and digital certificates for authentication.

9
What are the differences between using IPsec and
the Windows Firewall for blocking or permitting
traffic?
  • With IPsec for Windows policy settings, you can
    block or permit incoming and outgoing traffic
    based on:
  • The source and destination addresses based on
    IPv4 address ranges expressed as subnets
  • The IP protocol number
  • The source and destination Transmission Control
    Protocol (TCP) and User Datagram Protocol (UDP)
    ports. In contrast, with Windows Firewall you can
    only specify exceptions (incoming traffic that is
    permitted) based on source IPv4 address ranges
    expressed as subnets and destination TCP and UDP
    ports.
  • However, with Windows Firewall, you can do the
    following:
  • Specify exceptions based on program names
  • Permit or block Internet Protocol version 6
    (IPv6) traffic and specify both port and
    program-based exceptions

10
What is an IPsec policy?
  • An IPsec Policy is a group of settings that
    specify IPsec behavior with regard to the types
    of traffic that are permitted, blocked, or
    secured. An IPsec policy consists of:
  • General IPsec policy settings: Settings that apply
    regardless of which rules are configured. These
    settings determine the name of the policy, its
    description for administrative purposes, how
    often to check for policy changes, key exchange
    settings, and key exchange methods.
  • IPsec policy rules: One or more IPsec rules that
    determine which types of traffic IPsec must
    examine, how traffic is treated, how to
    authenticate an IPsec peer, and other settings
    such as the type of network connection to which
    the rule applies and whether or not to use IPsec
    tunneling.
  • After IPsec policies are created, an individual
    IPsec policy can be assigned (activated) at the
    domain, site, organizational unit, and local
    level.

11
What is an IPsec policy rule?
  • Each IPsec rule contains the following
    configuration items:
  • Filter list: A single filter list is selected that
    contains one or more predefined packet filters
    that describe the types of traffic to which the
    configured filter action for this rule is
    applied. The filter list is configured on the IP
    Filter List tab in the properties of an IPsec
    rule within an IPsec policy.
  • Filter action: A single filter action is selected
    that includes the type of action required
    (Permit, Block, or Negotiate Security) for
    packets that match the filter list. For the
    Negotiate Security filter action, the negotiation
    data contains one or more security methods that
    are used (in order of preference) during IKE
    negotiations and other IPsec settings. Each
    security method determines the security protocol
    (such as Authentication Header (AH) or
    Encapsulating Security Payload (ESP)), the
    specific cryptographic and hashing algorithms,
    and session key regeneration settings used. The
    filter action is configured on the Filter Action
    tab in the properties of an IPsec rule within an
    IPsec policy.
  • Authentication methods: One or more authentication
    methods are configured (in order of preference)
    and used for authentication of IPsec peers during
    main mode negotiations. The available
    authentication methods are the Kerberos V5
    protocol, use of a certificate issued from a
    specified certification authority, or a preshared
    key. The authentication methods are configured on
    the Authentication Methods tab in the properties
    of an IPsec rule within an IPsec policy.
  • Tunnel endpoint: Specifies whether the traffic is
    tunneled and, if it is, the IP address of the
    tunnel endpoint. For outbound traffic, the tunnel
    endpoint is the IP address of the IPsec tunnel
    peer. For inbound traffic, the tunnel endpoint is
    a local IP address. The tunnel endpoint is
    configured on the Tunnel Setting tab in the
    properties of an IPsec rule within an IPsec
    policy.
  • Connection type: Specifies whether the rule
    applies to local area network (LAN) connections,
    dial-up connections, or both. The connection type
    is configured on the Connection Type tab in the
    properties of an IPsec rule within an IPsec
    policy.
  • The rules for a policy are displayed in reverse
    alphabetical order based on the name of the
    filter list selected for each rule. There is no
    method for specifying an order in which to apply
    the rules in a policy. IPsec for Windows
    automatically creates an IPsec filter list and
    orders the list based on the most specific to the
    least specific filter list. For example, a filter
    that specified individual IP addresses would be
    applied before a filter that specified all
    addresses on a subnet.

12
When should the predefined policies be used?
  • The predefined policies should only be used for
    testing and research purposes. You should create
    your own IPsec policy when deploying IPsec in a
    production environment.

13
What is an IP filter?
  • An IP filter defines a specific set of IP
    traffic. The configuration parameters of an IP
    filter are the following:
  • Source address (individual address or address
    range)
  • Source address mask
  • Source TCP port
  • Source UDP port
  • Destination address (individual address or
    address range)
  • Destination address mask
  • Destination TCP port
  • Destination UDP port
  • IP protocol

14
What is an IP filter list?
  • An IP filter list is a set of IP filters grouped
    together under a common name, typically for the
    purpose of applying a specific filter action.

15
What is a filter action?
  • A filter action defines how IPsec will handle
    traffic. You can specify permit, block, or secure
    (known as Negotiate Security) filter actions.
    When you select the secure filter action, you
    must also specify security methods,
    authentication methods, connection type, and
    whether to use IPsec tunneling.

16
What does the "Allow unsecured communication with
non IPsec-aware computer" checkbox on the
"Security Methods" tab do?
  • Specifies whether to allow unsecured
    communications with computers that cannot
    negotiate the use of IPsec or process
    IPsec-secured traffic. You can use this option to
    secure traffic with computers on your network
    that are IPsec-capable while allowing unsecured
    communications with computers on your network
    that are not IPsec-capable. However, when you
    enable this option, unsecured traffic is allowed
    when IPsec negotiations with an IPsec-capable
    computer fail.

17
What does the "Accept unsecured communication,
but always respond using IPsec" checkbox on the
"Security Methods" tab do?
  • Specifies whether to accept initial unsecured
    traffic sent by another computer, but require
    secure communication when replying. This option
    is typically enabled on a policy that is assigned
    to server computers when the client computers
    have a policy assigned in which the default
    response rule is enabled. This simplifies IPsec
    deployment because the policy assigned to the
    client computers does not have to be configured
    with additional rules that initiate secured
    communication to all secured servers.

18
What does the "Session Key perfect forward
secrecy" checkbox on the "Security Methods" tab
do?
  • Specifies whether you want to renegotiate new
    master key keying material each time a new
    session key is required. When session key perfect
    forward secrecy (PFS) is disabled, new session
    keys are derived from current master key keying
    material, subject to the number of times the
    master key keying material can be used to derive
    the session key. Although enabling session key
    perfect forward secrecy (PFS) provides greater
    security, performance and throughput might be
    impacted.

19
What is the Default Response rule used for?
  • The default response rule, which can be used for
    all policies, has the IP filter list of <Dynamic>
    and the filter action of Default Response when
    the list of rules is viewed with the IP Security
    Policies snap-in. The default response rule
    cannot be deleted, but it can be deactivated. It
    is activated by default for all policies.
  • The default response rule is used to ensure that
    the computer responds to requests for secure
    communication. If an active policy does not have
    a rule defined for a computer that is requesting
    secure communication, then the default response
    rule is applied and security is negotiated. For
    example, when Computer A communicates securely
    with Computer B, and Computer B does not have an
    inbound filter defined for Computer A, the
    default response rule is used.
  • When enabled on a client computer, the default
    response rule allows the client to start
    communicating in the clear to a server with the
    Accept unsecured communication, but always
    respond using IPsec option enabled. The server
    will respond with a negotiation request that, if
    successful, protects the rest of the traffic.
  • Security methods and authentication methods can
    be configured for the default response rule. The
    filter list of <Dynamic> indicates that the
    filter list is not configured, but that filters
    are created automatically based on the receipt of
    IKE negotiation packets. The filter action of
    Default Response indicates that the action of the
    filter (Permit, Block, or Negotiate Security)
    cannot be configured. Negotiate Security will be
    used. However, you can configure:
  • The security methods and their preference order
    on the Security Methods tab.
  • The authentication methods and their preference
    order on the Authentication Methods tab.

20
How are IPsec policies applied in the Active
Directory directory service?
  • For computers that obtain their IPsec policy
    through Active Directory-based group policy, the
    IPsec policy applied is the one assigned to the
    Group Policy object (GPO) that is closest to the
    computer in the Active Directory domain
    structure, when following the domain structure up
    to the root of the domain. For example, if a
    computer is a member of an organizational unit
    (OU), then the IPsec policy assigned to that OU's
    GPO would be the one applied. However, if the
    OU's GPO does not have an assigned IPsec policy,
    then the computer will apply the IPsec policy
    assigned to the GPO in the next OU up the Active
    Directory tree towards the root.
  • The IPsec policies in different GPOs are not
    merged. Only one IPsec policy is applied, the one
    assigned with the closest GPO towards the root of
    the Active Directory tree.

21
Can I use IPsec to secure multicast or broadcast
traffic? What about blocking it?
  • No. IPsec does not secure multicast or broadcast
    traffic. However, you can configure IPsec to
    block multicast or broadcast traffic.

22
How does IPsec for Windows determine filter
ordering?
  • IPsec for Windows derives an IPsec filter list
    from the rules of the assigned IPsec policy. The
    IPsec filter list, which is derived from but
    different than the IP filter lists configured in
    the IPsec policy, is the end result of the policy
    configuration, specifying the exact set of
    interesting traffic and how it is to be handled.
    The IPsec filter list is ordered by a weight
    value, which is based on how specific the
    originally defined IP filter is. More specific IP
    filters will produce IPsec filters with a higher
    weight value. For more information, see IPsec
    Filter Ordering.

23
What happens when filters conflict?
  • Conflicting IPsec filters contain the same value
    for addressing, ports, and the IP Protocol field
    value, but have different filter actions. For
    example, one IPsec filter may permit and the
    other IPsec filter may block. When there are
    conflicting IPsec filters, the IPsec filter with
    the most restrictive filter action is added to
    the IPsec filter list. The block filter action is
    more restrictive than the secure filter action,
    which is more restrictive than the permit filter
    action.

24
Do you need to exempt DNS traffic from being
secured with IPsec?
  • Yes. You should create an exemption that permits
    DNS traffic (TCP port 53 and UDP port 53).

25
Do you need to exempt NetBIOS over TCP/IP name
resolution traffic from being secured with IPsec?
  • Yes. You should create an exemption that permits
    NetBIOS over TCP/IP name resolution traffic,
    commonly sent between client computers and
    Windows Internet Name Service (WINS) server
    computers (UDP port 137).
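The filter parameters of slide 13, the specificity ordering of slide 22, the conflict rule of slide 23 and the DNS and WINS exemptions of slides 24 and 25, worked through as one added Python example written for this page; it is not Microsoft's code and does not use the Windows policy store format. The CIDR addressing, the specificity scoring, the sample addresses and all function and class names are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Filter actions ranked by restrictiveness: block > secure > permit (slide 23).
RESTRICTIVENESS = {"permit": 0, "secure": 1, "block": 2}


@dataclass(frozen=True)
class IPFilter:
    """One IP filter with the parameters listed on slide 13 (a constructed model,
    not the Windows policy store format). Address and mask are folded into CIDR."""
    src: str                  # CIDR such as "10.0.0.0/8"; "0.0.0.0/0" means any address
    dst: str
    protocol: Optional[int]   # IP protocol number (6 = TCP, 17 = UDP); None = any
    src_port: Optional[int]   # TCP/UDP source port; None = any
    dst_port: Optional[int]   # TCP/UDP destination port; None = any
    action: str               # "permit", "block" or "secure" (Negotiate Security)

    def key(self):
        """Addressing, ports and protocol. Two filters with the same key but
        different actions are 'conflicting' in the sense of slide 23."""
        return (self.src, self.dst, self.protocol, self.src_port, self.dst_port)

    def weight(self) -> int:
        """More specific filters get a higher weight (slide 22). The scoring is an
        assumption for illustration: longer prefixes and any stated protocol or
        port count as more specific. Windows' real weighting is not on the slide,
        so these numbers are not its values."""
        w = (ipaddress.ip_network(self.src).prefixlen
             + ipaddress.ip_network(self.dst).prefixlen)
        w += sum(1 for x in (self.protocol, self.src_port, self.dst_port) if x is not None)
        return w

    def matches(self, src_ip, dst_ip, protocol, src_port, dst_port) -> bool:
        """True when a packet with these header values falls under this filter."""
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        for want, have in ((self.protocol, protocol),
                           (self.src_port, src_port),
                           (self.dst_port, dst_port)):
            if want is not None and want != have:
                return False
        return True


def build_ipsec_filter_list(filters):
    """Derive the ordered IPsec filter list from the policy's IP filters
    (slides 22 and 23): conflicting filters collapse to the most restrictive
    action, and the result is ordered from most to least specific."""
    merged = {}
    for f in filters:
        current = merged.get(f.key())
        if current is None or RESTRICTIVENESS[f.action] > RESTRICTIVENESS[current.action]:
            merged[f.key()] = f
    return sorted(merged.values(), key=IPFilter.weight, reverse=True)


def decide(filter_list, src_ip, dst_ip, protocol, src_port=None, dst_port=None):
    """The first (most specific) matching filter decides. With no match, IPsec
    for Windows allows the traffic (slide 6), so the default is permit."""
    for f in filter_list:
        if f.matches(src_ip, dst_ip, protocol, src_port, dst_port):
            return f.action
    return "permit"


def sample_policy():
    """Constructed domain-isolation style policy. Addresses are constructed
    sample values, not real hosts. Two filters for the whole 10/8 range conflict
    (permit vs secure) so that the conflict rule is exercised."""
    lan = "10.0.0.0/8"
    return [
        IPFilter(lan, lan, None, None, None, "secure"),           # secure all LAN traffic
        IPFilter(lan, lan, None, None, None, "permit"),           # conflicting duplicate, loses
        IPFilter(lan, "10.0.0.53/32", 17, None, 53, "permit"),    # DNS exemption, UDP 53 (slide 24)
        IPFilter(lan, "10.0.0.53/32", 6, None, 53, "permit"),     # DNS exemption, TCP 53 (slide 24)
        IPFilter(lan, "10.0.0.137/32", 17, None, 137, "permit"),  # WINS exemption, UDP 137 (slide 25)
        IPFilter(lan, lan, 6, None, 23, "block"),                 # block telnet inside the LAN
    ]


if __name__ == "__main__":
    fl = build_ipsec_filter_list(sample_policy())
    for f in fl:
        print(f.weight(), f.action, f.key())
    print(decide(fl, "10.1.1.1", "10.0.0.53", 17, 1025, 53))   # permit
    print(decide(fl, "10.1.1.1", "10.2.2.2", 6, 1025, 23))     # block
    print(decide(fl, "10.1.1.1", "10.2.2.2", 6, 1025, 445))    # secure
    print(decide(fl, "10.1.1.1", "192.0.2.10", 6, 1025, 80))   # permit (no filter matches)
```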

26
Do I need to configure Windows Firewall for
exceptions for IPsec traffic?
  • No. IPsec for Windows automatically creates the
    exceptions for IPsec negotiation traffic (UDP
    ports 500 and 4500) when the active IPsec policy
    requires secure traffic.

27
Why does Microsoft recommend against using
preshared key authentication for IPsec?
  • The use of preshared key authentication is not
    recommended because it is a relatively weak
    authentication method. Preshared key
    authentication creates a master key that is less
    secure than digital certificates or the Kerberos
    V5 protocol. In addition, preshared keys are
    stored in plaintext and can be viewed by users
    with administrator-level privileges. Preshared
    key authentication is provided for
    interoperability purposes and to adhere to IPsec
    standards. It is recommended that you use
    preshared keys only for testing and that you use
    digital certificates or Kerberos V5 instead in a
    production environment.

28
Why does IPsec use computer authentication and
not user authentication?
  • IPsec is designed for computer-to-computer
    security services and is independent of the
    actual traffic being secured. User credentials
    are employed by Application layer components,
    rather than Network layer components.
    Additionally, IPsec might need to secure traffic
    before a user has logged on to the computer.

29
What certificate attributes are required for
IPsec to accept the certificate?
  • IPsec requires the following attributes for
    certificates used in IPsec authentication:
  • Must contain an RSA public key that has a
    corresponding private key that can be used for
    RSA signatures
  • Cannot be expired
  • Must have been issued from a trusted root
    certification authority
  • For additional information, see the "IKE Main
    Mode and Quick Mode Negotiation" section of How
    IPsec Works.

30
Is AES encryption supported?
  • No. The Microsoft implementation of IPsec in
    current versions of Windows does not support the
    Advanced Encryption Standard (AES). Support for
    AES is being considered for future versions of
    Windows.

31
Why would I use 3DES over DES encryption?
  • Triple Data Encryption Standard (3DES) is
    recommended because it is more secure than DES.
    Use DES when securing traffic to third-party
    IPsec peers that do not support 3DES. Windows XP,
    Windows Server 2003, and Windows 2000 (Service
    Pack 1 and higher) support 3DES.

32
Why would I use SHA1 over MD5 for hashing?
  • Secure Hash Algorithm 1 (SHA1) is recommended
    because it is more secure than Message Digest 5
    (MD5). Use MD5 when securing traffic to
    third-party IPsec peers that do not support SHA1.
    Windows XP, Windows Server 2003, and Windows 2000
    (Service Pack 1 and higher) support SHA1.

33
How many simultaneous IPsec connections can be
sustained on a basic server computer?
  • Results vary because there are many factors
    affecting the performance of IPsec such as
    processor speed and the types of network
    adapters. In Microsoft testing, the following
    results were achieved on an Intel Pentium
    III-based computer, running at 993 MHz, and with
    384 MB of RAM:

    Time between initiated negotiations (ms)   SAs established (SAs/sec)
    250                                        15.79762
    200                                        19.27202
    150                                        19.38969
    100                                        17.99813
     50                                        18.7118
      0                                         5.49884
  • The most time and processor-intensive part of an
    IPsec-secured connection is the main mode
    negotiation, from which the master key is derived.

34
What is IPsec offload? What effect does it have
on performance?
  • IPsec offload is the offloading of IPsec
    cryptographic calculations to high-performance
    firmware on network adapters, rather than having
    those calculations being performed using the
    computer's processor. Some IPsec offload adapters
    can perform DES, 3DES, SHA1 HMAC, MD5 HMAC, and
    even Diffie-Hellman key determination
    calculations. Using IPsec offload adapters can
    have a significant impact on performance.

35
Can I use IPsec with network load balancing
(NLB)? Can we use IPsec with Microsoft Cluster
Server (MSCS)?
  • Yes. IPsec for Windows supports NLB and MSCS
    cluster scenarios. However, IPsec sessions do not
    fail over. For more information, see IPsec is not
    designed for failover.

36
What performance counters are available?
  • There are no performance counters in current
    versions of Windows to monitor IPsec-secured
    traffic.

37
What monitoring tools can I use for IPsec?
  • For computers running Windows 2000, you can use
    the IP Security Monitor tool. Click Start, click
    Run, type ipsecmon.exe, and then click OK.
  • For computers running Windows XP or Windows
    Server 2003, you can use the IP Security Monitor
    snap-in. For more information, see To start the
    IP Security Policy Management snap-in.
  • For computers running Windows XP, you can use the
    ipseccmd \\computer show all command.
  • For computers running Windows Server 2003, you
    can use the netsh ipsec static show or netsh
    ipsec dynamic show commands.

38
How can I view my current IPsec security
associations (SAs)?
  • For computers running Windows 2000, you can use
    the IP Security Monitor tool. Click Start, click
    Run, type ipsecmon.exe, and then click OK. SAs are
    listed in the Security Associations portion of
    the IP Security Monitor window.
  • For computers running Windows XP or Windows
    Server 2003, you can use the IP Security Monitor
    snap-in. For more information, see To start the
    IP Security Policy Management snap-in.
  • For computers running Windows XP, you can use the
    ipseccmd \\computer show all command.
  • For computers running Windows Server 2003, you
    can use the netsh ipsec static show or netsh
    ipsec dynamic show commands.

39
How do you turn on Oakley logging? Where is the
log file stored?
  • The Oakley log records all IKE (ISAKMP) main mode
    and quick mode negotiations. To enable Oakley
    logging, do the following:
  • For computers running Windows 2000, set the
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Oakley\EnableLogging registry
    setting to 1. The Oakley key does not exist by
    default and must be created.
  • For computers running Windows XP, use the
    ipseccmd set logike command.
  • For computers running Windows Server 2003, use
    the netsh ipsec dynamic set config ikelogging 1
    command.
  • The Oakley log is stored in the systemroot\Debug
    folder. A new Oakley.log file is created each
    time the IPsec Policy Agent is started and the
    previous version of the Oakley.log file is saved
    as Oakley.log.sav.

40
How do I troubleshoot communications that are
encrypted by IPsec?
  • Because the IP payloads have been encrypted with
    IPsec, it is not possible to perform
    troubleshooting based on the contents of
    IPsec-protected packet payloads. For example, you
    cannot use an intermediate router or firewall to
    capture and interpret IPsec-protected packets.
    You can perform some troubleshooting based on the
    presence of encrypted packets, how many are sent,
    and when they are sent.

41
Can I use Microsoft Network Monitor to
troubleshoot IPsec traffic?
  • Yes. Network Monitor is included with Microsoft
    Systems Management Server, Windows 2000 Server,
    Windows Server 2003, and features protocol
    parsers for IKE (displayed as ISAKMP), AH, and
    ESP. However, Network Monitor does not parse the
    encrypted portions of IPsec-protected traffic.

42
What settings do I need to enable IPsec event
logging?
  • You can use the Windows XP Event Viewer snap-in
    to view the following IPsec-related events:
  • IPsec Policy Agent events in the audit log.
  • IPsec driver events in the system log. To enable
    IPsec driver event logging, set the
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\DiagnosticMode registry setting to 1.
    You must restart the computer for this change to
    take effect. The IPsec driver only writes events
    to the system log once an hour.
  • IKE events (SA details) in the audit log. To view
    these events, enable success or failure auditing
    for the Audit logon events audit policy for your
    domain or local computer. For more information,
    see To establish an audit policy.
  • IPsec policy change events in the audit log. To
    view these events, enable success or failure
    auditing for the Audit policy change audit policy
    for your domain or local computer. For more
    information, see To establish an audit policy.

43
How does IPsec work with network address
translators (NATs)?
  • IPsec Network Address Translator Traversal
    (NAT-T), a new IETF standard, allows IPsec
    negotiation and encapsulation of ESP-protected
    payloads. For more information about how IPsec
    NAT-T works, see IPsec NAT Traversal Overview.
  • Windows XP Service Pack 2 and Windows Server 2003
    have built-in support for IPsec NAT-T. The L2TP/IPsec
    NAT-T update for Windows XP and Windows 2000, a
    free download, provides support for computers
    running Windows XP with no service packs
    installed, Windows XP with Service Pack 1, and
    Windows 2000.

44
How do I remove all local IPsec policy settings?
  • You can remove static local IPsec policy settings
    with the following:
  • The IP Security Policies snap-in for Windows
    2000, Windows XP, or Windows Server 2003
  • The Ipseccmd.exe tool for Windows XP
  • Commands in the netsh ipsec static context for
    Windows Server 2003

45
What is the difference between ESP with
authentication only and AH?
  • AH provides data origin authentication and data
    integrity for the entire IP packet (with the
    exception of some fields in the IP header that
    must change in transit). ESP with authentication
    only (also known as ESP null) provides data
    origin authentication and data integrity for only
    the IP payload.

46
Why would you want both AH and ESP?
  • ESP provides data confidentiality, data origin
    authentication, and data integrity for the IP
    payload. ESP does not provide data origin
    authentication and data integrity for the IP
    header. If you want to protect the IP header for
    ESP-encrypted packets, you must use both AH and
    ESP. By protecting the IP header, you can detect
    and eliminate most types of network attacks that
    rely on the spoofing of IP addresses.

47
What is IPsec main mode negotiation?
  • The negotiation of a secured IPsec session has
    two distinct phases: main mode and quick mode.
    The main mode negotiation creates a bidirectional
    main mode SA (also known as an ISAKMP SA), which
    is a secure channel through which the quick mode
    negotiation and all future IKE traffic takes
    place.
  • Main mode negotiation accomplishes the following:
  • Negotiates security parameters for IKE traffic.
    These include the authentication method, lifetime
    of the main mode SA, the Diffie-Hellman group to
    be used to generate a shared secret, and how the
    IKE traffic is to be protected (encryption and
    HMAC algorithms).
  • Exchanges Diffie-Hellman keying material. For a
    set of publicly exchanged keys, a mutually
    determined secret key is calculated.
  • Authenticates the identities of the IPsec peers
    (Kerberos, digital certificates, or preshared key).

48
What is IPsec quick mode negotiation?
  • IPsec quick mode negotiation creates the
    unidirectional quick mode SAs (also known as
    IPsec SAs), to secure data traffic. During
    negotiation, the IPsec peers determine the
    specific encryption algorithm, hashing
    algorithms, the use of ESP or AH (or both),
    whether to use transport or tunnel, and a
    description of the traffic to protect. All quick
    mode negotiation messages are protected with the
    main mode SA previously established. Each
    successful quick mode negotiation establishes two
    IPsec SAs. One SA is for inbound traffic and the
    other is for outbound traffic.

49
What are IKE, Oakley, and ISAKMP and how do they
relate?
  • Internet Key Exchange (IKE) is used to
    dynamically establish SAs between IPsec peers.
    IKE is a hybrid of 3 protocols that is based on a
    framework defined by the Internet Security
    Association and Key Management Protocol (ISAKMP)
    and implements parts of two key management
    protocols: Oakley and SKEME.
  • IKE uses ISAKMP to define how two peers
    communicate, including the packet formats,
    retransmission timers, and message construction
    requirements. IKE uses both Oakley and SKEME to
    provide the mechanism and management of key
    exchanges.

50
What is IPsec transport mode?
  • IPsec transport mode provides the protection of
    an IP payload through an AH or ESP header.
    Typical IP payloads are TCP segments (containing
    a TCP header and TCP segment data), a UDP message
    (containing a UDP header and UDP message data),
    and an ICMP message (containing an ICMP header
    and ICMP message data).

51
What is IPsec tunnel mode?
  • IPsec Tunnel mode provides the protection of an
    entire IP packet by treating it as an AH or ESP
    payload. With tunnel mode, an entire IP packet is
    encapsulated with an AH or ESP header and an
    additional IP header. The IP addresses of the
    outer IP header are the tunnel endpoints, and the
    IP addresses of the encapsulated IP header are
    the ultimate source and destination addresses.

52
How do I configure a router-based firewall to
allow IPsec for Windows traffic?
  • Configure your router-based firewall to allow the
    following:
  • UDP port 500 (IKE traffic)
  • UDP port 4500 (IPsec NAT-T traffic)
  • IP protocol 50 (ESP-protected traffic)
  • IP protocol 51 (AH-protected traffic)

53
What are the IPsec registry keys?
  • The main IPsec policy and configuration details
    are stored under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\IPsec. For information
    about IPsec registry keys, see IPsec Tools and
    Settings.

54
Is there a trusted man-in-the-middle attack
against IPsec?
  • IPsec is vulnerable to a trusted
    man-in-the-middle attack if someone gains access
    to the private information that the IPsec peers
    use to authenticate each other. The risk of this
    attack is higher if preshared keys are used as
    the authentication method. For this reason,
    Microsoft recommends that preshared keys be used
    only in test environments. If certificates are
    used as the authentication method, the risk of a
    man-in-the-middle attack is significantly
    reduced.

55
What is the idle timeout for quick mode SAs?
  • If a quick mode SA is not used to secure traffic
    for a specific period of time, it is removed and
    a new SA is negotiated. This timeout period is 5
    minutes.

56
When IPsec peers are separated by a NAT, will
IPsec negotiation happen over UDP port 4500 or
UDP port 500?
  • When peers negotiate a main mode SA across a NAT,
    only the initial IKE message from the initiating
    IPsec peer uses UDP port 500. All other IKE
    traffic is sent over UDP port 4500.

58
How does the faster failover for IPsec with
Network Load Balancing (NLB) and Microsoft
Cluster Server (MSCS) work?
  • For computers running Windows Server 2003, the
    IKE component has the ability to detect if a peer
    is a member node of a cluster. If so, IKE changes
    the default quick mode SA timeout from 5 minutes
    to 1 minute. If the current cluster node fails,
    any SAs established to the failed node will
    time out after 1 minute and IKE will re-establish
    an IPsec-secured session with a new cluster node.

59
How does IKE in IPsec for Windows behave in an
IKE-based denial of service attack?
  • IKE limits the number of outstanding main mode
    negotiations and the number of established main
    mode negotiations. If there is an established
    main mode SA, IKE limits the outstanding main
    mode SAs to 5 per IP address/port pair. If there
    is no established main mode SA, IKE limits the
    outstanding main mode SAs to 35 per IP address.
    If this limit is hit, IKE will drop all initial
    negotiation messages from that peer until an
    outstanding SA for that peer has failed, timed
    out, or been established.
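An added model of the per-peer limits described on this slide, written for this page and not taken from the Windows IKE implementation. The class and method names, the sample peer address, and the reading of "an established main mode SA" as one established with the same peer IP address are assumptions.

```python
from collections import defaultdict

# Limits stated on slide 59 for outstanding main mode negotiations per peer.
LIMIT_WITH_ESTABLISHED_MM_SA = 5      # per IP address/port pair
LIMIT_WITHOUT_ESTABLISHED_MM_SA = 35  # per IP address


class MainModeNegotiationLimiter:
    """Constructed model of how IKE bounds outstanding main mode negotiations.
    It is not the Windows IKE code. Assumption: 'an established main mode SA'
    means one established with the same peer IP address."""

    def __init__(self):
        self.outstanding_per_ip = defaultdict(int)
        self.outstanding_per_pair = defaultdict(int)   # keyed by (ip, port)
        self.established_per_ip = defaultdict(int)

    def on_initial_message(self, ip, port):
        """Handle the first message of a main mode negotiation from (ip, port).
        Returns True if a negotiation is started, False if the message is dropped."""
        if self.established_per_ip[ip] > 0:
            # A main mode SA exists with this peer: 5 outstanding per address/port pair.
            if self.outstanding_per_pair[(ip, port)] >= LIMIT_WITH_ESTABLISHED_MM_SA:
                return False
        elif self.outstanding_per_ip[ip] >= LIMIT_WITHOUT_ESTABLISHED_MM_SA:
            # No main mode SA yet: 35 outstanding per IP address.
            return False
        self.outstanding_per_ip[ip] += 1
        self.outstanding_per_pair[(ip, port)] += 1
        return True

    def _close(self, ip, port):
        # An outstanding negotiation ends (established, failed or timed out): free its slot.
        if self.outstanding_per_pair[(ip, port)] == 0:
            raise ValueError("no outstanding negotiation for %s:%d" % (ip, port))
        self.outstanding_per_ip[ip] -= 1
        self.outstanding_per_pair[(ip, port)] -= 1

    def on_established(self, ip, port):
        """Main mode SA established: the slot is freed and the peer now has an
        established SA, so the tighter per-pair limit applies to it from here on."""
        self._close(ip, port)
        self.established_per_ip[ip] += 1

    def on_failed_or_timed_out(self, ip, port):
        """Negotiation failed or timed out: the slot is freed, nothing else changes."""
        self._close(ip, port)


def count_accepted(limiter, ip, port, attempts):
    """Send `attempts` initial messages from one source; return how many start a negotiation."""
    return sum(1 for _ in range(attempts) if limiter.on_initial_message(ip, port))


def demo():
    """Constructed scenario: a peer with no established SA, then one that has one."""
    lim = MainModeNegotiationLimiter()
    peer = "203.0.113.9"   # constructed sample address
    accepted_cold = count_accepted(lim, peer, 500, 50)            # 35: per-IP limit with no SA
    lim.on_failed_or_timed_out(peer, 500)                         # one slot frees up
    accepted_after_timeout = count_accepted(lim, peer, 500, 3)    # 1: only the freed slot

    lim2 = MainModeNegotiationLimiter()
    lim2.on_initial_message(peer, 500)
    lim2.on_established(peer, 500)                                # peer now has a main mode SA
    accepted_pair_500 = count_accepted(lim2, peer, 500, 20)       # 5: per address/port pair
    accepted_pair_4500 = count_accepted(lim2, peer, 4500, 20)     # 5: a different pair
    return accepted_cold, accepted_after_timeout, accepted_pair_500, accepted_pair_4500


if __name__ == "__main__":
    print(demo())   # (35, 1, 5, 5)
```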