Use this dialog box to configure the Internet Protocol security (IPsec) main mode key exchange and quick mode data protection settings used for all IPsec negotiations. You can also configure the default authentication settings used whenever a connection security rule uses the Default settings.

Important
  • If you are configuring Windows Firewall with Advanced Security on the local computer and you select Default for any of the settings, any Group Policy objects (GPOs) that apply to this computer can specify the settings.
  • If you are configuring a GPO and you select Default for any of the settings, any GPOs of higher precedence that apply to this computer can specify the settings.
To get to this dialog box
  1. In the Windows Firewall with Advanced Security MMC snap-in, in Overview, click Windows Firewall Properties.

  2. Click the IPsec Settings tab.

  3. Under IPsec defaults, click Customize.

Key exchange (Main Mode)

Key exchange settings you select here apply to all connection security rules. To ensure successful and secure communication, IPsec performs a two-phase operation to establish a secured connection between the two computers. Confidentiality and authentication are ensured during each phase by the use of integrity, encryption, and authentication algorithms that are agreed upon by the two computers during security negotiations. With the duties split between two phases, key creation can be accomplished quickly.

During the first phase, the two computers establish a secure, authenticated channel, called the main mode security association (SA). The main mode SA is then used during the second phase to allow secure negotiation of the quick mode SA. The quick mode SA specifies the protection settings for matching TCP/IP data transferred between the two computers.

Default

Select this option to use the key exchange settings that are installed by default or configured as defaults through Group Policy. This setting is used for all key exchanges. For more information, see Default Settings for Windows Firewall with Advanced Security.

Advanced

Select this option to specify the key exchange settings that are applied to all key exchanges. This setting overrides the installed defaults. After selecting this option, click Customize and use the Customize Advanced Key Exchange Settings dialog box to select the settings to use.

Data protection (Quick Mode)

Data protection settings you select here apply to all connection security rules created by using the Windows Firewall with Advanced Security MMC snap-in. If you need a connection security rule with its own custom data protection settings, you must create that rule by using the netsh advfirewall consec context. For more information, see Netsh Commands for Windows Firewall with Advanced Security (https://go.microsoft.com/fwlink/?linkid=111237).

Default

Select this option to use the data integrity and encryption settings that are installed by default or configured as defaults through Group Policy. For more information, see Default Settings for Windows Firewall with Advanced Security.

Advanced

Use this option to specify data integrity and encryption settings that are available for negotiating the quick mode SA. This setting overrides the installed defaults. After selecting this option, click Customize and use the Customize Data Protection Settings dialog box to select the data protection settings to use.

Authentication method

Authentication method settings you select here apply only to connection security rules that have Default selected as the authentication method.

Default

Select this option to use the authentication settings that are installed by default or configured as defaults by using Group Policy. For more information, see Default Settings for Windows Firewall with Advanced Security.

Computer and User (Kerberos V5)

Select this option to use both computer and user authentication with the Kerberos version 5 protocol. The use of this option is equivalent to selecting Advanced, choosing Computer (Kerberos V5) for first authentication and User (Kerberos V5) for second authentication, and then clearing both First authentication is optional and Second authentication is optional.

Computer (Kerberos V5)

Select this option to use computer authentication with the Kerberos version 5 protocol. The use of this option is equivalent to selecting Advanced, choosing Computer (Kerberos V5) for first authentication, and then selecting Second authentication is optional.

User (Kerberos V5)

Select this option to use user authentication with the Kerberos version 5 protocol. The use of this option is equivalent to selecting Advanced, choosing User (Kerberos V5) for second authentication, and then selecting First authentication is optional.

Advanced

You can use this option to create a method that is specific to your needs. If you select this option, you must click Customize to use the Customize Advanced Authentication Methods dialog box to specify the authentication methods to use.
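The following added example (not from the original page) shows how to verify which main mode, quick mode, and authentication settings the Default options in this dialog actually resolve to after Group Policy is applied, and how to give one rule its own quick mode proposal, which the dialog cannot do. It assumes an elevated session and the NetSecurity PowerShell module (Windows 8 / Windows Server 2012 and later) as an equivalent to the netsh advfirewall consec context the page names; display names and proposal values are constructed.

```powershell
# Added example, not part of the original page. Assumes an elevated PowerShell
# session with the NetSecurity module available.

# 1. Key exchange (main mode) settings in force. ActiveStore merges local settings
#    with any GPOs that apply, so this is what "Default" really means on this host.
Get-NetIPsecMainModeCryptoSet -PolicyStore ActiveStore |
    Select-Object -ExpandProperty Proposal |
    Format-Table Encryption, Hash, KeyExchange

# 2. Data protection (quick mode) settings in force.
Get-NetIPsecQuickModeCryptoSet -PolicyStore ActiveStore |
    Select-Object -ExpandProperty Proposal |
    Format-Table Encapsulation, Encryption, ESPHash

# 3. Authentication settings in force: first authentication is Phase 1,
#    second authentication is Phase 2. Format-List shows every proposal property.
Get-NetIPsecPhase1AuthSet -PolicyStore ActiveStore |
    Select-Object -ExpandProperty Proposal | Format-List
Get-NetIPsecPhase2AuthSet -PolicyStore ActiveStore |
    Select-Object -ExpandProperty Proposal | Format-List

# 4. One rule with its own quick mode settings instead of the dialog-wide default.
#    The rule requires IPsec for inbound and requests it for outbound traffic;
#    authentication is left unset, so it uses the Default authentication above.
#    Display names below are constructed placeholders.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -Encryption AES256 -ESPHash SHA256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName "Example ESP AES256/SHA256" `
    -Proposal $qmProposal
New-NetIPsecRule -DisplayName "Example rule with custom quick mode" `
    -InboundSecurity Require -OutboundSecurity Request `
    -QuickModeCryptoSet $qmSet.Name
```

Run steps 1 to 3 again after the rule is created to confirm the dialog-wide defaults were not changed; only the new rule references the custom quick mode set.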
