Except in the case of a block or allow rule, an IP filter list triggers security negotiations based on a match with the source, destination, and type of IP traffic. This type of IP packet filtering enables an administrator to precisely define which IP traffic is secured. Each IP filter list contains one or more filters, which define IP addresses and traffic types. One IP filter list can be used for multiple communication scenarios.
IPsec requires both an inbound filter and outbound filter between the computers specified in the filter list, except for Block or Permit rules. Inbound filters apply to incoming traffic and enable the receiving computer to respond to requests for secure communication or match traffic against the IP filter list. Outbound filters apply to traffic leaving a computer and conduct a security negotiation before traffic is sent.
By using the Mirrored check box, you automatically create two filters based on the filter settings: one for traffic to the destination and one for traffic from the destination. This allows two-way communications with other computers.
Filter list settings
Filter lists (and filter actions) can be defined when you create a policy or before you create a policy. Filter lists are available to any policy. To define a filter list, right-click the IP Security Policy node and select Manage IP filter lists and filter actions.
Each filter defines a subset of inbound or outbound network traffic that the filter action acts on by either securing traffic (using authentication, data integrity, or data encryption), blocking entirely, or allowing (without using authentication, data integrity, or data encryption). You must have a filter to cover any traffic to which the associated rule applies. A filter contains the following settings:
- The source and destination addresses of the IP packet. You can configure any IP address assigned to the IPsec peer, a single IP address, IP addresses by DNS name, or groups of addresses to specify IP subnets.
- The protocol used to transfer the packet. This automatically covers all protocols in the TCP/IP protocol suite. However, it can be configured for an individual protocol, including a custom protocol, to meet special requirements.
- The source and destination ports of the protocol for TCP and UDP. By default, all TCP and UDP ports are covered, but this can be configured to apply to a specific TCP or UDP port only.
Important | |
DNS name resolution occurs only when the filter list is created and is not updated afterwards. So, if the IP address changes, the policy will not be updated. To update the IP address, you must edit the policy. |
To create a filter list using the New Rule Properties dialog box |
In the IP Security Policy Properties dialog, select the correct IP Security rule and click Edit or you can create a new rule by clicking Add.
On the IP Filter List tab, clear the Use Add Wizard check box if you want to create the filter list in the property dialog box. If you want to use the wizard, leave the check box selected. Click Add. The following instructions are for creating a filter list using the dialog box.
On the Addresses tab of the IP Filter Properties dialog box, select a source (local) IP address and a destination (that is, an IPsec peer) IP address.
On the Protocol tab, select the protocol type that the filter will match.
(Optional) On the Description tab, type a description of the filter. This description can help you sort through filters and allows you to quickly identify the filter without having to open its properties.
Click OK.
Repeat steps 4 through 8 to add additional filters to the list.
In the IP Filter List dialog box, type a descriptive name for the filter list. Click OK to add the filter list to the rule.
In the New Rule Properties dialog box, select the filter list.
To create a filter list using the Manage filter lists and filter actions dialog box |
Right-click the IP Security Policy node and select Manage IP filter lists and filter actions.
On the Manage IP Filter Lists tab, click Add.
In the IP Filter List dialog box, clear the Use Add Wizard check box if you want to create the filter list in the property dialog box. If you want to use the wizard, leave the check box selected. Click Add. The following instructions are for creating a filter list using the dialog box.
On the Addresses tab of the IP Filter Properties dialog box, select a source (local) IP address and a destination (that is, an IPsec peer) IP address.
On the Protocol tab, select the protocol type that the filter will match.
(Optional) On the Description tab, type a description of the filter. This description can help you sort through filters and allows you to quickly identify the filter without having to open its properties.
Click OK.
Repeat steps 4 through 8 to add additional filters to the list.
In the IP Filter List dialog box, type a descriptive name for the filter list. Click OK to add the filter list to the rule.