IPSec is controlled on Windows 2000-based system via security policies. Again, these can be configured either locally or via group policy (recommended). At any given time, only one IPSec policy can be assigned to a system. Although you can create custom IPSec policies, three are provided by default and you should be aware of their purposes:
Client (Respond Only) – When this policy is assigned, a client will never initiate a secure connection with a server, but will use IPSec if requested to do so by a server.
Secure Server (Require Security) – When this policy is assigned, a server will drop any request that is made to it that does not use IPSec.
Server (Request Security) – When this policy is assigned, a server will request that a client has made an unsecured connection use IPSec. If the client is not capable (for example a Windows 98 system), the server will allow the connection to proceed, without requiring IPSec to be used.
Note that none of the default policies if assigned by default, and that right clicking and choosing ‘Create IP Security Policy’ can create customized policies. The IP Security policy wizard will walk you though the steps of creating a custom policy, but you must be aware of the filters you are going to configure, including which port numbers are used by applications and so forth. Note also that Windows 2000 provides an application for troubleshooting and monitoring IPSec-based communications, The IP Security Monitor.