Implementing IPSec

The three policies provided are simply a starting point, since you will likely need something a little more granular that meets your specific needs. To create a new IPSec policy, right-click and choose ‘Create IP Security Policy’.

Doing so will open the IPSec Security Policy wizard, which will walk you through the policy creation process step-by-step. The first step is giving the policy a name, and an associated description. I would strongly recommend a name that will be descriptive enough to explain what the policy is used for.

The Request for Secure communication screen comes next. This allows you to control how this policy will respond when other servers on the network request secured communication.

The next step is configuring the default authentication mechanism to be used. In Active Directory environments, Kerberos is probably the easiest choice, although the use of certificates or a pre-shared key are possible given that you may want to configure connections with systems that only support these methods. For the purpose of simplicity, I’ll choose the pre-shared key.

The last screen that appears is actually a little confusing. While you have now created a new policy, you still need to edit its properties. If you choose to uncheck the box below, you can always still configure policy settings later by right clicking on a policy in Group Policy and choosing Properties.

If you choose to edit properties of the policy, you will be presented with the property screen shown below.

Note that by default, the only security rule that exists is the Default Response rule that we chose to allow in the previous wizard. This rule can be edited, or we can add and remove rules from this screen. We’ll add a new rule in a moment, but first take a look at the Advanced button from the General tab.

The first setting, Master key Perfect Forward Secrecy, is used if you want to ensure that the same keying material or previous keys are ever used again in selecting a master key. The other settings configure how often new keys should be generated in minutes and seconds, while the Methods button allows you to configure the integrity and encryption mechanisms used during exchanges (such as SHA or MD5 for integrity, and DES or 3DES for encryption).

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions. Click here to contact Dan.