Microsoft KB Archive/942964

= How the default response rule for IPsec policies functions in Windows Vista and in Windows Server 2008 Beta 3 =

Article ID: 942964

Article Last Modified on 11/12/2007

-

APPLIES TO


 * Microsoft Windows Code Name “Longhorn”
 * Windows Vista Ultimate
 * Windows Vista Enterprise
 * Windows Vista Business
 * Windows Vista Home Premium
 * Windows Vista Home Basic
 * Windows Vista Starter
 * Windows Vista Ultimate 64-bit Edition
 * Windows Vista Enterprise 64-bit Edition
 * Windows Vista Business 64-bit Edition
 * Windows Vista Home Premium 64-bit Edition
 * Windows Vista Home Basic 64-bit Edition

-





Beta Information
This article discusses a beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this beta product. For information about how to obtain support for a beta release, see the documentation that is included with the beta product files, or check the Web location where you downloaded the release.



INTRODUCTION
This article describes how the default response rule for Internet Protocol security (IPsec) policies functions in Windows Vista and in Windows Server 2008 Beta 3. It also describes how to create a replacement rule for the default response rule in Windows Vista and in Windows Server 2008 Beta 3.



MORE INFORMATION
The default response rule is applied on remote computers that request an IPsec connection when no other rules are available in an IPsec policy. To communicate over an encrypted channel, the computer must respond to requests to establish an encrypted channel. The default response rule is enabled automatically when you create an IPsec policy in versions of Windows that are earlier than Windows Vista and Windows Server 2008 Beta 3. By default, the default response rule is not enabled when you create an IPsec policy in Windows Vista or in Windows Server 2008 Beta 3.

You can use the IP Security Policy Management snap-in or the netsh ipsec command to configure the default response rule when you create or modify an IPsec policy in Windows Vista or in Windows Server 2008 Beta 3. Even though you can configure the default response rule for an IPsec policy in Windows Vista or in Windows Server 2008 Beta 3, the rule is invalid when you apply an IPsec policy on a Windows Vista-based computer or on a Windows Server 2008 Beta 3-based computer. The rule is valid only when you apply the default response rule in earlier versions of Windows. Also, you cannot use the netsh ipsec command in Windows Vista or in Windows Server 2008 Beta 3 to modify the default response rule for an IPsec policy that is applied on a Windows Vista-based computer. However, you can modify the default response rule for clients that run versions of Windows that are earlier than Windows Vista. If an IPsec policy that contains the default response rule is assigned to a Windows Vista-based computer, the policy is not applied. Also, the following event is logged in the Security log: Event ID: 5461

Source: Security Auditing

Type: Audit Failure

Message: PAStore Engine failed to apply local registry storage IPsec policy on the computer.

Policy:

Error Code:. The parameter is incorrect

Instead of the default policy rule, you can create a rule for a policy that enables the Windows Vista-based computer or the Windows Server 2008 Beta 3-based computer to apply the rule on Windows Vista-based clients that request IPsec communication. The default response rule responds only to client requests. However, the rule that you create can respond to all kinds of requests. This rule also establishes communication over an encrypted channel with the client. If communication over an encrypted channel cannot be established during IPsec negotiations, the communication will continue in clear text over the network. This communication will not be dropped.

To create a new rule for an IPsec policy in Windows Vista or in Windows Server 2008 Beta 3, follow these steps:  Use the IP Security Policy Management snap-in to modify the IPsec policy. To do this, follow these steps:  Use the appropriate method:  In Windows Server 2008 Beta 3, click Start, click Run, type mmc in the Open box, and then click OK. In Windows Vista, click Start, type mmc in the Start Search box, and then press ENTER.  On the File menu, click Add/Remove Snap-in. The Add or Remove Snap-in dialog box opens.</li> In the Available snap-ins list, click IP Security Policy Management, and then click Add.</li> In the Select Computer or Domain dialog box, click Finish.</li> Click OK to close the Add or Remove Snap-in dialog box.</li> In the task pane, click IP Security Policies on Local Computer.</li> In the details pane, right-click the policy for which you want to create a new rule, and then click Properties.</li> Click Add to add a new rule to the policy.</li></ol> </li> Configure the tunneling properties and the network-type properties for the new rule. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> On the Welcome page of the Security Rule Wizard, click Next.</li> On the Tunnel Endpoint page, make sure that the This rule does not specify a tunnel option is enabled, and then click Next.</li> On the Network Type page, make sure that the All network connections option is enabled, and then click Next.</li></ol> </li> Create a new IP filter list, and then configure the filter-list properties. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> On the IP Filter List page, click Add. The IP Filter List dialog box opens.</li> In the Name box, type All IP Traffic, and then click Add.</li> On the Welcome page of the IP Filter Wizard, click Next.</li> On the &quot;IP Filter Description and Mirrored property&quot; page, add a description for the IP filter, and then click Next.</li> On the IP Traffic Source page, make sure that Any IP Address is selected in the Source address list, and then click Next.</li> <li>On the IP Traffic Destination page, make sure that Any IP Address is selected in the Destination address list, and then click Next.</li> <li>On the IP Protocol Type page, make sure that Any is selected in the Select a protocol type list, and then click Next.</li> <li>On the &quot;Completing the IP Filter Wizard&quot; page, click Finish.</li> <li>Click OK to save the new filter list and to close the IP Filter List dialog box.</li></ol> </li> <li>Create a new filter action, and then configure the filter-action properties. To do this, follow these steps: <ol style="list-style-type: lower-alpha;"> <li>On the IP Filter List page, click the IP filter list that you created, and then click Next.</li> <li>On the Filter Action page, click Add to create a new filter action.</li> <li>On the Welcome page of the Filter Action Wizard, click Next.</li> <li>On the Filter Action Name page, type Always negotiate security in the Name box, and then click Next.</li> <li>On the Filter Actions General Options page, make sure that the Negotiate security option is enabled, and then click Next.</li> <li>On the &quot;Communicating with computers that do not support IPsec&quot; page, click Allow unsecured communication if a secure connection cannot be established, and then click Next.</li> <li>On the IP Traffic Security page, select the security method that you want to use, and then click Next.</li> <li>On the &quot;Completing the IP Security Filter Action Wizard&quot; page, click Finish.</li> <li>On the Filter Action page, select the filter action that you created, and then click Edit. The New Filter Action Properties dialog box opens.</li> <li>On the Security Methods tab, click to select the Accept unsecured communication, but always respond using IPsec check box, and then click OK.</li> <li>On the Filter Action page, click Next.</li></ol> </li> <li>On the Authentication Method page, specify the authentication method that you want to use, and then click Next.</li> <li>On the &quot;Completing the Security Rule Wizard&quot; page, click Finish.</li> <li>Click OK to close the IPsec policy properties dialog box.</li></ol>

Keywords: kbhowto kbinfo kbexpertiseinter KB942964

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.