How It Works
The IPSec filter is probably the most important component of an IPSec policy, since configuring
filters correctly will mean the difference between a correctly functioning policy and one that
can cripple the functionality of a network.
Configuring IPSec Filters
IPSec filters consist of the following configuration information:
• A source address (this can be a single IP address, a subnet, or all IP addresses)
• A source port
• A destination address (this can be a single IP address, a subnet, or all IP addresses)
• A destination port
To ease administration, you should configure IPSec filters to indicate the largest group of
addresses to which they are applicable. For example, if you need to configure security for an
entire network, create a filter that consists of the entire IP subnet rather than individual filters
for each IP. This will allow you to add new devices to a subnet without needing to create a new
filter each time.
Using the Command-Line Interface
Using the command-line interface, the netsh ipsec static delete filter command requires
the following three parameters:
• filterlist
• srcaddr
• dstaddr
If you specify only the required parameters and more than one filter meets those criteria,
the delete filter command deletes every filter that meets them. This is because IPSec
filters, unlike filter lists, are not configured with easily identifiable name strings; the only
way to refer to a filter is by its contents. You can specify one or more optional criteria (such
as protocol, source or destination mask, or port) to identify a particular filter more precisely.
Before deleting, list the contents of the filter list with netsh ipsec static show filterlist
name=<name> level=verbose so you can see exactly which filters your criteria will match;
a delete that removes more filters than intended from a filter list used by an assigned policy
changes what traffic is secured, blocked, or permitted, and there is no undo.
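The following PowerShell script is an added example that is not part of the original recipe. It ties together the two points above: it builds a filter list with one subnet-wide filter per service (instead of one filter per host), then shows a narrow delete that uses optional criteria to remove exactly one filter, followed by a broad delete that uses only the address criteria and removes everything that matches. The filter list name LabWebServers, the subnet 192.168.10.0/24, and the helper function Invoke-NetshIpsec are assumptions made for this example; the netsh ipsec static commands themselves are the ones the recipe describes. Run it only against a filter list that is not referenced by an assigned policy, on a lab machine with the IPSec Policy Agent service running.

```powershell
# Added example, not from the original recipe.
# Assumptions: Windows Server 2003 or later with the IPSec Policy Agent service
# running, an elevated PowerShell session, and a filter list that no assigned
# policy references. Names and addresses below are made up for illustration.

$filterList = 'LabWebServers'   # hypothetical filter list name; no spaces, so
                                # PowerShell passes it to netsh without quoting
$subnet     = '192.168.10.0'    # hypothetical web server subnet
$mask       = '255.255.255.0'

# Hypothetical helper: run one "netsh ipsec static" command, echo it, and stop
# the script if netsh reports an error (netsh returns a non-zero exit code).
function Invoke-NetshIpsec {
    param([Parameter(Mandatory)][string[]]$Arguments)
    Write-Host ("netsh ipsec static " + ($Arguments -join ' '))
    $output = & netsh ipsec static @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netsh ipsec static failed:`n$($output -join "`n")"
    }
    $output
}

# 1. Create the filter list (filter lists have names; filters do not).
Invoke-NetshIpsec add, filterlist, "name=$filterList"

# 2. One mirrored filter per service for the whole subnet, rather than one
#    filter per host: a server added to 192.168.10.0/24 later is covered
#    without touching the filter list. srcport=0 means any source port.
foreach ($port in 80, 443) {
    Invoke-NetshIpsec add, filter, "filterlist=$filterList",
        'srcaddr=any', "dstaddr=$subnet", "dstmask=$mask",
        'protocol=TCP', 'srcport=0', "dstport=$port", 'mirrored=yes'
}

# 3. Check what exists before deleting anything. Because filters have no
#    names, the verbose listing is the only way to see what a delete matches.
Invoke-NetshIpsec show, filterlist, "name=$filterList", 'level=verbose'

# 4. Narrow delete: protocol and dstport pin down exactly one filter (TCP/443).
Invoke-NetshIpsec delete, filter, "filterlist=$filterList",
    'srcaddr=any', "dstaddr=$subnet", "dstmask=$mask",
    'protocol=TCP', 'dstport=443'

# 5. Broad delete: address criteria only, no protocol or port. Every filter in
#    the list with this source and destination is removed, whatever its
#    protocol or port; here that is the remaining TCP/80 filter. dstmask is
#    given because the filters' destination is a subnet, not a single host.
Invoke-NetshIpsec delete, filter, "filterlist=$filterList",
    'srcaddr=any', "dstaddr=$subnet", "dstmask=$mask"

# 6. Confirm the list is now empty, then remove the list itself.
Invoke-NetshIpsec show, filterlist, "name=$filterList", 'level=verbose'
Invoke-NetshIpsec delete, filterlist, "name=$filterList"
```

Compare the two show filterlist listings: after step 4 the list still holds the TCP/80 filter, after step 5 it is empty. In production, the broad form in step 5 is the one to avoid unless you have confirmed from the listing that every matching filter should go.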
See Also
• Recipe 7-3 for configuring IPSec filter lists
• Microsoft TechNet: “Add, Edit, or Remove IPSec Filters” (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/207e34c8-f715-4aa8-8f26-e06bd1eca808.mspx)