9. To configure IPSec to perform a fresh Diffie-Hellman exchange (and so generate new master key material) every time a new session key is needed, rather than deriving every session key from the same master key, place a check mark next to Use Session Key Perfect Forward Secrecy (PFS).
10. Click OK to save the filter action settings.
Using a Command-Line Interface
The following command creates a filter action called Blocker that will drop any traffic that meets the criteria specified by a filter list (the command is shown wrapped here; type it on one line):
> netsh ipsec static add filteraction name="Blocker" description="Blocks all traffic" action=block
The following command creates a filter action called Fall Back to Clear that will secure traffic whenever possible, but will accept unsecured communication if the peer cannot negotiate IPSec:
> netsh ipsec static add filteraction name="Fall Back to Clear" action=negotiate soft=yes
The following command deletes the filter action called Blocker:
> netsh ipsec static delete filteraction name="Blocker"
How It Works
Once an IPSec rule encounters traffic that matches a filter within its filter list, the rule checks its configured filter action to determine what to do with the traffic in question. The following default filter actions are available in Windows Server 2003:
• Permit, which passes all matching traffic without IPSec.
• Request Security (Optional), which attempts to negotiate IPSec for all matching traffic but still accepts unsecured traffic from peers that cannot negotiate it.
• Require Security, which negotiates IPSec and refuses to communicate with computers that cannot establish a security association.
The only required configuration item for a new filter action is its name. But to make the filter action more useful, you can use the following optional parameters to configure it at the command line:
description = : Configures the filter action description string.
qmpfs = [yes | no] : Dictates whether session key perfect forward secrecy is enabled. If you do not specify this option, it defaults to no.
inpass = [yes | no] : Configures the computer to accept incoming traffic that is unsecured, but to reply using IPSec-secured communications. This only has meaning when action = negotiate.
soft = [yes | no] : Configures the computer to fall back to unsecured communications when IPSec negotiation with a peer fails, for example because the device does not support IPSec. This also applies only to action = negotiate, and it is a downgrade path: anything that can prevent the IKE negotiation from completing can cause the traffic to flow in the clear, so use soft = yes only where that is an acceptable outcome.
action = [permit | block | negotiate] : Configures what the filter action does with matching traffic.
qmsecmethods = : Configures the security method (AH and/or ESP algorithms and lifetimes) to be used by the negotiate filter action (see Recipe 7-6).
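The following batch script is an added example, not part of the recipe, that ties the parameters above together: it creates a fail-closed negotiate action, a fail-open one that differs only in soft, and a plain block action, then displays each so the stored Soft and InPass settings can be checked. The action names, the description strings, and the qmsecmethods value (ESP with 3DES and SHA1, in the syntax Recipe 7-6 covers) are assumptions chosen for this example.

```batch
@echo off
REM Added example (not from the recipe): create three IPSec filter actions with
REM netsh ipsec static, from fail-closed to fail-open, then display them.
REM Names, descriptions and the qmsecmethods value are assumptions for this example.

REM 1. Fail-closed negotiate action: require ESP, never fall back to clear,
REM    never accept unsecured inbound traffic, and use session key PFS so each
REM    quick mode SA is keyed from a fresh Diffie-Hellman exchange.
netsh ipsec static add filteraction name="Require ESP" ^
    description="Negotiate ESP only; refuse peers that cannot do IPSec" ^
    action=negotiate soft=no inpass=no qmpfs=yes ^
    qmsecmethods=ESP[3DES,SHA1]:100000k/3600s

REM 2. Fail-open negotiate action: same security method, but soft=yes means the
REM    host drops to cleartext when IKE negotiation with the peer fails, so
REM    anything that can block the negotiation can downgrade this traffic.
netsh ipsec static add filteraction name="Fall Back to Clear" ^
    description="Prefer ESP, accept cleartext if the peer cannot negotiate" ^
    action=negotiate soft=yes inpass=no qmpfs=yes ^
    qmsecmethods=ESP[3DES,SHA1]:100000k/3600s

REM 3. Plain block action for traffic that must never pass.
netsh ipsec static add filteraction name="Blocker" ^
    description="Blocks all traffic" action=block

REM Verify what was stored. In the output for the two negotiate actions, check
REM the Soft and InPass values: only "Require ESP" should show both as NO.
for %%A in ("Require ESP" "Fall Back to Clear" "Blocker") do (
    netsh ipsec static show filteraction name=%%A
)

REM Cleanup, if you are only experimenting (mirrors the delete command above):
REM for %%A in ("Require ESP" "Fall Back to Clear" "Blocker") do (
REM     netsh ipsec static delete filteraction name=%%A
REM )
```

Run it from an elevated command prompt on the Windows Server 2003 host. A filter action does nothing by itself; it takes effect only once a rule in an assigned IPSec policy pairs it with a filter list, so after checking the stored values, attach "Require ESP" to the rule that covers the traffic you actually need protected.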