9. If you selected a Custom method in the previous step, you'll see the Custom Security Methods Settings screen. From here, configure the following settings:
   • To enable AH, place a check mark next to Data and Address Integrity Without Encryption (AH). Choose MD5 or SHA1 in the Integrity algorithm drop-down box.
   • To enable ESP, place a check mark next to Data Integrity and Encryption (ESP). Choose MD5 or SHA1 in the Integrity algorithm drop-down box, and DES or 3DES in the Encryption algorithm drop-down box.
   • In the Session key settings section, place a check mark next to either or both of the options: Generate a New Key Every XXX Kilobytes and Generate a New Key Every XXX Seconds.
10. Click OK to create the new security method.
11. Use the Move Up or Move Down buttons to change the order in which the security methods are attempted. IPSec will try to negotiate security using each defined method, starting at the top of the list and working to the bottom, until IPSec is able to successfully negotiate security.
Note Click Edit or Remove to modify or delete a security method that has already been defined.
12. Click OK to save your settings.
Using a Command-Line Interface
The following command creates an IPSec filter action called Custom Security that uses MD5
for ESP integrity and 3DES for ESP encryption:
> netsh ipsec static add filteraction name = "Custom Security" action = negotiate qmsecmethods = ESP[3DES,MD5]
How It Works
IPSec is composed of two separate protocols: the IPSec Authentication Header (AH) protocol, and the IPSec Encapsulating Security Payload (ESP) protocol. AH is used to provide authentication between hosts that are communicating with IPSec. ESP is used to provide encryption in addition to authentication.
Configuring AH and ESP
When you configure IPSec to secure information using AH, IPSec will create an integrity check value (ICV) on each packet before it is transmitted. The receiving computer can use this ICV to ensure that the packet has not been tampered with during transmission. (This ensures the integrity of the data being transmitted.) You can use one of two hash algorithms to generate this ICV: Secure Hash Algorithm (SHA1) or Message Digest algorithm 5 (MD5).
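The ICV described above is a keyed hash: IPSec computes an HMAC over the packet with the session key and keeps only the leftmost 96 bits (HMAC-MD5-96 and HMAC-SHA-1-96, RFC 2403 and RFC 2404). The following Python script is an added illustration of that check, not code from the book or from Windows; it models the sender appending an ICV and the receiver recomputing it, using a constructed key and payload. It simplifies real AH processing (no IP header, no zeroing of mutable fields, no sequence number), so it shows why tampering or a wrong key is detected, not the exact wire format.

```python
import hashlib
import hmac

# IPSec truncates the HMAC output to the leftmost 96 bits (12 bytes),
# regardless of whether MD5 (128-bit) or SHA1 (160-bit) is the underlying hash.
ICV_LEN = 12

# The two integrity algorithms offered in the Custom Security Methods dialog.
ALGORITHMS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def compute_icv(key: bytes, payload: bytes, algorithm: str = "SHA1") -> bytes:
    """Keyed integrity check value: HMAC over the payload, truncated to 96 bits."""
    digestmod = ALGORITHMS[algorithm]
    return hmac.new(key, payload, digestmod).digest()[:ICV_LEN]


def protect(key: bytes, payload: bytes, algorithm: str = "SHA1") -> bytes:
    """Sender side: transmit the payload followed by its ICV (simplified framing)."""
    return payload + compute_icv(key, payload, algorithm)


def verify(key: bytes, packet: bytes, algorithm: str = "SHA1"):
    """Receiver side: split off the ICV, recompute it and compare in constant time.

    Returns the authenticated payload, or None if the packet must be dropped.
    """
    if len(packet) < ICV_LEN:
        return None
    payload, received = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = compute_icv(key, payload, algorithm)
    # compare_digest avoids leaking how many bytes matched through timing.
    if hmac.compare_digest(received, expected):
        return payload
    return None


def demo(algorithm: str = "SHA1") -> dict:
    """Exercise the three cases a receiver sees: intact, modified in transit, wrong key."""
    key = b"constructed-demo-key"  # constructed value; real keys come from IKE negotiation
    payload = b"GET /payroll HTTP/1.1\r\nHost: intranet\r\n\r\n"  # constructed sample data
    packet = protect(key, payload, algorithm)

    tampered = bytearray(packet)
    tampered[5] ^= 0x01  # flip one bit of the payload on the "wire"

    return {
        "intact_accepted": verify(key, packet, algorithm) == payload,
        "tampered_rejected": verify(key, bytes(tampered), algorithm) is None,
        "wrong_key_rejected": verify(b"some-other-key", packet, algorithm) is None,
    }


if __name__ == "__main__":
    for alg in ALGORITHMS:
        print(alg, demo(alg))
```

Both algorithms produce a 12-byte ICV on the wire; the choice between MD5 and SHA1 changes only the underlying hash. Because the ICV is keyed, an intermediary that alters a packet cannot recompute a valid ICV without the session key, which is what gives AH (and ESP with integrity enabled) its tamper detection.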