You can also configure ESP to encrypt and authenticate the payload. Like AH, ESP can use SHA1 or MD5 as its integrity algorithm, and it uses either Data Encryption Standard (DES) or Triple DES (3DES) as its encryption algorithm. The difference between AH and ESP is that AH ensures the integrity of the entire packet for transmission, including its headers, whereas ESP protects only the integrity of the ESP header and the packet payload; the remaining headers are unprotected.
Using the Command-Line Interface
Using the command-line interface, the qmsecmethods = switch requires a seemingly daunting syntax to add custom security methods, but it is quite logical once you break it into its component parts. To create a custom security method, you use one of the following three string formats:

ESP[ConfAlg,AuthAlg]:k/s
Specifies an ESP encryption and integrity algorithm, but no AH integrity algorithm. ConfAlg is the ESP encryption algorithm, either DES or 3DES. AuthAlg is the ESP integrity algorithm, either MD5 or SHA1. k is the number of kilobytes that corresponds to the Generate a New Key Every XXX Kilobytes setting, and s is the number of seconds that corresponds to the Generate a New Key Every XXX Seconds setting.

AH[HashAlg]:k/s
Specifies an AH integrity algorithm, but no ESP settings. HashAlg is the AH integrity algorithm, either MD5 or SHA1. k and s are the kilobyte and second values for the Generate a New Key Every XXX Kilobytes and Generate a New Key Every XXX Seconds settings, as above.

AH[HashAlg]+ESP[ConfAlg,AuthAlg]:k/s
Specifies both an AH and an ESP configuration. HashAlg is the AH integrity algorithm, either MD5 or SHA1. ConfAlg is the ESP encryption algorithm, either DES or 3DES. AuthAlg is the ESP integrity algorithm, either MD5 or SHA1. k and s are the kilobyte and second values for the Generate a New Key Every XXX Kilobytes and Generate a New Key Every XXX Seconds settings, as above.
You can specify multiple security methods in one command by separating them with spaces; because the value then contains spaces, enclose it in quotes. Here is an example:

> netsh ipsec static add filteraction name = "Custom Security" action = negotiate qmsecmethods = "ESP[3DES,SHA1] AH[MD5]+ESP[3DES,SHA1]"
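A small parser for the qmsecmethods string, added here as an illustration (it is not code from the book or from netsh). It checks each method against the three formats above, treats the :k/s lifetime suffix as optional (as in the example command), assumes AH must precede ESP in the combined form, and flags DES and MD5 so a reviewer can spot weak choices in a policy before it is applied.

```python
import re

# Grammar from the text: ESP[ConfAlg,AuthAlg]:k/s | AH[HashAlg]:k/s | AH[HashAlg]+ESP[ConfAlg,AuthAlg]:k/s
CONF_ALGS = {"DES", "3DES"}   # ESP encryption algorithms named on the page
AUTH_ALGS = {"MD5", "SHA1"}   # ESP/AH integrity algorithms named on the page
WEAK_ALGS = {"DES", "MD5"}    # algorithms a reviewer should flag (assumption, not from the page)

_LIFETIME = re.compile(r"^(?P<algs>.+?)(?::(?P<k>\d+)/(?P<s>\d+))?$")
_AH = re.compile(r"^AH\[(\w+)\]$", re.I)
_ESP = re.compile(r"^ESP\[(\w+),(\w+)\]$", re.I)


def parse_method(text):
    """Parse one security method into a dict; raise ValueError on bad syntax or algorithm."""
    m = _LIFETIME.match(text.strip())
    if not m or not m["algs"]:
        raise ValueError(f"malformed method: {text!r}")
    method = {"ah": None, "esp": None,
              "kilobytes": int(m["k"]) if m["k"] else None,
              "seconds": int(m["s"]) if m["s"] else None}
    parts = m["algs"].split("+")
    if len(parts) > 2:
        raise ValueError(f"at most one AH and one ESP component allowed: {text!r}")
    for i, part in enumerate(parts):
        ah, esp = _AH.match(part), _ESP.match(part)
        if ah:
            if i != 0 or method["ah"]:            # AH, when present, comes first and only once
                raise ValueError(f"misplaced AH component in {text!r}")
            alg = ah.group(1).upper()
            if alg not in AUTH_ALGS:
                raise ValueError(f"unknown AH integrity algorithm {alg!r}")
            method["ah"] = alg
        elif esp:
            if method["esp"]:
                raise ValueError(f"duplicate ESP component in {text!r}")
            conf, auth = esp.group(1).upper(), esp.group(2).upper()
            if conf not in CONF_ALGS or auth not in AUTH_ALGS:
                raise ValueError(f"unknown ESP algorithm pair {conf!r},{auth!r}")
            method["esp"] = (conf, auth)
        else:
            raise ValueError(f"unrecognised component {part!r} in {text!r}")
    return method


def parse_qmsecmethods(value):
    """Parse a space-separated qmsecmethods value into a list of method dicts."""
    methods = [parse_method(t) for t in value.split()]
    if not methods:
        raise ValueError("qmsecmethods value is empty")
    return methods


def weak_algorithms(method):
    """Return the set of weak (DES/MD5) algorithms a parsed method relies on."""
    used = set(method["esp"] or ()) | ({method["ah"]} if method["ah"] else set())
    return used & WEAK_ALGS
```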
See Also

Microsoft TechNet: "Security Information for IPSec" (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/e9ee44d6-4ac8-4626-8012-7b46a4258c05.mspx)

Microsoft TechNet: "IPSec Architecture" (http://www.microsoft.com/technet/itsolutions/network/security/ipsecarc.mspx)