7-7. Managing Key Exchange Settings
Problem
You want to configure key exchange settings for an IPSec policy, to define how cryptographic
keys are handled during IPSec communications.
Solution
Using a Graphical User Interface
1. Open the Group Policy Management Console or the IP Security Policy Management
   MMC snap-in.
2. Navigate to Computer Configuration\Windows Settings\IP Security Settings.
3. Right-click the policy for which you want to configure key exchange settings and
   select Properties.
4. On the General tab, click Settings under the Perform Key Exchange Using Additional
   Settings section.
5. Place a check mark next to Master Key Perfect Forward Secrecy (PFS) to force IPSec to
   generate a new master key whenever it creates a new session.
6. To change the default values that define how often IPSec generates a new key, place a
   new value in one or both of the following text boxes:
   • Authenticate and generate a new key after every XXX minutes
   • Authenticate and generate a new key after every XXX sessions
7. To customize the security methods used by IPSec for key exchange, click the Methods
   button to create new security methods or modify existing methods. Click Add to create
   a new Internet Key Exchange method. You'll need to configure the following three settings:
   • Integrity Algorithm: Choose from MD5 or SHA1
   • Encryption Algorithm: Select DES or 3DES
   • Diffie-Hellman Group: Select Low (1), Medium (2), or High (2048)
8. Click OK to save your settings.
Using a Command-Line Interface
The following command creates an IPSec policy called Custom Security Policy that uses master
key perfect forward secrecy:
> netsh ipsec static add policy name="Custom Security Policy" mmpfs=yes
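The remaining GUI settings (steps 6 and 7) can be applied to the same policy from the command line. The batch file below is an added example, not part of the original text; the 240-minute lifetime and the order of the methods are assumptions chosen for illustration, and the methods use only the strongest of the options the dialog offers.

```bat
@echo off
rem Added example: apply key exchange settings to the policy created above.
rem Run from an elevated command prompt on the machine that stores the policy.
setlocal
set "POLICY=Custom Security Policy"

rem mmlifetime   = "Authenticate and generate a new key after every XXX minutes"
rem                (240 is an assumed value, not a recommendation from the text)
rem mmsecmethods = key exchange methods in preference order, each written as
rem                ConfAlg-HashAlg-GroupNum:
rem                  ConfAlg  : DES or 3DES
rem                  HashAlg  : MD5 or SHA1
rem                  GroupNum : 1 = Low (1), 2 = Medium (2), 3 = High (2048)
rem Only 3DES/SHA1 with the two larger Diffie-Hellman groups are listed here,
rem so DES, MD5 and group 1 are never offered during negotiation.
netsh ipsec static set policy name="%POLICY%" mmlifetime=240 mmsecmethods="3DES-SHA1-3 3DES-SHA1-2"

rem Display the stored policy so the PFS flag, lifetime and method list
rem can be checked against what was intended.
netsh ipsec static show policy name="%POLICY%" level=verbose

endlocal
```

Note that the High (2048) choice in the dialog is written as group number 3 in mmsecmethods, not 2048.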