Solution
Using a Command-Line Interface
The following command configures IPSec to exempt multicast, broadcast, and Internet
Security Association and Key Management Protocol (ISAKMP) traffic from filtering, while
continuing to filter Kerberos and Resource Reservation Protocol (RSVP) traffic:
> netsh ipsec dynamic set config ipsecexempt value=1
Note: You must reboot the computer for this change to take effect.
Using the Registry
To exempt only ISAKMP traffic from IPSec filtering, create the following
Registry value and reboot the computer:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"NoDefaultExempt"=dword:00000003
Using VBScript
The following script exempts multicast, broadcast, RSVP, Kerberos, and ISAKMP traffic from
IPSec filtering:
' This code specifies that multicast, broadcast, RSVP, Kerberos,
' and ISAKMP traffic are exempt from IPSec filtering
' (This is the default configuration of Windows 2000 and Windows XP)
' ------ SCRIPT CONFIGURATION ------
Const HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
exemptions = 0 ' 0 exempts all five traffic types listed above.
               ' Can be set to 0, 1, 2, or 3. See How It Works for
               ' an explanation of each setting
' ------ END CONFIGURATION ---------
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")
KeyPath = "SYSTEM\CurrentControlSet\Services\IPSec"
strValueName = "NoDefaultExempt" ' Name of the registry value to set
' SetDWORDValue takes the hive, key path, value name, then the data
oReg.SetDWORDValue HKEY_LOCAL_MACHINE, KeyPath, strValueName, exemptions
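To check which exemptions a computer currently has before or after changing them, the following script reads NoDefaultExempt and reports the traffic types that bypass IPSec filtering. It is an added example, not code from the original text; the function name DescribeExemptions is made up for illustration, and the meaning of value 2 is not stated on this page and follows Microsoft's documentation of the setting.

```vbscript
' Added example: report which traffic types are exempt from IPSec filtering
Option Explicit
Const HKEY_LOCAL_MACHINE = &H80000002
Const KEY_PATH = "SYSTEM\CurrentControlSet\Services\IPSec"
Const VALUE_NAME = "NoDefaultExempt"

Dim strComputer, oReg, rc, dwValue
strComputer = "."   ' Assumption: local computer; use a host name to audit remotely

Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

' GetDWORDValue returns 0 on success and fills dwValue; a missing
' value gives a non-zero return code and leaves dwValue Null
rc = oReg.GetDWORDValue(HKEY_LOCAL_MACHINE, KEY_PATH, VALUE_NAME, dwValue)

If rc <> 0 Or IsNull(dwValue) Then
    WScript.Echo VALUE_NAME & " is not set; the operating system default applies."
    WScript.Quit 0
End If

WScript.Echo VALUE_NAME & " = " & dwValue
WScript.Echo "Exempt from IPSec filtering: " & DescribeExemptions(dwValue)

' Anything other than 3 lets traffic besides ISAKMP bypass the filters
If dwValue <> 3 Then
    WScript.Echo "Review: traffic other than ISAKMP bypasses IPSec filters."
End If

' Hypothetical helper: map the setting to the exempt traffic types
Function DescribeExemptions(value)
    Select Case value
        Case 0
            DescribeExemptions = "multicast, broadcast, RSVP, Kerberos, ISAKMP"
        Case 1
            DescribeExemptions = "multicast, broadcast, ISAKMP"
        Case 2
            DescribeExemptions = "RSVP, Kerberos, ISAKMP"
        Case 3
            DescribeExemptions = "ISAKMP only"
        Case Else
            DescribeExemptions = "unknown (value outside 0-3)"
    End Select
End Function
```

Run it with cscript.exe so the output goes to the console rather than to message boxes.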