Information Technology Reference
In-Depth Information
How It Works
If there is a disadvantage to using IPSec, it is that the addition of integrity and encryption to
each network packet can increase the processor usage on an IPSec-enabled computer. You can
combat this by using network adapters that are capable of performing some of the “heavy
lifting” involved with IPSec on the NIC itself (similar to the SSL acceleration feature available
on other cards), rather than shunting the work off to the processor of the local computer. This
feature is known as
hardware acceleration
, and consists of a few components:
Offloading the calculation of IPSec cryptographic functions (
IPSec offload
)
Calculating TCP checksums (
checksum offload
)
Processing large TCP segments for very fast transmission (
large-send offload
)
If a Plug-and-Play NIC is capable of performing hardware offload, the card's driver will
advertise this capability to TCP/IP and IPSec when its driver initializes. TCP/IP and IPSec will
then automatically offload tasks to the NIC as needed.
For the most part, hardware acceleration is a useful process that does not require admin-
istrative intervention. However, if you are having network communication difficulties, you
may wish to temporarily disable this feature to eliminate it as a source of the trouble. You can
disable TCP/IP and IPSec hardware acceleration, IPSec hardware acceleration only, or all
hardware offload functions enabled by the NIC driver. In the latter two cases, you'll need to
reboot the target computer for the change to take effect. (You can disable TCP/IP and IPSec
hardware acceleration without a reboot.)
See Also
Microsoft TechNet: “IPSec Troubleshooting Tools” (
http://www.microsoft.com/
technet/prodtechnol/windowsserver2003/library/ServerHelp/
ebcbc96d-b236-401d-a98b-91c965a3d18f.mspx
)
Microsoft TechNet: “How IPSec Works” (
http://www.microsoft.com/
technet/prodtechnol/windowsserver2003/library/TechRef/
8fbd7659-ca23-4320-a350-6890049086bc.mspx
)
7-19. Restoring the Default IPSec Configuration
Problem
You want to restore the IPSec configuration of a Windows Server 2003 computer to the
default values.
Solution
The following command restores the Windows Server 2003 policy examples for the local
computer:
> netsh ipsec static restorepolicyexamples release = Win2003
