Windows 7 / Networking

---

Supported IPsec Settings for Connection Security Rules

Connection security rules use IPsec to protect traffic between the local computer and other computers on the network. IPsec is an industry-standard set of protocols for protecting communications over IP networks using cryptographic security services. IPsec can provide network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection to ensure the security of traffic as it passes across a network. For general information concerning IPsec concepts and how IPsec can be used to protect a network, see the resources available at http://www.microsoft.com/IPsec/.

The range of IPsec features supported previously in the Windows Vista RTM has been expanded, first in Windows Vista SP1 and later versions in Windows 7 to include new security methods, data integrity algorithms, data encryption algorithms, and authentication protocols. Tables below summarize the key exchange algorithms, data protection (integrity or encryption) algorithms, and authentication methods now supported for IPsec communications in Windows 7. Note that some algorithms are supported only for main mode or quick mode, and different authentication methods are supported for first and second authentication.

Supported Key Exchange Algorithms for IPsec Communications in Windows 7

Key Exchange Algorithm	Notes
Diffie-Hellman Group 1 (DH Group 1)	Not recommended. Provided for backward compatibility only.
DH Group 2	Stronger than DH Group 1.
DH Group 14	Stronger than DH Group 2.
Elliptic Curve Diffie-Hellman P-256	Stronger than DH Group 2. Medium resource usage. Compatible only with Windows Vista and later versions.
Elliptic Curve Diffie-Hellman P-384	Strongest security. Highest resource usage. Compatible only with Windows Vista and later versions.

Supported Data Integrity Algorithms for IPsec Communications in Windows 7

Data Integrity Algorithm	Notes
Message-Digest algorithm 5 (MD5)	Not recommended. Provided for backward compatibility only.
Secure Hash Algorithm 1 (SHA-1)	Stronger than MD5 but uses more resources.
SHA 256-bit (SHA-256)	Main mode only. Supported on Windows Vista SP1 and later versions.
SHA-384	Main mode only. Supported on Windows Vista SP1 and later versions.
Advanced Encryption Standard-Galois Message Authentication Code 128 bit (AES-GMAC 128)	Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 128 for integrity.
AES-GMAC 192	Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 192 for integrity.
AES-GMAC 256	Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 256 for integrity.
AES-GCM 128	Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 128 for integrity.
AES-GCM 192	Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 192 for integrity.
AES-GCM 256	Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 256 for integrity.

Supported Data Encryption Algorithms for IPsec Communications in Windows 7

Data Encryption Algorithm	Notes
Data Encryption Standard (DES)	Not recommended. Provided for backward compatibility only.
Triple-DES (3DES)	Higher resource usage than DES.
Advanced Encryption Standard-Cipher Block Chaining 128-bit (AES-CBC 128)	Faster and stronger than DES. Supported on Windows Vista and later versions.
AES-CBC 192	Stronger than AES-CBC 128. Medium resource usage. Supported on Windows Vista and later versions.
AES-CBC 256	Strongest security. Highest resource usage. Supported on Windows Vista and later versions.
AES-GCM 128	Quick mode only. Faster and stronger than DES. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
AES-GCM 192	Quick mode only. Medium resource usage. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
AES-GCM 256	Quick mode only. Faster and stronger than DES. Supported on Windows Vista and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.

Supported Key Exchange Algorithms for IPsec Communications in Windows 7

First Authentication Method	Notes
Computer (Kerberos V5)	Compatible with Microsoft Windows 2000 or later versions.
Computer (NTLMv2)	Use on networks that include systems running an earlier version of Windows and on standalone systems.
Computer certificate	The default signing algorithm is RSA, but Elliptic Curve Digital Signature Algorithm (ECDSA)-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported. First authentication can also be configured to accept only health certificates when using a NAP infrastructure.
Pre-shared key	Not recommended.

Supported Second Authentication Methods for IPsec Communications in Windows 7

User (Kerberos V5)	Compatible with Windows 2000 or later versions.
User (NTLMv2)	Use on networks that include systems running an earlier version of Windows and on standalone systems.
User certificate	The default signing algorithm is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported.
Computer health certificate	The default signing algorithm is RSA, but ECDSA-P256 and ECDSA-P384 are also supported signing algorithms. New in Windows 7 is added support for using an intermediate CA as a certificate store in addition to using a root CA as was previously supported in Windows Vista. Certificate to account mapping is also supported.