Supported IPsec Settings for Connection Security Rules

Connection security rules use IPsec to protect traffic between the local computer and other computers on the network. IPsec is an industry-standard set of protocols for protecting communications over IP networks using cryptographic security services. IPsec can provide network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection to ensure the security of traffic as it passes across a network. For general information concerning IPsec concepts and how IPsec can be used to protect a network, see the resources available at http://www.microsoft.com/IPsec/.

The range of IPsec features supported in Windows Vista RTM was expanded first in Windows Vista SP1 and then again in Windows 7 to include new security methods, data integrity algorithms, data encryption algorithms, and authentication protocols. The tables below summarize the key exchange algorithms, data protection (integrity and encryption) algorithms, and authentication methods supported for IPsec communications in Windows 7. Note that some algorithms are supported only in main mode or only in quick mode, and that different authentication methods are available for first and second authentication. Keep in mind that IPsec peers negotiate from the lists you configure: every algorithm left in a list for backward compatibility remains acceptable to the local computer, so a peer that offers only a weak method can still have it selected.

Supported Key Exchange Algorithms for IPsec Communications in Windows 7

Key Exchange Algorithm    Notes
Diffie-Hellman Group 1 (DH Group 1)
    Not recommended. Provided for backward compatibility only.
DH Group 2
    Stronger than DH Group 1.
DH Group 14
    Stronger than DH Group 2.
Elliptic Curve Diffie-Hellman P-256 (ECDH P-256)
    Stronger than DH Group 2. Medium resource usage. Compatible only with Windows Vista and later versions.
Elliptic Curve Diffie-Hellman P-384 (ECDH P-384)
    Strongest security. Highest resource usage. Compatible only with Windows Vista and later versions.

Supported Data Integrity Algorithms for IPsec Communications in Windows 7

Data Integrity Algorithm    Notes
Message-Digest algorithm 5 (MD5)
    Not recommended. Provided for backward compatibility only.
Secure Hash Algorithm 1 (SHA-1)
    Stronger than MD5 but uses more resources.
SHA 256-bit (SHA-256)
    Main mode only. Supported on Windows Vista SP1 and later versions.
SHA-384
    Main mode only. Supported on Windows Vista SP1 and later versions.
Advanced Encryption Standard-Galois Message Authentication Code 128-bit (AES-GMAC 128)
    Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 128 for integrity.
AES-GMAC 192
    Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 192 for integrity.
AES-GMAC 256
    Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GCM 256 for integrity.
AES-GCM 128
    Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 128 for integrity; also provides encryption (see the data encryption table).
AES-GCM 192
    Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 192 for integrity; also provides encryption (see the data encryption table).
AES-GCM 256
    Quick mode only. Supported on Windows Vista SP1 and later versions. Equivalent to AES-GMAC 256 for integrity; also provides encryption (see the data encryption table).

Supported Data Encryption Algorithms for IPsec Communications in Windows 7

Data Encryption Algorithm    Notes
Data Encryption Standard (DES)
    Not recommended. Provided for backward compatibility only.
Triple-DES (3DES)
    Stronger than DES, with higher resource usage.
Advanced Encryption Standard-Cipher Block Chaining 128-bit (AES-CBC 128)
    Faster and stronger than DES. Supported on Windows Vista and later versions.
AES-CBC 192
    Stronger than AES-CBC 128. Medium resource usage. Supported on Windows Vista and later versions.
AES-CBC 256
    Strongest security of the CBC modes. Highest resource usage. Supported on Windows Vista and later versions.
AES-GCM 128
    Quick mode only. Faster and stronger than DES. Supported on Windows Vista SP1 and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
AES-GCM 192
    Quick mode only. Medium resource usage. Supported on Windows Vista SP1 and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
AES-GCM 256
    Quick mode only. Strongest security. Highest resource usage. Supported on Windows Vista SP1 and later versions. The same AES-GCM algorithm must be specified for both data integrity and encryption.
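The tables above list what the Windows 7 IPsec stack accepts; which of those algorithms a computer actually offers is set with netsh advfirewall, the tool Windows 7 provides for this. The following batch script is an added example, not part of the original page: it replaces the main mode proposal list with one built from the key exchange and integrity tables, then creates a connection security rule whose quick mode proposals show the AES-GCM pairing constraint, and finally checks what was negotiated. The rule name, the any-to-any endpoints, and the PFS group are illustrative choices; the legacy proposal list shown in the comments is there only as the weak setting to contrast with.

```batch
@echo off
REM Added example (not from the original page): select IPsec algorithms on
REM Windows 7 with netsh advfirewall. Run from an elevated command prompt.
REM The rule name, endpoints and PFS group are illustrative choices.

REM ---- Main mode (IKE key exchange, encryption and integrity) ----
REM Each proposal is keyexchange:encryption-integrity; proposals are offered
REM in the order listed, and anything listed can be selected by a peer that
REM prefers it. A legacy list such as this one lets a peer settle on DH
REM group 1, DES and MD5, the entries the tables mark "not recommended":
REM   netsh advfirewall set global mainmode mmsecmethods dhgroup2:aes128-sha1,dhgroup1:des-md5
REM The list below prefers ECDH P-384 with AES-256 and SHA-384 and keeps a
REM DH group 14 proposal for peers without ECDH support. SHA-256 and SHA-384
REM are main mode only and valid here; AES-GCM and AES-GMAC are not.
netsh advfirewall set global mainmode mmsecmethods ecdhp384:aes256-sha384,ecdhp256:aes256-sha256,dhgroup14:aes256-sha256
if errorlevel 1 goto :fail

REM ---- Quick mode (ESP integrity and encryption) ----
REM Proposals are esp:integrity-encryption in preference order. AES-GCM is
REM quick mode only, and an AES-GCM integrity algorithm must be paired with
REM the same AES-GCM encryption algorithm, so a mixed proposal such as
REM   qmsecmethods=esp:aesgcm256-aes256
REM is rejected. SHA-1 with AES-CBC 256 is the fallback for peers that do
REM not support GCM (MD5 is the only other non-GCM quick mode integrity
REM choice and is not recommended). PFS forces a fresh ECDH exchange per
REM quick mode SA instead of reusing main mode keying material.
netsh advfirewall consec add rule name="IPsec-StrongCrypto" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequestout ^
    auth1=computerkerb ^
    qmpfs=ecdhp256 ^
    qmsecmethods=esp:aesgcm256-aesgcm256,esp:aesgcm128-aesgcm128,esp:sha1-aes256
if errorlevel 1 goto :fail

REM ---- Verify ----
REM Confirm the stored policy, then inspect live security associations to see
REM what was actually negotiated with each peer. A proposal you consider weak
REM showing up in the SA list means a peer selected it, which is the point of
REM trimming the offered lists rather than relying on their order alone.
netsh advfirewall show global
netsh advfirewall consec show rule name="IPsec-StrongCrypto"
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
exit /b 0

:fail
echo netsh reported an error; check the syntax with "netsh advfirewall consec add rule ?"
exit /b 1
```

The main mode setting is global for the computer, while quick mode proposals belong to each connection security rule, so a rule that omits qmsecmethods falls back to the computer's default quick mode list; the verification step at the end shows both.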

Supported First Authentication Methods for IPsec Communications in Windows 7

First Authentication Method    Notes
Computer (Kerberos V5)
    Compatible with Microsoft Windows 2000 or later versions.
Computer (NTLMv2)
    Use on networks that include systems running an earlier version of Windows and on standalone (non-domain) systems.
Computer certificate
    The default signing algorithm is RSA, but Elliptic Curve Digital Signature Algorithm (ECDSA) with the P-256 and P-384 curves (ECDSA-P256 and ECDSA-P384) is also supported. New in Windows 7 is support for naming an intermediate CA as the trusted issuer for the rule, in addition to the root CA that Windows Vista required. Certificate-to-account mapping is also supported. First authentication can also be configured to accept only health certificates when using a NAP infrastructure.
Pre-shared key
    Not recommended. The key is stored in plain text in the policy and must be shared with every peer, so use it only for testing or troubleshooting.

Supported Second Authentication Methods for IPsec Communications in Windows 7

Second Authentication Method    Notes
User (Kerberos V5)
    Compatible with Windows 2000 or later versions.
User (NTLMv2)
    Use on networks that include systems running an earlier version of Windows and on standalone (non-domain) systems.
User certificate
    The default signing algorithm is RSA, but ECDSA-P256 and ECDSA-P384 are also supported. New in Windows 7 is support for naming an intermediate CA as the trusted issuer for the rule, in addition to the root CA that Windows Vista required. Certificate-to-account mapping is also supported.
Computer health certificate
    Allows a NAP health certificate to serve as the second authentication. The same signing and CA options apply as for a user certificate: RSA by default with ECDSA-P256 and ECDSA-P384 also supported, a root CA or (new in Windows 7) an intermediate CA as the trusted issuer, and certificate-to-account mapping.
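The two authentication tables describe methods that are combined in a single rule: first authentication proves which computer is at the other end, second authentication proves which user (or which health state) is behind it. The batch script below is an added example, not part of the original page, showing a domain isolation rule that uses both. It assumes a fictional Contoso PKI; the rule name and the CA distinguished name are placeholders, and the commented-out variants show the NAP health certificate and pre-shared key options from the first authentication table.

```batch
@echo off
REM Added example (not from the original page): a domain isolation rule that
REM combines first (computer) and second (user) authentication on Windows 7.
REM Run from an elevated command prompt. The rule name and the CA
REM distinguished name are assumed values for a fictional Contoso PKI.

REM First authentication (auth1) identifies the computer and is tried in the
REM order listed: Kerberos for domain members, then an ECDSA P-256 computer
REM certificate for machines that cannot reach a domain controller. The CA
REM named in auth1ecdsap256ca must have issued the peer's certificate.
REM Second authentication (auth2) identifies the user, so a process running
REM on a trusted computer cannot satisfy the rule with machine credentials
REM alone; a user certificate is the fallback for accounts without Kerberos.
netsh advfirewall consec add rule name="DomainIsolation-ComputerAndUser" ^
    endpoint1=any endpoint2=any ^
    action=requireinrequestout ^
    auth1=computerkerb,computercertecdsap256 ^
    auth1ecdsap256ca="CN=Contoso Issuing CA,DC=contoso,DC=com" ^
    auth2=userkerb,usercert ^
    auth2ca="CN=Contoso Issuing CA,DC=contoso,DC=com"
if errorlevel 1 goto :fail

REM On Windows 7 the CA string can carry extra keywords for certificate-to-
REM account mapping and for treating the named CA as an intermediate rather
REM than a root; check "netsh advfirewall consec add rule ?" on the target
REM build for the exact keywords before relying on them.

REM NAP variant (first authentication only): restrict the computer
REM certificate to health certificates issued by the Contoso CA.
REM   auth1=computercert auth1ca="CN=Contoso Issuing CA,DC=contoso,DC=com" auth1healthcert=yes

REM Not recommended: a pre-shared key sits in plain text in the policy on
REM every peer, so a single compromised member exposes the whole group.
REM Shown only as the weak setting to avoid.
REM   auth1=computerpsk auth1psk=TestOnlyKey

REM ---- Verify ----
REM Show the stored rule, then (after traffic has flowed) the main mode SAs,
REM which record the first and second authentication each peer completed.
netsh advfirewall consec show rule name="DomainIsolation-ComputerAndUser"
netsh advfirewall monitor show mmsa
exit /b 0

:fail
echo netsh reported an error; check the syntax with "netsh advfirewall consec add rule ?"
exit /b 1
```

With action=requireinrequestout the computer refuses unauthenticated inbound connections but only requests authentication outbound, which is the usual first step for a domain isolation rollout; switch to requireinrequireout once every peer that must be reached can complete both authentications.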