IPSec set AH and ESP, active policy questions
chief120
Member Posts: 6 ■□□□□□□□□□
I have been studying Technet IPSec articles. It's starting to make sense but I have a couple of questions.
1. I know the difference between AH and ESP. Where can you specify if you want to use AH or ESP using the more secure IPSec policies provided by Windows Firewall with Advanced Security? I found in Group Policy you can set it under Computer Configuration\Windows settings\security settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP...\Windows Firewall Properties\ IPSec Settings tab\IPSec Defaults Customize button\Data protection section. Is there a way to configure this on a per Connection Security Rule basis? I looked through the tabs and nothing jumped out at me.
2. I found the following note in one of the articles: "Only one IPsec policy can be active on a computer at a time. The Group Policy Management Editor allows you to specify only one active IPsec policy in a GPO, but if multiple GPOs with IPsec policies apply to a computer, then the IPsec policy that applies to the computer depends on the precedence of the GPOs and the order in which they are applied." (Assign an IPsec Policy to a GPO for Earlier Versions of Windows). Does that just apply to the IPSec policies created for backwards compatibility, as found in Group Policy under Computer Configuration\Windows settings\IP Security Policies? I've been trying to wrap my brain around how I could create one IPSec policy per server or OU or whatever that would keep it secure yet allow non domain joined devices or what have you to communicate with it.
Thanks!
Matthew
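As an added example that is not part of the original post, the following PowerShell (NetSecurity module, Windows 8 / Server 2012 and later) shows the per-rule counterpart of the firewall-wide "IPSec Defaults" data protection setting described above: a Connection Security Rule can be bound to its own quick mode crypto set, and the crypto set's proposal is where AH or ESP encapsulation is chosen. The rule names, the Contoso prefix, the addresses and the SHA256/AES256 algorithm picks are placeholder assumptions, and the script assumes the cmdlets return the objects they create.

```powershell
# Added example (not from the original post): choosing AH or ESP per
# Connection Security Rule instead of via the firewall-wide IPsec default.
# "Contoso-*" names and 10.0.0.x addresses are placeholder values.

# Quick mode proposals. ESP gives integrity plus confidentiality;
# AH gives integrity only (no encryption) and does not survive NAT.
$espProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
$ahProposal  = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH  -AHHash SHA256

# One crypto set per proposal; a set can hold several proposals in preference order.
$espSet = New-NetIPsecQuickModeCryptoSet -DisplayName "Contoso-QM-ESP" -Proposal $espProposal
$ahSet  = New-NetIPsecQuickModeCryptoSet -DisplayName "Contoso-QM-AH"  -Proposal $ahProposal

# Two Connection Security Rules, each bound to its own crypto set, so the
# AH/ESP decision travels with the rule. Add -PolicyStore "domain\GPO name"
# to write a rule into a GPO instead of the local policy store.
New-NetIPsecRule -DisplayName "Contoso-ESP-to-FileServer" `
    -RemoteAddress 10.0.0.10 `
    -InboundSecurity Require -OutboundSecurity Request `
    -QuickModeCryptoSet $espSet.Name

New-NetIPsecRule -DisplayName "Contoso-AH-Subnet" `
    -RemoteAddress 10.0.0.0/24 `
    -InboundSecurity Request -OutboundSecurity Request `
    -QuickModeCryptoSet $ahSet.Name

# Check which crypto set each rule actually references.
Get-NetIPsecRule -DisplayName "Contoso-*" |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, QuickModeCryptoSet
```

The Require/Request split on the ESP rule is what lets a tightly secured server still hear from peers that cannot negotiate IPsec on the outbound side while insisting on it inbound; which peers are allowed to authenticate at all is governed separately by the rule's phase 1 and phase 2 authentication sets, not by the crypto set.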