IPsec filter rule order
My understanding is that 2008 Connection Security rules are ordered in the same way as 2003 IPsec filters: i.e. the most specific filter evaluates first. 2003 calculated "weights" for this; 2008 does not, so presumably evaluates on the fly?

Is there any way to monitor this ordering for Connection Security rules like there is in the IP Security Monitor snap-in? At the moment I'm having to use a "suck-it-and-see" approach.

Also there appears to be a bug in IPsec filtering such that if there were the following filters:

    192.168.10.0/24 <-> 192.168.10.0/24
    192.168.10.1 <-> 192.168.0.0/16

The Subnet-Subnet filter would evaluate BEFORE the SpecificIP-Subnet because the Subnet was less specific (2003 ignores the specific IP in this case, which is not as it should be). I'm sure this is something SP2 broke because I'm sure this didn't use to happen? To fix this now requires an additional filter of:

    192.168.10.1 <-> 192.168.10.0/24

Multiply this fix by the number of filters and subnets in use and it is a major headache!

I have yet to determine if Connection Security makes the same mistake: does anyone know? Does anyone know why this filter ordering has broken?

Paul
August 6th, 2009 1:26pm

I am still struggling with Connection Security doing "unpredictable" things, so I'll try rewording my question...

Back in the 2003 days IPsec rule ordering was well documented and the applied results would display in the IP Security Monitor, so you could ensure that filters were evaluated in the order you intended. A much-referenced article on ordering was:

http://technet.microsoft.com/en-gb/library/bb877982.aspx

Now how do I know what 2008 is doing with filter ordering in Connection Security? Is there a similar document explaining the ordering? Is there any way to view the actual result of what is applied and in what order?

I should also make it clear that the bug described above only applies to IPsec policies applied to Windows 2003: I can be confident it is a bug because the 2003 IP Security Monitor actually displays the filters in the incorrect order. How can I be confident 2008 gets it right with Connection Security filters when it will provide no such monitoring (seemingly)?

Paul
August 17th, 2009 10:27am

The reply is late, but hopefully it will help others.

You can get the filter weights using WFP. Open an admin command prompt and type the following:

    netsh wfp show state

An XML file will be dumped. In that XML file, look up your policy name in a filter. The filter will have a layer, sublayer and effective weight. A higher effective weight means a more specific filter and a higher precedence. In a sublayer, once a permit or block is hit, no other filter in the same sublayer is evaluated. There could be other reasons for only one of them being triggered.

A filter looks something like this (I have anonymized the values; the comments are mine):

    <item>
      <filterKey>{filterkey guid}</filterKey>
      <displayData>
        <name>Policy Name</name>
        <description/>
      </displayData>
      <flags/>
      <providerKey>{provider key guid}</providerKey>
      <providerData>
        <data>1b5c040000000000</data>
        <asString>.\......</asString>
      </providerData>
      <!-- Layer and sublayer: -->
      <layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V4</layerKey>
      <subLayerKey>FWPM_SUBLAYER_UNIVERSAL</subLayerKey>
      <weight>
        <type>FWP_EMPTY</type>
      </weight>
      <filterCondition numItems="3">
        <item>
          <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey>
          <matchType>FWP_MATCH_RANGE</matchType>
          <conditionValue>
            <type>FWP_RANGE_TYPE</type>
            <rangeValue>
              <valueLow>
                <type>FWP_UINT32</type>
                <uint32>10.10.10.1</uint32>
              </valueLow>
              <valueHigh>
                <type>FWP_UINT32</type>
                <uint32>10.10.10.255</uint32>
              </valueHigh>
            </rangeValue>
          </conditionValue>
        </item>
        <!-- Check that the profile here is the profile your interface is using. -->
        <item>
          <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue>
            <type>FWP_UINT32</type>
            <uint32>3</uint32>
          </conditionValue>
        </item>
        <item>
          <fieldKey>FWPM_CONDITION_IP_LOCAL_ADDRESS_TYPE</fieldKey>
          <matchType>FWP_MATCH_EQUAL</matchType>
          <conditionValue>
            <type>FWP_UINT8</type>
            <uint8>1</uint8>
          </conditionValue>
        </item>
      </filterCondition>
      <action>
        <type>FWP_ACTION_PERMIT</type>
        <filterType/>
      </action>
      <rawContext>0</rawContext>
      <reserved/>
      <filterId>4412316</filterId>
      <!-- This is the weight; a higher weight means a more specific filter. -->
      <effectiveWeight>
        <type>FWP_UINT64</type>
        <uint64>486397555849036031</uint64>
      </effectiveWeight>
    </item>

========

I contribute to this forum in personal capacity, my answers are not official MSFT viewpoints and MSFT will not take responsibility for my postings.
June 12th, 2011 5:12am
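Reading effectiveWeight values out of a large wfpstate.xml by hand is tedious, so the following script (an added example, not code from either poster or from Microsoft) parses a dump in the shape quoted in the reply, lists the filters of one layer/sublayer highest effective weight first, and reports which PERMIT/BLOCK filter would terminate evaluation for a given remote IPv4 address. The embedded XML is a constructed sample modelled on the excerpt above, not a real dump; the element paths it relies on (filterKey, displayData/name, layerKey, subLayerKey, filterCondition/item, action/type, effectiveWeight/uint64) and the dotted-quad uint32 encoding are taken from the quoted excerpt and assumed to hold for the real file. The matcher only evaluates FWPM_CONDITION_IP_REMOTE_ADDRESS and assumes every other condition (profile, address type, ports) matches, which is a deliberate simplification.

```python
"""Rank WFP filters by effective weight from a `netsh wfp show state` dump (wfpstate.xml)."""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample (not a real dump) in the shape of the quoted wfpstate.xml excerpt:
# a /24 PERMIT filter and a single-host PERMIT filter in the same layer/sublayer, plus a
# BLOCK filter in another layer that must not influence the inbound result. Weights and
# GUIDs are made up; the host filter is given the larger (more specific) weight.
SAMPLE_WFPSTATE = """<?xml version="1.0"?>
<wfpstate><filters>
  <item>
    <filterKey>{00000000-0000-0000-0000-00000000000a}</filterKey>
    <displayData><name>Subnet 192.168.10.0/24</name><description/></displayData>
    <layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_UNIVERSAL</subLayerKey>
    <filterCondition numItems="2">
      <item>
        <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey><matchType>FWP_MATCH_RANGE</matchType>
        <conditionValue><type>FWP_RANGE_TYPE</type><rangeValue>
          <valueLow><type>FWP_UINT32</type><uint32>192.168.10.0</uint32></valueLow>
          <valueHigh><type>FWP_UINT32</type><uint32>192.168.10.255</uint32></valueHigh>
        </rangeValue></conditionValue>
      </item>
      <item>
        <fieldKey>FWPM_CONDITION_CURRENT_PROFILE_ID</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
        <conditionValue><type>FWP_UINT32</type><uint32>3</uint32></conditionValue>
      </item>
    </filterCondition>
    <action><type>FWP_ACTION_PERMIT</type></action>
    <filterId>100</filterId>
    <effectiveWeight><type>FWP_UINT64</type><uint64>486397555849036031</uint64></effectiveWeight>
  </item>
  <item>
    <filterKey>{00000000-0000-0000-0000-00000000000b}</filterKey>
    <displayData><name>Host 192.168.10.1</name><description/></displayData>
    <layerKey>FWPM_LAYER_INBOUND_TRANSPORT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_UNIVERSAL</subLayerKey>
    <filterCondition numItems="1">
      <item>
        <fieldKey>FWPM_CONDITION_IP_REMOTE_ADDRESS</fieldKey><matchType>FWP_MATCH_EQUAL</matchType>
        <conditionValue><type>FWP_UINT32</type><uint32>192.168.10.1</uint32></conditionValue>
      </item>
    </filterCondition>
    <action><type>FWP_ACTION_PERMIT</type></action>
    <filterId>101</filterId>
    <effectiveWeight><type>FWP_UINT64</type><uint64>486397555849036287</uint64></effectiveWeight>
  </item>
  <item>
    <filterKey>{00000000-0000-0000-0000-00000000000c}</filterKey>
    <displayData><name>Block all outbound</name><description/></displayData>
    <layerKey>FWPM_LAYER_OUTBOUND_TRANSPORT_V4</layerKey>
    <subLayerKey>FWPM_SUBLAYER_UNIVERSAL</subLayerKey>
    <filterCondition numItems="0"/>
    <action><type>FWP_ACTION_BLOCK</type></action>
    <filterId>102</filterId>
    <effectiveWeight><type>FWP_UINT64</type><uint64>999999999999999999</uint64></effectiveWeight>
  </item>
</filters></wfpstate>
"""

TERMINATING = ("FWP_ACTION_PERMIT", "FWP_ACTION_BLOCK")


def filters_from_root(root):
    """One dict per filter <item>; filter items are told apart from nested condition
    <item>s by having a direct <filterKey> child."""
    out = []
    for it in root.iter("item"):
        if it.find("filterKey") is None:
            continue
        conds = []
        for c in it.findall("filterCondition/item"):
            low = c.findtext("conditionValue/rangeValue/valueLow/uint32")
            high = c.findtext("conditionValue/rangeValue/valueHigh/uint32")
            value = (low, high) if low is not None else c.findtext("conditionValue/uint32")
            conds.append((c.findtext("fieldKey", ""), c.findtext("matchType", ""), value))
        out.append({
            "name": it.findtext("displayData/name", ""),
            "layer": it.findtext("layerKey", ""),
            "sublayer": it.findtext("subLayerKey", ""),
            "action": it.findtext("action/type", ""),
            "weight": int(it.findtext("effectiveWeight/uint64", "0")),
            "conditions": conds,
        })
    return out


def parse_filters(xml_text):
    return filters_from_root(ET.fromstring(xml_text))


def load_filters(path):
    return filters_from_root(ET.parse(path).getroot())


def evaluation_order(filters, layer, sublayer):
    """Filters of one layer/sublayer, highest effective weight first: the order WFP
    evaluates them in."""
    sel = [f for f in filters if f["layer"] == layer and f["sublayer"] == sublayer]
    return sorted(sel, key=lambda f: f["weight"], reverse=True)


def _remote_matches(f, addr):
    """Only FWPM_CONDITION_IP_REMOTE_ADDRESS is checked; every other condition (profile,
    address type, ports) is assumed to match. This is a simplification of WFP matching."""
    for field, match, value in f["conditions"]:
        if field != "FWPM_CONDITION_IP_REMOTE_ADDRESS":
            continue
        if match == "FWP_MATCH_EQUAL" and addr != ipaddress.ip_address(value):
            return False
        if match == "FWP_MATCH_RANGE" and not (
                ipaddress.ip_address(value[0]) <= addr <= ipaddress.ip_address(value[1])):
            return False
    return True


def winning_filter(filters, layer, sublayer, remote_ip):
    """First PERMIT/BLOCK filter, in weight order, whose remote-address condition matches;
    within a sublayer evaluation stops at the first such hit."""
    addr = ipaddress.ip_address(remote_ip)
    for f in evaluation_order(filters, layer, sublayer):
        if f["action"] in TERMINATING and _remote_matches(f, addr):
            return f
    return None


if __name__ == "__main__":
    flt = load_filters(sys.argv[1]) if len(sys.argv) > 1 else parse_filters(SAMPLE_WFPSTATE)
    layer, sub = "FWPM_LAYER_INBOUND_TRANSPORT_V4", "FWPM_SUBLAYER_UNIVERSAL"
    for f in evaluation_order(flt, layer, sub):
        print(f"{f['weight']:>20}  {f['action']:<18} {f['name']}")
    for ip in ("192.168.10.1", "192.168.10.50", "10.1.1.1"):
        w = winning_filter(flt, layer, sub, ip)
        print(ip, "->", w["name"] if w else "no terminating match")
```

Run it as `python wfp_order.py wfpstate.xml` against the file `netsh wfp show state` writes in the current directory, or with no argument to use the embedded sample. On the sample, the host filter sorts above the /24 filter purely because of its larger effectiveWeight, so 192.168.10.1 is terminated by the host filter and 192.168.10.50 by the subnet filter; a real dump answers the original question the same way, by reading the weight WFP actually assigned rather than guessing from the rule's shape.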
