Integrity-protected vs encrypted in IPSec policy
When setting up an IPSec security policy, I can specify a filter action that requires integrity and encryption. The label under this option states "Data will be encrypted, verified as authentic, and unmodified". In Windows Firewall with Advanced Security, I can specify an inbound IPSec rule that is authenticated, integrity protected, AND ENCRYPTED. The label reads: require privacy in addition to integrity and authentication. My question is, what is the difference between the encryption in the security policy and the encryption in Windows Firewall? Is the local security policy encrypting only the authentication data but not the information in the IP packet? I'm a little confused.
June 1st, 2011 6:11pm

Hi rickbud7,

Thank you for your post. On Windows 2008, IPSec rules can be applied through the IPSec security policy in GP or through connection security rules in WFAS. Connection security rules enhance the IPSec function of the IPSec security policy. They can work together between a 2008-based computer and a 2003-based computer.

When you configure a firewall inbound rule on the "Allow the connection if it is authenticated and integrity-protected" interface, you can click the "Learn more about these settings" link. The link shows:

Allow the connection if it is authenticated and integrity-protected: This is the default option. Use this option to require that all matching network packets use both IPSec authentication and integrity algorithms as defined in a separate connection security rule. If a network packet matching all other criteria is neither authenticated nor protected with an integrity algorithm, then it does not match this rule and is blocked.

That explains that when traffic comes to Windows 2008, it checks the firewall inbound rule and then checks the connection security rules. There are no IPSec configuration details in the firewall inbound rule. When no connection security rule fits the incoming IPSec traffic, the incoming packet will be dropped. The local security policy should encrypt and verify both the authentication and the information data. Please refer to KB942957 for the IPSec details of the IPSec security policy and connection security rules.

Regards,
Rick Tan
June 2nd, 2011 10:06am
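
The split described in the reply above (the inbound firewall rule only states the requirement, while a separate connection security rule carries the IPSec algorithms) can be seen in how the two rules are created with netsh. This is an added example, not part of the original thread; the rule names, TCP port 445 and the SHA-1/AES-128 choices are constructed for illustration, and it assumes domain-joined hosts so that computer Kerberos authentication works.

```powershell
# Run from an elevated prompt. Apply ONE of the two pairs below, not both.

# --- Pair A: authenticated and integrity-protected only -------------------
# Connection security rule: ESP with a SHA-1 integrity check and no cipher
# ("none"), so the payload is signed but still readable on the wire.
netsh advfirewall consec add rule name="Example-IPsec-IntegrityOnly" `
    endpoint1=any endpoint2=any action=requestinrequestout `
    auth1=computerkerb qmsecmethods=esp:sha1-none

# Inbound firewall rule: carries no algorithms of its own. It only says that
# matching packets must have been authenticated by a connection security rule.
netsh advfirewall firewall add rule name="Example-Allow445-Authenticated" `
    dir=in action=allow protocol=TCP localport=445 security=authenticate

# --- Pair B: authenticated, integrity-protected and encrypted -------------
# Connection security rule: ESP with SHA-1 integrity AND AES-128 encryption.
netsh advfirewall consec add rule name="Example-IPsec-Encrypted" `
    endpoint1=any endpoint2=any action=requestinrequestout `
    auth1=computerkerb qmsecmethods=esp:sha1-aes128

# Inbound firewall rule: "require privacy in addition to integrity and
# authentication". Packets protected only by esp:sha1-none do not match it.
netsh advfirewall firewall add rule name="Example-Allow445-Encrypted" `
    dir=in action=allow protocol=TCP localport=445 security=authenc

# --- Check what was actually negotiated -----------------------------------
# Lists the quick mode security associations, including the ESP integrity
# and encryption algorithms in use with each peer.
netsh advfirewall monitor show qmsa
```

If the firewall rule uses security=authenc while the only connection security rule offers esp:sha1-none, traffic to the port is blocked, which is the mismatch to look for when an encrypted rule appears to drop everything.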
