IPsec quick mode not encrypting payload when using certificate as authentication
The admin before me set up a connection security rule for our Domain Controllers to request incoming and outgoing authentication using a computer certificate on all traffic (i.e. all interfaces, addresses etc.). The IPsec Settings tab -> IPsec Defaults is set to Default on all, i.e. key exchange, data protection and authentication. As far as I have understood, the connection security rule overrides the authentication method in the IPsec settings, i.e. it uses certificates instead of Kerberos. But shouldn't the default data protection setting kick in and use ESP payload encryption on the messages even though another authentication method is used? The DCs negotiate and authenticate each other, but when I watch the quick mode SAs (in the Advanced Firewall snap-in) the ESP Encryption field says None on both DCs. This is on Server 2008 R2 Standard SP1.
September 26th, 2012 4:26am

I'll answer my own question after reading up a little bit more last night. By default, connection security rules do not encrypt data; they protect against spoofing, altered data and replay attacks, i.e. authentication and data integrity. To turn on encryption for connection security rules you have to open the advanced firewall properties, go to the IPsec Settings tab, choose Customize, choose the Advanced radio button under the "Data protection" heading and click Customize, then mark the checkbox "Require encryption for all connection security rules that use these settings." That said, the recommended way is to leave connection security rules at their default settings and use IPsec policies if you need to encrypt data. This recommendation comes from the MS Self-Paced Training Kit for exam 70-642 (which is a good book I can recommend), page 274.
September 27th, 2012 4:42am
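As an added example (not part of the original thread), here is the same diagnosis and fix done from the command line on a 2008 R2 DC. The IPsec cmdlets in the NetSecurity module only arrived with Server 2012, so this is PowerShell wrapping netsh advfirewall, which is what 2008 R2 offers. The rule name and CA distinguished name are placeholders; substitute your own. Rather than the global "Require encryption" checkbox the answer describes, it gives the one rule an explicit quick mode proposal that includes ESP encryption, which is the per-rule way of stopping the integrity-only default from being negotiated.

```powershell
# Added example, not code from the original thread. Assumed values below.
$RuleName = 'DC IPsec'                                  # hypothetical name of the existing rule
$IssuerCA = 'CN=Contoso Root CA, DC=contoso, DC=com'    # hypothetical issuing CA (only needed if recreating the rule)

# 1. Show the rule as it stands. With IPsec Defaults left at "Default", the
#    quick mode methods shown here carry integrity only and no ESP encryption,
#    which is why the snap-in reports ESP Encryption = None.
netsh advfirewall consec show rule name="$RuleName" verbose

# 2. Show the live quick mode SAs between this DC and its peers. This is the
#    data the snap-in's Quick Mode view renders; check it before and after.
netsh advfirewall monitor show qmsa

# 3. Pin an explicit quick mode proposal on the rule. Format is
#    esp:<integrity>-<encryption>+<lifetime minutes>+<lifetime KB>.
#    The authentication method (computer certificate) is untouched.
netsh advfirewall consec set rule name="$RuleName" new `
    qmsecmethods="esp:sha256-aes256+60min+100000kb"

# 4. Re-check after fresh traffic between the DCs (existing SAs are not
#    renegotiated until they expire or are cleared).
netsh advfirewall monitor show qmsa
```

Run step 3 on both DCs (or ship the rule through Group Policy) before expecting encrypted SAs: if only one side offers an ESP-with-encryption proposal and the other still offers the integrity-only default, quick mode has no common method and the connection fails instead of silently staying unencrypted, which is the failure mode you want to have planned for during the change window. If you would rather recreate the rule than edit it, `netsh advfirewall consec add rule` takes the same `qmsecmethods=` argument together with `auth1=computercert auth1ca="$IssuerCA"` and `action=requestinrequestout`.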

