Specifying the computer's IPsec settings
Configure the computer's IPsec SA settings, so that they exactly match the machine's security level on the machine. Setting methods differ according to the computer's operating system. The example procedure shown here uses Windows 10 when the "Authentication and Low Level Encryption" security level is selected.
Right-click the [Start] button, click [Control Panel], [System and Security], and then [Administrative Tools].
Under Windows 7, click the [Start] button, and click [Control Panel], [System and Security], and then [Administrative Tools].
Under Windows 8, hover the mouse pointer over the top- or bottom-right corner of the screen, and then click [Settings], [Control Panel], [System and Security], and then [Administrative Tools].
Double-click [Local Security Policy].
If the "User Account Control" dialog box appears, click [Yes].
Right-click [IP Security Policies on Local Computer].
Under Windows 7/8, double-click [IP Security Policies on Local Computer].
Click [Create IP Security Policy].
Under Windows 7/8, click [Create IP Security Policy] in the "Action" menu.
The IP Security Policy Wizard appears.
Click [Next].
Enter a security policy name in "Name", and then click [Next].
Clear the "Activate the default response rule" check box, and then click [Next].
Select "Edit properties", and then click [Finish].
In the "General" tab, click [Settings].
In "Authenticate and generate a new key after every", enter the same validity period (in minutes) that is specified on the machine in "Encryption Key Auto Exchange SettingsPhase 1", and then click [Methods].
Check that the hash algorithm ("Integrity"), encryption algorithm ("Encryption") and "Diffie-Hellman Group" settings in "Security method preference order" all match those specified on the machine in "Encryption Key Auto Exchange SettingsPhase 1".
If the settings are not displayed, click [Add].
Click [OK] twice.
Click [Add] in the "Rules" tab.
The Security Rule Wizard appears.
Click [Next].
Select "This rule does not specify a tunnel", and then click [Next].
Select the type of network for IPsec, and then click [Next].
Click [Add] in the IP Filter List.
In [Name], enter an IP Filter name, and then click [Add].
The IP Filter Wizard appears.
Click [Next].
If required, enter a description of the IP filter, and then click [Next].
Select "My IP Address" in "Source address", and then click [Next].
Select "A specific IP Address or Subnet" in "Destination address", enter the machine's IP address, and then click [Next].
Select the protocol type for IPsec, and then click [Next].
If you select "TCP" or "UDP", specify both source and destination ports, and then click [Next].
Click [Finish].
Click [OK].
Select the IP filter that was just created, and then click [Next].
Click [Add].
Filter action wizard appears.
Click [Next].
In [Name], enter an IP Filter action name, and then click [Next].
Select "Negotiate security", and then click [Next].
Select "Allow unsecured communication if a secure connection cannot be established.", and then click [Next].
Select "Custom" and click [Settings].
In "Integrity algorithm", select the authentication algorithm that was specified on the machine in "Encryption Key Auto Exchange SettingsPhase 2".
In "Encryption algorithm", select the encryption algorithm that specified on the machine in "Encryption Key Auto Exchange SettingsPhase 2".
In "Session key settings", select "Generate a new key every", and enter the validity period (in seconds) that was specified on the machine in "Encryption Key Auto Exchange SettingsPhase 2".
Click [OK].
Click [Next].
Click [Finish].
Select the filter action that was just created, and then click [Next].
If you set "Encryption Key Auto Exchange Settings" to "Authentication and High Level Encryption", select the IP filter action that was just created, click [Edit], and then check "Use session key perfect forward secrecy (PFS)" on the filter action properties dialog box. If using PFS in Windows, the PFS group number used in phase 2 is automatically negotiated in phase 1 from the Diffie-Hellman group number (set in Step 11). Consequently, if you change the security level specified automatic settings on the machine and “User Setting” appears, you must set the same the group number for "Phase 1Diffie-Hellman Group" and "Phase 2PFS" on the machine to establish IPsec transmission.
Select the authentication method, and then click [Next].
If you select "Certificate" for authentication method in "Encryption Key Auto Exchange Settings" on the machine, specify the device certificate. If you select "PSK", enter the same PSK text specified on the machine with the pre-shared key.
Click [Finish].
If you are using IPv6, you must repeat this procedure from Step 13 and add ICMPv6 as an exception.
When you reach step 23, select [58] as the protocol number for the "Other" target protocol type, and then set [Negotiate security] to [Permit].
Click [OK].
The new IP security policy (IPsec settings) is specified.
Select the security policy that was just created, right-click, and then click [Assign].
The computer's IPsec settings are enabled. If you click [Un-assign], the computer's IPsec settings are disabled.