Specifying IPsec settings on the computer

Specify IPsec SA settings on your computer that exactly match the settings determined by the security level selected on the machine. The setting method differs according to the computer's operating system. The example procedure shown here uses Windows XP with the "Authentication and Low Level Encryption" security level selected on the machine.

1. On the [Start] menu, click [Control Panel], click [Performance and Maintenance], and then click [Administrative Tools].

2. Click [Local Security Policy].

3. Click [IP Security Policies on Local Computer].

4. In the "Action" menu, click [Create IP Security Policy].

The IP Security Policy Wizard appears.

5. Click [Next].

6. Enter a security policy name in "Name", and then click [Next].

7. Clear the "Activate the default response rule" check box, and then click [Next].

8. Select "Edit properties", and then click [Finish].

9. In the "General" tab, click [Advanced].

10. In "Authenticate and generate a new key after every", enter the same validity period (in minutes) that is specified on the machine in Encryption Key Auto Exchange Settings Phase 1, and then click [Methods].

11. Confirm that the combination of hash algorithm (on Windows XP, "Integrity"), encryption algorithm (on Windows XP, "Encryption"), and Diffie-Hellman group in "Security method preference order" matches the settings specified on the machine in Encryption Key Auto Exchange Settings Phase 1.

12. If the settings are not displayed, click [Add].

13. Click [OK] twice.

14. Click [Add] in the "Rules" tab.

The Security Rule Wizard appears.

15. Click [Next].

16. Select "This rule does not specify a tunnel", and then click [Next].

17. Select the type of network for IPsec, and then click [Next].

18. Select the "initial authentication method", and then click [Next].

19. If "Certificate" is selected as the authentication method in Encryption Key Auto Exchange Settings on the machine, specify the device certificate. If PSK is selected, enter the same pre-shared key text that is specified on the machine.

20. Click [Add] in the IP Filter List.

21. In [Name], enter an IP filter name, and then click [Add].

The IP Filter Wizard appears.

22. Click [Next].

23. Select "My Address" in "Source Address", and then click [Next].

24. Select "A specific IP address" in "Destination Address", enter the machine's IP address, and then click [Next].

25. Select the protocol type for IPsec, and then click [Next].

26. Click [Finish].

27. Click [OK].

28. Select the IP filter that was just created, and then click [Next].

29. Select the IPsec security filter, and then click [Edit].

30. Click [Add], select the "Custom" check box, and then click [Settings].

31. In "Integrity algorithm", select the authentication algorithm that was specified on the machine in Encryption Key Auto Exchange Settings Phase 2.

32. In "Encryption algorithm", select the encryption algorithm that was specified on the machine in Encryption Key Auto Exchange Settings Phase 2.

33. In Session Key settings, select "Generate a new key every", and enter the validity period (in seconds) that was specified on the machine in Encryption Key Auto Exchange Settings Phase 2.

34. Click [OK] three times.

35. Click [Next].

36. Click [Finish].

37. Click [OK].

38. Click [Close].

The new IP security policy (IPsec settings) is specified.

39. Select the security policy that was just created, right-click, and then click [Assign].

IPsec settings on the computer are enabled.

Note

  • To disable the computer's IPsec settings, select the security policy, right-click, and then click [Un-assign].

  • If you specify the "Authentication and High Level Encryption" security level in Encryption Key Auto Exchange Settings, also select the "Master key perfect forward secrecy (PFS)" check box in the Security Filter Properties screen (which appears in step 29). When PFS is used on Windows XP, the PFS group number used in phase 2 is negotiated automatically in phase 1 from the Diffie-Hellman group number (set in step 11). Consequently, if you change the settings that the security level specified automatically on the machine and "User Setting" appears, you must set the same group number for "Phase 1 Diffie-Hellman Group" and "Phase 2 PFS" on the machine in order to establish IPsec transmission.
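The same policy the wizard builds in steps 1 to 39, expressed as an added "netsh ipsec static" script (this is not from the manual or the machine vendor; it assumes Windows XP SP2 or later, where the netsh ipsec context exists). The policy name, IP address, PSK and algorithm strings marked SAMPLE are constructed placeholders and must be replaced with what Encryption Key Auto Exchange Settings Phase 1 and Phase 2 show on the machine; the qmpfs comment reflects the PFS note above as an assumed mapping to the netsh parameter.

```batch
@echo off
rem Added example: Windows XP IPsec policy for the machine via netsh instead of the MMC wizard.
setlocal

rem SAMPLE values: replace with the machine's own settings.
set POLICY=MFP-IPsec
set MACHINE_IP=192.0.2.10
set PSK=replace-with-the-machine-psk

rem Phase 1 (steps 10-11): lifetime in MINUTES; method = Encryption-Integrity-DHgroup
set MM_LIFETIME=480
set MM_METHODS=3DES-SHA1-2

rem Phase 2 (steps 31-33): ESP[Encryption,Integrity] with lifetime in SECONDS
set QM_METHODS=ESP[3DES,SHA1]:3600s

rem Policy with the default response rule cleared (step 7) and the Phase 1 settings
netsh ipsec static add policy name="%POLICY%" activatedefaultrule=no ^
    mmlifetime=%MM_LIFETIME% mmsecmethods="%MM_METHODS%" mmpfs=no

rem Filter list: my address to the machine's address, any protocol (steps 20-27);
rem mirrored=yes also matches the machine's replies
netsh ipsec static add filterlist name="%POLICY%-filters"
netsh ipsec static add filter filterlist="%POLICY%-filters" srcaddr=me ^
    dstaddr=%MACHINE_IP% protocol=ANY mirrored=yes

rem Filter action: negotiate ESP with the Phase 2 settings (steps 29-34).
rem soft=no refuses fallback to cleartext if negotiation fails.
rem For "Authentication and High Level Encryption" set qmpfs=yes (assumed
rem equivalent of the PFS check box in the note); then Phase 1 DH group and
rem Phase 2 PFS group on the machine must be identical.
netsh ipsec static add filteraction name="%POLICY%-negotiate" action=negotiate ^
    qmsecmethods="%QM_METHODS%" qmpfs=no inpass=no soft=no

rem Rule: no tunnel (step 16), pre-shared key authentication (steps 18-19)
netsh ipsec static add rule name="%POLICY%-rule" policy="%POLICY%" ^
    filterlist="%POLICY%-filters" filteraction="%POLICY%-negotiate" ^
    kerberos=no psk="%PSK%"

rem Assign the policy (step 39); assign=no is the equivalent of [Un-assign]
netsh ipsec static set policy name="%POLICY%" assign=yes

rem Display the stored policy so each value can be checked against the machine
netsh ipsec static show policy name="%POLICY%"
endlocal
```

A pre-shared key given this way is stored in cleartext in the local policy store and in the script file, so use certificate authentication (the "Certificate" option in step 19) where the machine supports it.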