Configure the computer's IPsec SA settings, so that they exactly match the machine's security level on the machine. Setting methods differ according to the computer's operating system. The example procedure shown here uses Windows 7 when the "Authentication and Low Level Encryption" security level is selected.
On the [Start] menu, click [Control Panel], click [System and Security], and then click [Administrative Tools].
Under Windows 8, hover the mouse pointer over the top- or bottom-right corner of the screen, and then click [Settings], [Control Panel], [System and Security], and then [Administrative Tools].
Under Windows 10, right-click the [Start] button, click [System and Security], and then click [Administrative Tools].
Double-click [Local Security Policy].
If the "User Account Control" dialog box appears, click [Yes].
Double-click [IP Security Policies on Local Computer].
In the "Action" menu, click [Create IP Security Policy].
The IP Security Policy Wizard appears.
Click [Next].
Enter a security policy name in "Name", and then click [Next].
Clear the "Activate the default response rule" check box, and then click [Next].
Select "Edit properties", and then click [Finish].
In the "General" tab, click [Settings].
In "Authenticate and generate a new key after every", enter the same validity period (in minutes) that is specified on the machine in "Encryption Key Auto Exchange Settings Phase 1", and then click [Methods].
Check that the hash algorithm ("Integrity"), encryption algorithm ("Encryption") and "Diffie-Hellman Group" settings in "Security method preference order" all match those specified on the machine in "Encryption Key Auto Exchange Settings Phase 1".
If the settings are not displayed, click [Add].
Click [OK] twice.
Click [Add] in the "Rules" tab.
The Security Rule Wizard appears.
Click [Next].
Select "This rule does not specify a tunnel", and then click [Next].
Select the type of network for IPsec, and then click [Next].
Click [Add] in the IP Filter List.
In [Name], enter an IP Filter name, and then click [Add].
The IP Filter Wizard appears.
Click [Next].
If required, enter a description of the IP filter, and then click [Next].
Select "My IP Address" in "Source address", and then click [Next].
Select "A specific IP Address or Subnet" in "Destination address", enter the machine's IP address, and then click [Next].
Select the protocol type for IPsec, and then click [Next].
If you are using IPsec with IPv6, select "58" as the protocol number for the "Other" target protocol type.
If you select "TCP" or "UDP", specify both source and destination ports, and then click [Next].
Click [Finish].
Click [OK].
Select the IP filter that was just created, and then click [Next].
Click [Add].
Filter action wizard appears.
Click [Next].
In [Name], enter an IP Filter action name, and then click [Next].
Select "Negotiate security", and then click [Next].
Select "Allow unsecured communication if a secure connection cannot be established.", and then click [Next].
Select "Custom" and click [Settings].
In "Integrity algorithm", select the authentication algorithm that was specified on the machine in "Encryption Key Auto Exchange Settings Phase 2".
In "Encryption algorithm", select the encryption algorithm that specified on the machine in "Encryption Key Auto Exchange Settings Phase 2".
In "Session key settings", select "Generate a new key every", and enter the validity period (in seconds) that was specified on the machine in "Encryption Key Auto Exchange Settings Phase 2".
Click [OK].
Click [Next].
Click [Finish].
Select the filter action that was just created, and then click [Next].
If you set "Encryption Key Auto Exchange Settings" to "Authentication and High Level Encryption", select the IP filter action that was just created, click [Edit], and then check "Use session key perfect forward secrecy (PFS)" on the filter action properties dialog box. If using PFS in Windows, the PFS group number used in phase 2 is automatically negotiated in phase 1 from the Diffie-Hellman group number (set in Step 11). Consequently, if you change the security level specified automatic settings on the machine and “User Setting” appears, you must set the same the group number for "Phase 1 Diffie-Hellman Group" and "Phase 2 PFS" on the machine to establish IPsec transmission.
Select the authentication method, and then click [Next].
If you select "Certificate" for authentication method in "Encryption Key Auto Exchange Settings" on the machine, specify the device certificate. If you select "PSK", enter the same PSK text specified on the machine with the pre-shared key.
Click [Finish].
Click [OK].
The new IP security policy (IPsec settings) is specified.
Select the security policy that was just created, right-click, and then click [Assign].
The computer's IPsec settings are enabled.
To disable the computer's IPsec settings, select the security policy, right-click, and then click [Un-assign].