Where in the World are the IPSec Policies?
Admin wants to know how IPsec policies can be configured.
I'd like to configure a persistent IP Security (IPSec) policy on my Windows Server 2003 that takes effect if other policies are not available. I can't find the option in the IPSec Policy Management Console. How can I configure this option?
— Name Withheld
A persistent IPSec policy can be useful in securing a computer when a local or a domain-based IPSec policy cannot be applied (for example, when it's corrupted). However, a persistent policy doesn't override the local or domain-based policy; it's only used when other policies are not available. Before I address the answer, let me describe a couple of tools that are related to IPSec configuration: IPSecPol.exe and netsh.
The Windows 2000 Server Resource Kit contains a command-line utility called IPSecPol.exe that can be used to configure IPSec in Active Directory or in the registry (either local or remote). You can run IPSecPol.exe either in the default dynamic mode or in static mode; the two modes are mutually exclusive. You can use the dynamic mode if your computer is using a domain policy and you want to communicate securely using IPSec with computers that are not covered by the domain policy.
In Windows Server 2003, the IPSec options in the netsh utility replace the IPSecPol.exe tool. Netsh is a command-line utility that can come in handy if you want to automate the IPSec configuration. You cannot configure persistent IPSec policies in the IPSec Policy Management Console, as you have already discovered. You must use the netsh command for persistent IPSec policies. By the way, although netsh can be used in Windows XP, you won't find the IPSec options for netsh in Windows XP because they are only available in Windows Server 2003.
In Windows Server 2003, you can use "netsh ipsec static" commands to create, modify, or assign IPSec policies without affecting your active IPSec policy. If you want to affect the active IPSec policy immediately, use the "netsh ipsec dynamic" commands instead.
You can use the netsh command-line tool to create a persistent policy by using the following command:
netsh ipsec static set store location=persistent
This policy will be applied before the local or domain-based policy to keep your computer secure. However, if a local policy or a domain-based policy in Active Directory is available, the persistent IPSec policy will not be used. It will only be used when the other policies are not available.
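The command above only selects the persistent store; it does not by itself create anything in it. The batch script below is an added example (not from the column) that goes one step further and shows the full sequence of "netsh ipsec static" commands that populate that store with a complete fallback policy: a filter list, a filter, a filter action, a rule and an assigned policy. All object names and the chosen port (inbound TCP 23) are constructed values for illustration; the command names and parameters are the standard netsh ipsec static syntax on Windows Server 2003.

```batch
@echo off
rem Added example, not code from the column. Builds a minimal persistent
rem IPSec policy on Windows Server 2003 with "netsh ipsec static".
rem Policy, filter list, filter action and rule names, and the blocked
rem port (TCP 23, inbound Telnet) are constructed values for illustration.

rem 1. Point every following static command at the persistent store, so the
rem    objects created here survive reboots and are applied when neither a
rem    local nor a domain-based policy can be loaded.
netsh ipsec static set store location=persistent

rem 2. Create the policy object; leave it unassigned until the rule exists.
netsh ipsec static add policy name="Persistent Baseline" description="Fallback policy used only when local/domain IPSec policy is unavailable" assign=no

rem 3. A filter list with one mirrored filter: any source to this host, TCP port 23.
netsh ipsec static add filterlist name="Inbound Telnet" description="TCP 23 to this computer"
netsh ipsec static add filter filterlist="Inbound Telnet" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=23 mirrored=yes description="Block inbound Telnet"

rem 4. A filter action that drops matching traffic without negotiating security.
netsh ipsec static add filteraction name="Block Traffic" action=block

rem 5. Tie the filter list and action into the policy with a rule, then assign the policy.
netsh ipsec static add rule name="Block Telnet Rule" policy="Persistent Baseline" filterlist="Inbound Telnet" filteraction="Block Traffic" description="Drop inbound Telnet when no other policy applies"
netsh ipsec static set policy name="Persistent Baseline" assign=yes

rem 6. Verify what the persistent store now contains.
netsh ipsec static show all
```

Run the script from a command prompt as a member of the local Administrators group. Because the persistent store is not visible in the IPSec Policy Management Console, "netsh ipsec static show all" (with the store still set to persistent) is the way to audit what is actually there; once you are done, switch the store back with "netsh ipsec static set store location=local" so that later static commands do not silently land in the persistent store.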
If you know of any other tools to configure IPSec persistent policies that you would like to share, or if you are aware of any other workarounds, I would love to hear from you. You can contact me at firstname.lastname@example.org.
Zubair Alexander, MCSE, MCT, MCSA and Microsoft MVP, is the founder of SeattlePro Enterprises, an IT training and consulting business. His experience covers a wide spectrum: trainer, consultant, systems administrator, security architect, network engineer, author, technical editor, college instructor and public speaker. Zubair holds more than 25 technical certifications and Bachelor of Science degrees in Aeronautics & Astronautics Engineering, Mathematics and Computer Information Systems. His Web site, www.techgalaxy.net, is dedicated to technical resources for IT professionals. Zubair may be reached at email@example.com.