Can vista pass traffic in clear when security connection rule is u - Network


  1. Can vista pass traffic in clear when security connection rule is u

    I configured a security connection rule in the Windows Firewall with Advanced
    Security snap-in and was able to establish IPSec SAs with another device. It
    looks like the connection rule applies to all traffic and can't be configured
    based on protocol or port (please confirm it's true). Now I hope to bypass
    certain traffic (on some destination port) in clear text. I tried using the
    firewall part to add an inbound and an outbound rule to allow traffic to go
    through, but it ends up that traffic is still encrypted using IPSec, and there
    is no difference whether the inbound/outbound rules are configured as "require
    security" or "allow connection"; they behaved the same as when no firewall
    rules are added for the specific port. IPSec applies to all traffic. Is this
    the correct behavior, or did I misconfigure something? Thanks!

    Tinghua

  2. RE: Can vista pass traffic in clear when security connection rule is u

    Hi Tinghua, you need to use netsh advfirewall consec rules to define protocol-
    and port-specific IPsec rules. Protocol- and port-specific rules are not
    supported in the WFAS GUI. Think of the WFAS GUI as a tool to address a
    particular limited IPsec scenario, e.g. domain isolation, instead of a
    full-featured IPsec policy editor.

    You can still use the MMC IPsec Policy Management snap-in (but not the
    default response rule) and apply both a WFAS IPsec policy and a legacy
    policy. The two should merge. But in the MMC IPsec Monitor snap-in and netsh
    ipsec dynamic show all you will not see the newer WFAS policy filters. There
    are no tools available yet to show all the policy filters from both WFAS and
    legacy policy.

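    A worked example of what Bill describes, added here and not part of the thread: connection security rules scoped by protocol and port with netsh advfirewall consec, so that only the listed ports require IPsec and every other port is left unmatched and passes in the clear. The rule names, the peer address 192.0.2.10 and the ports 445/3389 are constructed placeholders, and Kerberos computer authentication (auth1=computerkerb) assumes both machines are domain-joined.

```powershell
# Added example, not from the thread. Run in an elevated prompt on the Vista host.
# Assumptions: peer 192.0.2.10 is a constructed placeholder; both machines are
# domain-joined so Kerberos computer authentication (computerkerb) succeeds.

# 1. Find and remove the catch-all rule created in the WFAS GUI. A rule with
#    protocol=any and port2=any is what makes IPsec apply to every packet.
#    "GUI-catch-all" stands in for whatever that rule is actually named.
netsh advfirewall consec show rule name=all
netsh advfirewall consec delete rule name=GUI-catch-all

# 2. Require IPsec in both directions only for SMB (TCP 445) to the peer.
#    port1 is the local port, port2 the remote port; a protocol must be given
#    whenever ports are given.
netsh advfirewall consec add rule name=IPsec-SMB-to-peer `
    endpoint1=any endpoint2=192.0.2.10 protocol=tcp port1=any port2=445 `
    action=requireinrequireout auth1=computerkerb enable=yes

# 3. Same for RDP (TCP 3389). Traffic to a port no consec rule matches
#    (for example TCP 80) is never negotiated and goes out in the clear,
#    so no separate "exempt" rule is needed for the ports you want unprotected.
netsh advfirewall consec add rule name=IPsec-RDP-to-peer `
    endpoint1=any endpoint2=192.0.2.10 protocol=tcp port1=any port2=3389 `
    action=requireinrequireout auth1=computerkerb enable=yes

# 4. Verify: the rule listing should show the protocol/port fields set, and
#    quick-mode SAs should appear only once 445 or 3389 traffic flows.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show qmsa
```

    A matching rule is needed on the peer as well; with action=requireinrequireout a mismatch shows up as a failed connection on the protected ports rather than as clear-text traffic, which is the safer failure mode.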


  3. RE: Can vista pass traffic in clear when security connection rule

    Hi Bill

    Thanks a lot! That really helps.

    Tinghua


