Before you start to configure IPSec, you should be aware of the following.
Before you create and apply IPSec policies to block ports and protocols, make sure you know which communication you need to secure, including the ports and protocols used by day-to-day operations. Consider the protocol and port requirements for remote administration, application communication, and authentication.
Several types of IP traffic are exempt from filtering. For more information, see Microsoft Knowledge Base article 253169, "Traffic That Can and Cannot Be Secured by IPSec."
If a firewall separates two hosts that use IPSec to secure the communication channel, the firewall must open the following ports:
TCP port 50 for IPSec Encapsulating Security Protocol (ESP) traffic
TCP port 51 for IPSec Authentication Header (AH) traffic
UDP port 500 for Internet Key Exchange (IKE) negotiation traffic
An IPSec policy consists of a set of filters, filter actions, and rules.
Filters
A filter is used to match traffic. It consists of:
A source IP address or range of addresses
A destination IP address or range of addresses
An IP protocol, such as TCP, UDP, or "any"
Source and destination ports (for TCP or UDP only)
Note: An IP filter list is used to group multiple filters together so that multiple IP addresses and protocols can be combined into a single filter.
Filter Actions
A filter action specifies which actions to take when a given filter is invoked. It can be one of the following:
Permit. The traffic is not secured; it is allowed to be sent and received without intervention.
Block. The traffic is not permitted.
Negotiate security. The endpoints must agree on and then use a secure method to communicate. If they cannot agree on a method, the communication does not take place. For the case where negotiation fails, you can specify whether to allow unsecured communication or whether all communication should be blocked.
Rules
A rule associates a filter with a filter action and is defined by the IPSec policy.
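As an added illustration that is not part of the original page, the following Python models the filter, filter-action and rule structure described above and evaluates constructed packets against a constructed sample policy; the server address 192.0.2.10, the rules themselves, and the first-match ordering are assumptions of this model, not Windows IPSec behaviour.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Filter:
    """One filter: address ranges, protocol and (TCP/UDP only) ports; port 0 = any."""
    src: str                 # address or CIDR range
    dst: str
    protocol: str            # "tcp", "udp" or "any"
    src_port: int = 0
    dst_port: int = 0

    def matches(self, pkt: dict) -> bool:
        if (ip_address(pkt["src"]) not in ip_network(self.src, strict=False)
                or ip_address(pkt["dst"]) not in ip_network(self.dst, strict=False)):
            return False
        if self.protocol != "any" and self.protocol != pkt["proto"]:
            return False
        if self.protocol in ("tcp", "udp"):   # ports only apply to TCP/UDP filters
            if self.src_port and self.src_port != pkt.get("sport"):
                return False
            if self.dst_port and self.dst_port != pkt.get("dport"):
                return False
        return True

@dataclass(frozen=True)
class FilterAction:
    kind: str                                 # "permit", "block" or "negotiate"
    allow_unsecured_on_failure: bool = False  # consulted only when kind == "negotiate"

def evaluate(rules, pkt: dict, peer_negotiates: bool) -> str:
    """Apply the first matching (filter, action) rule; return permit/block/secure."""
    for flt, act in rules:                    # a rule = (filter, filter action)
        if not flt.matches(pkt):
            continue
        if act.kind == "negotiate":
            if peer_negotiates:
                return "secure"
            # negotiation failed: fall back to unsecured traffic or block it
            return "permit" if act.allow_unsecured_on_failure else "block"
        return act.kind
    return "permit"   # nothing matched: traffic passes unfiltered

# Constructed sample policy for a server at 192.0.2.10 (documentation address).
RULES = [
    (Filter("0.0.0.0/0", "192.0.2.10", "tcp", dst_port=3389), FilterAction("negotiate")),
    (Filter("10.0.0.0/8", "192.0.2.10", "any"), FilterAction("negotiate", True)),
    (Filter("0.0.0.0/0", "192.0.2.10", "tcp", dst_port=445), FilterAction("block")),
]
```

Real Windows IPSec selects the most specific matching filter rather than the first one listed, so ordering in this model is a simplification.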