Forcing use of ipsec


Tobias Lohner

Hello,

is there a way to force Win 2k to use IPsec for communicating with other
computers through a VPN gateway? In my current configuration the clients
within the same subnet can communicate unsecured with each other.

Tobias
 
An IPSec Policy can do this.

You must set a policy in such a way (like subnet masks) that
you allow communication unsecured with the stations that
do not require it and require IPSec on others.

You can write three types of IPSec filters, Block (no communication),
Pass (no IPsec), or Negotiate (and there are three types of this...)

IPSec policies can be Require (IPSec or no comms), Request (attempt
to use IPSec but continue anyway), or Respond (IPSec only if asked
by partner.)

To do IPSec at least one of the two stations must Require/Request and
the other must use at least Respond.
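
A simplified model of the pairing rule described in the reply above, added here as an example and not part of the original thread: it reports which station pairs would still exchange unprotected traffic. The "none" mode (no policy assigned), the host names and the sample subnet are assumptions constructed for illustration.

```python
from itertools import combinations

# Policy modes as named in the reply above; "none" (no policy assigned)
# is an assumption added for this example.
INITIATES = {"require", "request"}        # will start an IPsec negotiation
SPEAKS_IPSEC = INITIATES | {"respond"}    # can complete one if asked


def outcome(a, b):
    """Return 'ipsec', 'cleartext' or 'blocked' for traffic between two stations."""
    for mode in (a, b):
        if mode not in SPEAKS_IPSEC | {"none"}:
            raise ValueError(f"unknown policy mode: {mode!r}")
    both_capable = a in SPEAKS_IPSEC and b in SPEAKS_IPSEC
    # One side must Require/Request and the other must at least Respond.
    if both_capable and (a in INITIATES or b in INITIATES):
        return "ipsec"
    # Require means "IPsec or no comms": no fallback to cleartext.
    if "require" in (a, b):
        return "blocked"
    # Request falls back, Respond never asks, "none" knows nothing of IPsec.
    return "cleartext"


def cleartext_pairs(hosts):
    """List host pairs whose traffic would travel unprotected."""
    return sorted(
        (x, y) for x, y in combinations(sorted(hosts), 2)
        if outcome(hosts[x], hosts[y]) == "cleartext"
    )


# Constructed sample subnet, not taken from the thread.
SUBNET = {
    "client-a": "respond",
    "client-b": "respond",
    "client-c": "none",
    "gateway": "request",
}

if __name__ == "__main__":
    for pair in cleartext_pairs(SUBNET):
        print("unprotected:", *pair)
```

Two Respond-only clients never negotiate with each other, which matches the situation in the original question; setting every client to Require empties the list.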
 
Tobias,

David is correct - there is no way to delete the "Default Response Rule"
either in the GUI or using IPsecpol.exe.

Here is a very good article which uses Ipsecpol.exe to implement IPsec
policies.
813878 How to Block Specific Network Protocols and Ports by Using IPSec
http://support.microsoft.com/?id=813878

Boyd Benson
Microsoft Technical Support

--------------------
From: "David Beder [MSFT]" <[email protected]>
References: <[email protected]>
 