IP Security Protocol (IPSec) in Windows 2000 is designed to
secure IP traffic between two computers that communicate by using their IP
addresses. It uses filters defined in an IPSec policy to classify IP packets.
After a packet is classified (matched to a filter), the configured filter
action takes place.
IPSec is applied to IP packets as they are sent and
received. Packets are matched against filters when they are being sent
(outbound) to see if they should be secured, blocked, or passed in clear text.
Packets are also matched when they are received (inbound) to see if they should
have been secured, should be blocked, or should be passed (permitted) into the
system in clear text.
By design, the following types of IP traffic
are exempted and cannot be secured by IPSec in Windows 2000:
- Broadcast
Traffic going from one sender to many
receivers that are unknown to the sender. This type of packet cannot be
classified by IPSec filters. For example, a standard class C subnet using
192.168.0.x would have a broadcast address of 192.168.0.255. Your broadcast
address depends on your subnet mask.
- Multicast
As with broadcast traffic, one sender sends
an IP packet to many receivers that are unknown to the sender. These are
addresses in the range from 224.0.0.0 through 239.255.255.255.
- Resource Reservation Protocol (RSVP)
This traffic uses
IP protocol 46 and is used to provide Quality Of Service (QoS) in Windows 2000.
Exemption of RSVP traffic is a requirement to allow QOS markings for traffic
that may be secured by IPSec.
- Internet Key Exchange (IKE)
IKE is a protocol used by
IPSec to securely negotiate security parameters (if the filter action indicates
that security needs to be negotiated) and establish shared encryption keys
after a packet is matched to a filter. Windows 2000 always uses a User Datagram
Protocol (UDP) source and destination port 500 for IKE traffic.
- Kerberos
Kerberos is the core Windows 2000 security
protocol typically used by IKE for IPSec authentication. This traffic uses
TCP or UDP with source and destination port 88. Kerberos is itself a security
protocol that does not need to be secured by IPSec. The Kerberos exemption is
basically this: if a packet is TCP or UDP and has a source or destination port
= 88, permit it.
Note: These exemptions apply to IPSec transport mode filters for
packets that have a source address of the computer that is sending the packet.
IPSec tunnels can secure only unicast IP traffic. IPSec tunnel-mode filters
also cannot process multicast or broadcast packets. If Kerberos, IKE, or RSVP
packets are received on one adapter and routed out of another adapter (by using
packet forwarding or Routing and Remote Access Services), they are not exempt
from IPSec tunnel-mode filters and could be carried inside the tunnel.
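The classification path described above (check the default exemptions first, then match the packet against policy filters and apply the filter action) can be modelled in a few dozen lines. The following is an added example written for this article, not Microsoft code: the packet and filter structures, the local address list, the sample policy and the sample packets are all constructed, and the "first matching filter wins" rule is a simplification of the Windows 2000 driver's most-specific-match behaviour. The tunnel-mode branch encodes the note above: a forwarded Kerberos, IKE or RSVP packet (source address not the computer's own) is not exempt from tunnel-mode filters.

```python
"""Model of Windows 2000 IPSec outbound packet classification: default
exemptions first, then policy filters.  Constructed example, not Microsoft code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple

PROTO_TCP, PROTO_UDP, PROTO_RSVP = 6, 17, 46   # IANA IP protocol numbers
IKE_PORT, KERBEROS_PORT = 500, 88              # ports named in the article
MULTICAST = IPv4Network("224.0.0.0/4")         # 224.0.0.0 - 239.255.255.255
LIMITED_BROADCAST = IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class Packet:                      # hypothetical packet summary
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:                      # hypothetical policy filter
    name: str
    src_net: str                   # e.g. "192.168.0.0/24"
    dst_net: str
    proto: Optional[int] = None    # None = any protocol
    dport: Optional[int] = None    # None = any destination port
    action: str = "negotiate"      # permit | block | negotiate


def exemption(pkt: Packet, local_addrs, local_net: str, mode: str = "transport") -> Optional[str]:
    """Return the default exemption that applies to pkt, or None if the
    policy filters must be consulted.  local_addrs are the sending computer's
    own addresses; local_net is the adapter's subnet (used to derive the
    directed broadcast address); mode is 'transport' or 'tunnel'."""
    dst = IPv4Address(pkt.dst)
    # Broadcast and multicast go to receivers unknown to the sender and cannot
    # be classified by a filter in either mode.
    if dst == IPv4Network(local_net).broadcast_address or dst == LIMITED_BROADCAST:
        return "broadcast"
    if dst in MULTICAST:
        return "multicast"
    if pkt.proto == PROTO_RSVP:
        kind = "rsvp"
    elif pkt.proto == PROTO_UDP and IKE_PORT in (pkt.sport, pkt.dport):
        kind = "ike"
    elif pkt.proto in (PROTO_TCP, PROTO_UDP) and KERBEROS_PORT in (pkt.sport, pkt.dport):
        kind = "kerberos"
    else:
        return None
    # The protocol exemptions cover packets this computer originates.  A
    # forwarded packet (source address not ours) is not exempt from tunnel-mode
    # filters and may end up carried inside the tunnel.
    if mode == "tunnel" and IPv4Address(pkt.src) not in {IPv4Address(a) for a in local_addrs}:
        return None
    return kind


def filter_matches(f: Filter, pkt: Packet) -> bool:
    return (IPv4Address(pkt.src) in IPv4Network(f.src_net)
            and IPv4Address(pkt.dst) in IPv4Network(f.dst_net)
            and (f.proto is None or f.proto == pkt.proto)
            and (f.dport is None or f.dport == pkt.dport))


def classify(pkt: Packet, filters, local_addrs, local_net: str,
             mode: str = "transport") -> Tuple[str, str]:
    """Return (disposition, reason) for an outbound packet."""
    ex = exemption(pkt, local_addrs, local_net, mode)
    if ex is not None:
        return "permit", "exempt:" + ex
    # Simplification: first matching filter wins.  Windows 2000 applies the
    # most specific matching filter, so keep this list most-specific-first.
    for f in filters:
        if filter_matches(f, pkt):
            return f.action, "filter:" + f.name
    return "permit", "no-matching-filter"   # unmatched traffic passes in clear text


# Constructed sample host, policy and traffic.
LOCAL_ADDRS = ["192.168.0.10"]
LOCAL_NET = "192.168.0.0/24"
POLICY = [
    Filter("block-telnet", "192.168.0.0/24", "0.0.0.0/0", PROTO_TCP, 23, "block"),
    Filter("secure-all", "192.168.0.0/24", "0.0.0.0/0", None, None, "negotiate"),
]

if __name__ == "__main__":
    samples = [
        Packet("192.168.0.10", "192.168.0.255", PROTO_UDP, 137, 137),  # NetBIOS broadcast
        Packet("192.168.0.10", "224.0.0.9", PROTO_UDP, 520, 520),      # RIPv2 multicast
        Packet("192.168.0.10", "192.168.0.20", PROTO_UDP, 500, 500),   # IKE
        Packet("192.168.0.10", "192.168.0.1", PROTO_TCP, 1025, 88),    # Kerberos to a DC
        Packet("192.168.0.10", "192.168.0.20", PROTO_TCP, 1026, 23),   # telnet
        Packet("192.168.0.10", "192.168.0.20", PROTO_TCP, 1027, 80),   # HTTP
    ]
    for p in samples:
        print(p.dst, p.proto, p.dport, "->", classify(p, POLICY, LOCAL_ADDRS, LOCAL_NET))
```

The ordering matters for the defender's mental model: the "secure-all" filter would otherwise match the broadcast and multicast packets, but they never reach it, which is exactly why such traffic cannot be secured by policy. Running the same Kerberos packet with a foreign source address through `exemption(..., mode="tunnel")` returns `None`, so it falls through to the tunnel filters as the note describes.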
For more information about the IKE protocol see RFC 2409:
For additional information about RSVP,
click the article number below to view the article in the Microsoft Knowledge Base:
Description of the Resource Reservation Protocol (RSVP)
For more information about Kerberos, see the
"Kerberos V5 Authentication" topic in Windows 2000 Help, and also the technical
documents about Kerberos located at the following Microsoft Web site:
For additional information about the
IPSec feature in Microsoft Windows Server 2003, click the following article
number to view the article in the Microsoft Knowledge Base:
IPSec Default Exemptions Are Removed in Windows Server 2003