Was this page helpful?
Your feedback about this content is important. Let us know what you think.
Additional feedback?
1500 characters remaining
Export (0) Print
Expand All

6 Appendix A: Product Behavior

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include released service packs.

Note: Some of the information in this section is subject to change because it applies to an unreleased, preliminary version of the Windows Server operating system, and thus may differ from the final version of the server software when released. All behavior notes that pertain to the unreleased, preliminary version of the Windows Server operating system contain specific references to Windows Server 2016 Technical Preview as an aid to the reader.

  • Windows 2000 operating system

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 Technical Preview operating system

Exceptions, if any, are noted below. If a service pack or Quick Fix Engineering (QFE) number appears with the product version, behavior changed in that service pack or QFE. The new behavior also applies to subsequent service packs of the product unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms SHOULD or SHOULD NOT implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term MAY implies that the product does not follow the prescription.

<1> Section 1.3: IKEv2 Protocol Implementation Notes

[RFC4306] IKEv2 MUST / MUST NOT implementation notes

RFC Requirement

RFC 4306 Section

Compliance statement

"If a node receives a delete request for SAs for which it has already issued a delete request, it MUST delete the outgoing SAs while processing the request and the incoming SAs while processing the response."

Section 1.4

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"Note that Message IDs are cryptographically protected and provide protection against message replays. In the unlikely event that Message IDs grow too large to fit in 32 bits, the IKE_SA MUST be closed."

Section 2.2

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"The management interface by which the Shared Secret is provided MUST accept ASCII strings of at least 64 octets and MUST NOT add a null terminator before using them as shared secrets. It MUST also accept a HEX encoding of the Shared Secret."

Section 2.15

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"IKEv2 simplifies this situation by requiring that ECN be usable in the outer IP headers of all tunnel-mode IPsec SAs created by IKEv2. Specifically, tunnel encapsulators and decapsulators for all tunnel-mode SAs created by IKEv2 MUST support the ECN full-functionality option for tunnels specified in [RFC3168] and MUST implement the tunnel encapsulation and decapsulation processing specified in [RFC4301] to prevent discarding of ECN congestion indications."

Section 3.6

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"MUST be capable of being configured to send and accept the first two Hash and URL formats (with HTTP URLs)."

Section 3.6

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

[RFC4306] IKEv2 SHOULD / SHOULD NOT implementation notes

RFC Requirement

RFC 4306  Section

Compliance statement

"The initiator SHOULD repeat the request, but now with a KEi payload from the group the responder selected."

Section 1.3

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"…regard half-closed connections as anomalous and audit their existence should they persist."

Section 1.4

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"IKEv2 implementations SHOULD be aware of the maximum UDP message size supported."

Section 2

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"An IKE endpoint supporting a window size greater than one SHOULD be capable of processing incoming requests out of order to maximize performance in the event of network failures or packet reordering."

Section 2.4

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"An endpoint SHOULD suspect that the other endpoint has failed based on routing information and initiate a request to see whether the other endpoint is alive."

Section 2.4

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"…implementations SHOULD reject as invalid a message with those payloads in any other order."

Section 2.5

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"Implementations SHOULD support in-place rekeying of SAs."

Section 2.8

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"If redundant SAs are created though such a collision, the SA created with the lowest of the four nonces used in the two exchanges SHOULD be closed by the endpoint that created it."

Section 2.8

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"If an initiator receives a message on an SA for which it has not received a response to its CREATE_CHILD_SA request, it SHOULD interpret that as a likely packet loss and retransmit the CREATE_CHILD_SA request."

Section 2.8

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"If an error occurs outside the context of an IKE request (e.g., the node is getting ESP messages on a nonexistent SPI), the node SHOULD initiate an INFORMATIONAL exchange with a Notify payload describing the problem."

Section 2.21

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"A node SHOULD treat such a message (and also a network message like ICMP destination unreachable) as a hint that there might be problems with SAs to that IP address and SHOULD initiate a liveness test for any such IKE_SA. An implementation SHOULD limit the frequency of such tests."

Section 2.21

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"There are cases where a NAT box decides to remove mappings that are still alive (for example, the keepalive interval is too long, or the NAT box is rebooted). To recover in these cases, hosts that are not behind a NAT SHOULD send all packets (including retransmission packets) to the IP address and port from the last valid authenticated packet from the other end."

Section 2.23

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"To assure maximum interoperability, implementations MUST be configurable to send at least one of ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, or ID_KEY_ID, and MUST be configurable to accept all of these types. Implementations SHOULD be capable of generating and accepting all of these types."

Section 3.5

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"Implementations SHOULD be capable of being configured to send and accept Raw RSA keys."

Section 3.6

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"Note that since IKE passes an indication of initiator identity in message 3 of the protocol, the responder SHOULD NOT send EAP Identity requests. The initiator SHOULD, however, respond to such requests if it receives them."

Section 3.16

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

[RFC4306] IKEv2 MAY implementation notes

RFC Requirement

RFC 4306 Section

Compliance statement

"The traffic selectors for traffic to be sent on that SA are specified in the TS payloads, which may be a subset of what the initiator of the CHILD_SA proposed."

Section 1.3

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"If the receiving node has an active IKE_SA to the IP address from whence the packet came, it MAY send a notification of the wayward packet over that IKE_SA in an INFORMATIONAL exchange."

Section 1.5

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"IKEv2 implementations SHOULD be aware of the maximum UDP message size supported and MAY shorten messages by leaving out some certificates or cryptographic suite proposals if that will keep messages below the maximum."

Section 2

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"In order to maximize IKE throughput, an IKE endpoint MAY issue multiple requests before getting a response to any of them if the other endpoint has indicated its ability to handle such requests. For simplicity, an IKE implementation MAY choose to process requests strictly in order and/or wait for a response to one request before issuing another."

Section 2.3

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"To prevent this, the initiator MAY be willing to accept multiple responses to its first message, treat each as potentially legitimate, respond to it, and then discard all the invalid half-open connections when it receives a valid cryptographically protected response to any one of its requests."

Section 2.4

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"The responder in that case MAY reject the message by sending another response with a new cookie or it MAY keep the old value of <secret> around for a short time and accept cookies computed from either one."

Section 2.6

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"An implementation MAY refuse all CREATE_CHILD_SA requests within an IKE_SA."

Section 2.8

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"An initiator MAY send a dummy message on a newly created SA if it has no messages queued in order to assure the responder that the initiator is ready to receive messages."

Section 2.8

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"If more than one subset is acceptable but their union is not, the responder MUST accept some subset and MAY include a Notify payload of type ADDITIONAL_TS_POSSIBLE to indicate that the initiator might want to try again."

Section 2.9

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"CP(CFG_REQUEST) MUST contain at least an INTERNAL_ADDRESS attribute (either IPv4 or IPv6) but MAY contain any number of additional attributes the initiator wants returned in the response."

Section 2.19

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"An IKE peer wishing to inquire about the other peer's IKE software version information MAY use the method below."

Section 2.20

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"A node receiving a suspicious message from an IP address with which it has an IKE_SA MAY send an IKE Notify payload in an IKE INFORMATIONAL exchange over that SA."

Section 2.21

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"A node requesting a CHILD_SA MAY advertise its support for one or more compression algorithms through one or more Notify payloads of type IPCOMP_SUPPORTED. The response MAY indicate acceptance of a single compression algorithm with a Notify payload of type IPCOMP_SUPPORTED."

Section 2.22

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"IPv6-only implementations MAY be configurable to send only ID_IPV6_ADDR."

Section 3.5

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"INVALID_SPI MAY be sent in an IKE INFORMATIONAL exchange when a node receives an ESP or AH packet with an invalid SPI."

Section 3.10.11

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"INVALID_SELECTORS MAY be sent in an IKE INFORMATIONAL exchange when a node receives an ESP or AH packet whose selectors do not match those of the SA on which it was delivered (and that caused  the packet to be dropped)."

Section 3.10.11

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"INITIAL_CONTACT: It MAY be sent when an IKE_SA is established after a crash,…"

Section 3.10.11

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"NAT_DETECTION_SOURCE_IP: There MAY be multiple Notify payloads of this type in a message if the sender does not know which of several network attachments will be used to send the packet."

Section 3.10.11

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"NAT_DETECTION_DESTINATION_IP: Alternately, it MAY reject the connection attempt if NAT traversal is not supported."

Section 3.10.11

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"HTTP_CERT_LOOKUP_SUPPORTED: This notification MAY be included in any message that can include a CERTREQ payload and indicates that the sender is capable of looking up certificates based on an HTTP-based URL."

Section 3.10.11

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"The CFG_REPLY Configuration Payload MAY return that value, or a new one. It MAY also add new attributes and not include some requested ones. Requestors MUST ignore returned attributes that they do not recognize. Some attributes MAY be multi-valued, in which case multiple attribute values of the same type are sent and/or returned."

Section 3.15

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

"INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS: With IPv6, a requestor MAY supply the low-order address bytes it wants to use. Multiple internal addresses MAY be requested by requesting multiple internal address attributes."

Section 3.15.1

Not supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<2> Section 1.3: IKE extensions by operating system cross-reference. Implemented in Windows NT 4.0 operating system, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The following tables describe the extensions that each release supports.

The IKE proposal for Encapsulating Security Payload (ESP) and Authentication Headers (AH) is deprecated in the Windows 7 implementation of IKE version 2 but supported by IKE version 1 in Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

IKE extension

Windows NT 4.0 (with additional download)

Windows 2000

Windows 2000 SP4 post-SP4 rollup

NAT-T

X

X

IKE fragmentation

X

CGA authentication

Fast failover

Negotiation discovery

Reliable delete

X

IKE extension

Windows XP

Windows XP SP2

Windows Server 2003

Windows Vista and Windows Server 2008

Windows 7 and Windows Server 2008 R2

Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2

Windows 10, and Windows Server 2016 Technical Preview

NAT-T

X

X

X

X

X

X

IKE fragmentation

X

X

X

X

X

X

CGA authentication

X

X

X

X

Fast failover

X

X

X

X

X

X

Negotiation discovery

X

X

X

X

Reliable delete

X

X

X

X

X

X

X

IKEv2 SA Correlation

X

X

X

IKEv2 Configuration Attributes

X

X

X

Denial of Service protection

X

X

X

X

X

X

X

Dead Peer Detection

X *

X

Xbox Multiplayer Gaming (IKEv2) Vendor IDs

X

Security Realm (IKEv2) Vendor IDs

X

* Dead Peer Detection is implemented only for IKEv2-based site-to-site IPsec tunnels on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. Dead Peer Detection is not implemented on Windows 8, Windows 8.1, or Windows 10.

<3> Section 1.3.8: IKE extensions by operating system cross reference. Implemented in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The following table describes the extensions that are supported by IKE in each release.

IKE extension

Windows XP SP2

Windows Server 2003

Windows Vista and Windows Server 2008

Windows 7 and Windows Server 2008 R2

Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

IKE/AuthIP co-existence

X

X

X

Exchange information notification payload

X

X

X

X

X

<4> Section 1.7: Algorithms implemented by operating system cross reference. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The following table lists the algorithms that are implemented.

Authentication method

Windows 2000

Windows XP

Windows Server 2003

Windows Vista and Windows Server 2008

Windows 7 and Windows Server 2008 R2

Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

Pre-shared key (as specified in [RFC2409])

X

X

X

X

X

X

RSA signature (as specified in [RFC2409])

X

X

X

X

X

X

Kerberos using GSS-API (as specified in [GSS])

X

X

X

X

X

X

CGA (as specified in [RFC3972])

X

X

X

<5> Section 1.7: Cryptographic parameters implemented by operating system cross reference. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The following tables list the parameters that are implemented.

Diffie-Hellman group

Windows 2000

Windows XP

Windows Server 2003

Windows Vista and Windows Server 2008

Windows 7 and Windows Server 2008 R2

Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

Default 768-bit MODP group (as specified in [RFC2409])

X

X

X

X

X

X

Alternate 1,024-bit MODP group (as specified in [RFC2409])

X

X

X

X

X

X

2,048-bit MODP group (as specified in [RFC3526])

X

X

X

X

ECP256 (as specified in [ECP])

X

X

X

ECP384 (as specified in [ECP])

X

X

X

Authentication algorithm

Windows 2000

Windows XP

Windows Server 2003

Windows Vista and Windows Server 2008

Windows 7 and Windows Server 2008 R2

Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

NULL (as specified in [RFC2410])

X

X

X

X

X

X

HMAC-SHA1-96 (for more information, see [RFC2404])

X

X

X

X

X

X

HMAC-MD5-96 (as specified in [RFC2403])

X

X

X

X

X

X

AES-MAC (for more information, see [RFC4543])

X

X

SHA-256 (for more information, see [SHA256])

X

X

Encryption algorithm

Windows 2000

Windows XP

Windows Server 2003

Windows Vista and Windows Server 2008

Windows 7 and Windows Server 2008 R2

Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

NULL (as specified in [RFC2410])

X

X

X

X

X

X

DES-CBC (for more information, see [RFC2405])

X

X

X

X

X

X

3DES-CBC (as specified in [RFC2451])

X

X

X

X

X

X

AES-CBC with 128, 192, and 256 Bit Keys (for more information, see [RFC3602])

X

X

X

AES-GCM with 128, 192, and 256 Bit Keys (for more information, see [RFC4106])

X

X

<6> Section 1.7: Vendor ID payloads. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The Microsoft implementation of IKE supports the following vendor IDs.

The Microsoft implementation vendor ID (the first rows of the second table that follows, where the common name starts with "Microsoft implementation") is constructed by appending a 32-bit (4-byte) version number in network order to the 128-bit (16-byte) MD5 hash of the "MS NT5 ISAKMPOAKLEY" string. The version number is the additional 4 bytes that denote the Windows operating system version as detailed in the first table that follows.

Operating system version

4-byte version number

Windows 2000

00 00 00 02

Windows XP

00 00 00 03

Windows Server 2003

00 00 00 04

Windows Vista

00 00 00 05

Windows Server 2008

00 00 00 06

Windows 7

00 00 00 07

Windows Server 2008 R2

00 00 00 08

Windows 8

00 00 00 09

Windows Server 2012

00 00 00 09

Windows 8.1

00 00 00 09

Windows Server 2012 R2

00 00 00 09

Windows 10

00 00 00 09

Windows Server 2016 Technical Preview

00 00 00 09

Common name

String representation

Wire representation (MD5 hash of string)

Version

Microsoft implementation Windows 2000

"MS NT5 ISAKMPOAKLEY" + version number 2

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 02

Windows 2000

Microsoft implementation Windows XP

"MS NT5 ISAKMPOAKLEY" + version number 3

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 03

Windows XP

Microsoft implementation Windows Server 2003

"MS NT5 ISAKMPOAKLEY" + version number 4

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 04

Windows Server 2003

Microsoft implementation Windows Vista

"MS NT5 ISAKMPOAKLEY" + version number 5

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 05

Windows Vista

Microsoft implementation Windows Server 2008

"MS NT5 ISAKMPOAKLEY" + version number 6

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 06

Windows Server 2008

Microsoft implementation Windows 7

"MS NT5 ISAKMPOAKLEY" + version number 7

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 07

Windows 7

Microsoft implementation Windows Server 2008 R2

"MS NT5 ISAKMPOAKLEY" + version number 8

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 08

Windows Server 2008 R2

Microsoft implementation Windows 8

"MS NT5 ISAKMPOAKLEY" + version number 9

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 09

Windows 8

Microsoft implementation Windows Server 2012

"MS NT5 ISAKMPOAKLEY" + version number 9

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 09

Windows Server 2012

Microsoft implementation Windows 8.1

"MS NT5 ISAKMPOAKLEY" + version number 9

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 09

Windows 8.1

Microsoft implementation Windows 10

"MS NT5 ISAKMPOAKLEY" + version number 9

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 09

Windows 10

Microsoft implementation Windows Server 2012 R2

"MS NT5 ISAKMPOAKLEY" + version number 9

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 09

Windows Server 2012 R2

Microsoft implementation Windows Server 2016 Technical Preview

"MS NT5 ISAKMPOAKLEY" + version number 9

1E 2B 51 69 05 99 1C 7D 7C 96 FC BF B5 87 E4 61 00 00 00 09

Windows Server 2016 Technical Preview

Kerberos authentication supported (as specified in [GSS])

"GSSAPI"

62 1B 04 BB 09 88 2A C1 E1 59 35 FE FA 24 AE EE

Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

NLB/MSCS fast failover supported

"Vid-Initial-Contact"

26 24 4D 38 ED DB 61 B3 17 2A 36 E3 D0 CF B8 19

Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

NLB/MSCS fast failover supported

"NLBS_PRESENT"

72 87 2B 95 FC DA 2E B7 08 EF E3 22 11 9B 49 71

Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

Fragmentation avoidance supported

"FRAGMENTATION"

40 48 B7 D5 6E BC E8 85 25 E7 DE 7F 00 D6 C2 D3

Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

NAT-T supported

"draft-ietf-ipsec-nat-t-ike-02\n"

90 CB 80 91 3E BB 69 6E 08 63 81 B5 EC 42 7B 1F

Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

NAT-T supported

"RFC 3947"

4A 13 1C 81 07 03 58 45 5C 57 28 F2 0E 95 45 2F

Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

AuthIP supported

"MS-MamieExists"

21 4C A4 FA FF A7 F3 2D 67 48 E5 30 33 95 AE 83

Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

CGA supported

"IKE CGA version 1"

E3 A5 96 6A 76 37 9F E7 07 22 82 31 E5 CE 86 52

Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

Negotiation discovery supported

"MS-Negotiation Discovery Capable"

FB 1D E3 CD F3 41 B7 EA 16 B7 E5 BE 08 55 F1 20

Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview

Microsoft Xbox One 2013

"Microsoft Xbox One 2013"

8A A3 94 CF 8A 55 77 DC 31 10 C1 13 B0 27 A4 F2

Windows 10 and Windows Server 2016 Technical Preview

Xbox IKEv2 Negotiation

"Xbox IKEv2 Negotiation"

66 08 22 B3 A7 3A 24 41 49 57 8D 62 E0 EB 46 A0

Windows 10 and Windows Server 2016 Technical Preview

Security Realm ID

"MSFT IPsec Security Realm Id"

68 6A 8C BD FE 63 4B 40 51 46 FB 2B AF 33 E9 E8

Windows 10 and Windows Server 2016 Technical Preview

<7> Section 2.1: IKE transport port assignments. Implemented in Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. These IKE extensions run on UDP ports 500 and 4500 only.

<8> Section 2.2.1: NAT-T payload types. Implemented in Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The NAT-T payload type values that are used by each Windows version are specified in section 3.2.4.1.

<9> Section 2.2.2: NAT-T UDP encapsulation modes. Implemented in Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The UDP encapsulation mode values used by each Windows version are specified in section 3.2.4.1.

<10> Section 2.2.6: Error codes. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. This field may contain any Windows error code value. For more information about these codes, see [MS-ERREF].

<11> Section 2.2.7:  Error codes. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. This field may take on any Windows error code value. For more information about these codes, see [MS-ERREF].

<12> Section 2.2.10: For Windows implementations, the "MSFT IPsec Security Realm Id" payload is 32 bytes long. The first 16 bytes is the MD5 hash of the vendor ID string. The remaining 16 bytes is an HMAC-MD5 encrypted string that identifies a particular security realm (as discussed in section 1.3.12). The key that is used for this purpose is the string "SecurityRealmPolicyHmacKey".

<13> Section 3.1.5: Initialization vectors (IV) choice for encrypted notifications sent prior to MM SA establishment:

If the peer sent the MS NT5 ISAKMPOAKLEY notify vendor ID and the 4-byte version number is 0x00000002, 0x00000003, 0x0000004, or 0x00000005, (denoting Windows 2000, Windows XP, Windows Server 2003 and Windows Vista, respectively), the IV used in encrypting the notify is the last cipher block of the last sent packet. Otherwise, the IV will be the last cipher block of the last decrypted packet.

<14> Section 3.2: [RFC3947] and [DRAFT-NATT] implementation. Both revisions are implemented in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. Windows 2000 operating system Service Pack 4 (SP4), Windows XP operating system Service Pack 2 (SP2), and Windows Server 2003 implement the [DRAFT-NATT] revision. For more information, see [DRAFT-NATT].

<15> Section 3.2.2: NAT-T keep-alive timer: A keep-alive message is sent every 20 seconds. Implemented in Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Windows Vista operating system with Service Pack 2 (SP2), Windows Server 2008 SP1, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. Windows Vista, Windows Vista operating system with Service Pack 1 (SP1), and Windows Server 2008 do not send keep-alives.

<16> Section 3.2.4.1: [NAT-T IKE] message construction. Implemented in Windows 2000 Server operating system Service Pack 4 (SP4), Windows XP SP2, Windows Server 2003, Windows Vista, Windows Server 2008 operating system, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

NAT-T revision support

Version

[DRAFT-NATT] and [RFC3947]

Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2

[DRAFT-NATT]

Windows 2000 Server SP4, Windows XP SP2, and Windows Server 2003

Windows does not support NAT-T for IPv6 and therefore, does not send the NAT-T vendor IDs for IPv6 negotiations.

<17> Section 3.3.2: Fragmentation timer. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The fragmentation timer is variable.

This timer interval is computed as the sum of the first 2 packet retransmission times. In Windows 2000, Windows XP, and Windows Server 2003, this is started from the IKE exchange (the second round trip in main mode). For Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview, this is started from the first main mode packet of the exchange. This should sum to 3 seconds. However, there is variance in the timer implementation up to ½ second per retransmission. This is an implementation artifact in that the underlying timer implementation is only this accurate. Hence the observed timer will be within the range of 2 to 4 seconds.

  • In Windows 2000, Windows XP, and Windows Server 2003, both the initiator and the responder implement a fragmentation timer.

  • In Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview, only the initiator implements a fragmentation timer.

<18> Section 3.3.2: Fragment reassembly timer: Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The fragment reassembly timer is set to 70 seconds.

<19> Section 3.3.5.3: Fragmentation active flag. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The Fragmentation active flag is set on receipt of a Fragment payload.

<20> Section 3.3.5.3: IKE Message Fragmentation active flag behavior. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. IKE messages are fragmented if the Fragmentation active flag is set, as per the conditions specified in section 3.3.6.1.

<21> Section 3.3.6.1: Expiration of the fragmentation timer. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<22> Section 3.5.4.1: Vendor ID payload. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. In Windows Vista and Windows Server 2008, the host sends the "Vid-Initial-Contact" vendor ID payload if it has no open TCP connections to the peer and new connection attempts cause the retransmission of SYN packets.

<23> Section 3.5.7.1: QM SA idle timer. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The QM SA idle timer is set to 1 minute if the Fast Failover flag is set on the parent MM SA, and it is set to 5 minutes if the Fast Failover flag is not set.

<24> Section 3.6.5.1: Vendor ID processing. Implemented in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. This information is used to evaluate whether the MM SA should be allocated to a different host within the cluster. For more information, see [MSFT-WLBS].

<25> Section 3.8.4.1: Nonce. Implemented in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. Nonces are 32-byte random numbers that are generated from a FIPS-140–compliant random-number generator. For more information, see [FIPS140].

<26> Section 3.8.6.1: Delete Retransmission timer. Implemented in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The first retransmission occurs after 1 second. The time-out is doubled for each subsequent retransmission up to a maximum of six retransmissions. The maximum retransmission interval is capped at 16 seconds; so if the doubling of the previous interval exceeds 16 seconds, 16 seconds is used. The timer is started only if the remote host is a Windows peer, as identified by the "MS NT5 ISAKMPOAKLEY" vendor ID payload.

<27> Section 3.8.7.1:  Shutdown behavior. On shutdown for Windows 2000, Windows XP, and Windows Server 2003, IKE runs as specified in the footnote regarding the delete transmission timer in section 3.8.6.1. Note that the machine may shut down before the maximum number of retransmissions has actually been sent.

<28> Section 3.8.7.2: After a delete has been triggered, Windows immediately sends the delete notify, and delays deleting the MM state internally to handle quick mode delete processing. Also, Windows does not immediately delete the quick mode(s) associated with the MM on receiving the MM delete, but waits for them to be deleted as a result of other protocol events.

<29> Section 3.9.5.1: DOS Protection mode cookie generation. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The Windows implementation uses the following algorithm to generate the cookie (prevTimeSlice is a Boolean input parameter to the algorithm). iCookie is the Initiator Cookie as defined in [RFC2408] section 3.1.

 Set Curtime to the 32 bits number of seconds 
     elapsed since midnight, January 1, 1970
 Set LocalIPaddr to the local IP address in 
     network order
 Set Localport to the 16 bits local listening UDP
     port (500 or 4500) in network order /* This port is the local port that the packet was received on. */
 Set Peerport to the 16 bits remote port in 
     network order
 Set PeerIPaddr to the peer IP address in network order
 Set cookieKey to a 50-byte random number
 Set COOKIE_KEY_TIME to 150 seconds
 If LocalIPaddr and PeerIPaddr are IPv4 addresses then
 Compute localAddr as 01 00 02 00 concatenated with LocalPort concatenated with LocalIPAddr
     concatenated with 26 bytes of 0
 Compute peerAddr as 01 00 02 00 concatenated with peerPort concatenated with peerIPAddr
     concatenated with 26 bytes of 0
 end if
 If LocalIPaddr and PeerIPaddr are IPv6 addresses then
 Compute localAddr as 0x01 0x00 0x02 0x00 concatenated with LocalPort
     concatenated with LocalIPAddr concatenated with 14 bytes of 0
 Compute peerAddr as 0x05 0x00 0x17 0x00 concatenated with peerPort
     concatenated with peerIPAddr concatenated with 14 bytes of 0
 end if
 Compute Curtime as  ((Curtime + COOKIE_KEY_TIME) / COOKIE_KEY_TIME) * COOKIE_KEY_TIME
 If prevTimeSlice is true then
 Compute Curtime as Curtime - COOKIE_KEY_TIME
 End if
 Compute tempCookie as SHA1(cookieKey concatenated with iCookie concatenated with peerAddr
     concatenated with localAddr concatenated with curTime)
 Compute cookie as the first 8 bytes of tempCookie

<30> Section 3.9.5.3: DOS Protection mode cookie validation. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The Windows implementation checks the validity of the Responder Cookie field by regenerating the cookie using the algorithm specified in section 3.9.5.1. The algorithm is as follows.

 Set RCookie to the cookie field from message #2
 Set prevTimeslice to FALSE
 Compute cookie as described in <ref2>  
 If RCookie=cookie then
 RCookie is valid 
 Else
 Set prevTimeslice to TRUE
 Compute cookie as described in <ref2>
 If RCookie=cookie then 
 RCookie is valid
 Else
 RCookie is invalid
 End if
 End if
  

<31> Section 3.9.7: DOS Protection Threshold. Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. In Windows Vista and Windows Server 2008, Windows goes into DOS Protection mode if the number of negotiations for which only one message has been received from any initiator is more than 500. This is detected when the number of MM SAs in the MMSAD (see section 3.1.1) is more than 500, and these SAs have only received one message. For a given IP address, if the number of negotiations for which only one message has been received is above 35, Windows drops new incoming negotiations from this IP address. For this reason, incoming messages have to come from multiple IP addresses in order to trigger the Denial of Service Protection mode. In Windows 2000, Windows XP, or Windows Server 2003, Windows goes into DOS protection mode immediately after setting the registry key and restarting the service.

Windows goes out of DOS Protection mode if the number of MM SAs in the MMSAD for which only one message has been received from any initiator is less than 100.

To enable the Windows DOS Protection mode in Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, or Windows Server 2016 Technical Preview, set the following Windows registry DWORD to 1.

SYSTEM\\CurrentControlSet\\Services\\IKEEXT\\Parameters\EnableDOSProtect (DWORD)

To enable Windows DOS Protection mode in Windows 2000, Windows XP, or Windows Server 2003, set the following Windows registry DWORD to 1.

SYSTEM\\CurrentControlSet\\Services\\PolicyAgent\\Oakley\EnableDOSProtect (DWORD). Stop and restart the PolicyAgent service for this setting to take effect.

<32> Section 3.11: This feature is supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<33> Section 3.11.1: This feature is supported in Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview.

<34> Section 3.11.5.1: The Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview responder adds this attribute.

<35> Section 3.11.5.2: The Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview initiator processes this attribute.

<36> Section 3.12.1: Dead Peer Detection is implemented only for server-to-server site-to-site-tunnel mode IPsec tunnels on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview. Dead Peer Detection is not implemented on Windows 8, Windows 8.1, or Windows 10 for IKEv2-based VPN (that is, VPN Reconnect).

<37> Section 3.12.7.1: Implemented in Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10, and Windows Server 2016 Technical Preview. The QM SA idle timer is set to 1 minute if the Fast Failover flag is set on the parent MM SA, and it is set to 5 minutes if the Fast Failover flag is not set.

<38> Section 3.13.1: Implemented for Xbox multiplayer gaming scenarios.

<39> Section 3.13.1: The integer value associated with the "Xbox IKEv2 Negotiation" vendor ID can be 0 or 1. These values denote different types of secure connections for Xbox multiplayer gaming. Their significance is beyond the scope of this document.

<40> Section 3.14.1: Implemented for Xbox multiplayer gaming scenarios.

<41> Section 3.14.1: This data is used to negotiate various IPsec SA proposals and different authentication methods for securing traffic for different game titles.

<42> Section 3.14.5.1: If the IKE_SA_INIT message does not have a "MSFT IPsec Security Realm Id" vendor ID, Windows skips all security realm-based IPsec policies.

<43> Section 3.14.5.1: If a IKEv2 responder receives an IKE_SA_INIT message with "MSFT IPsec Security Realm Id" vendor payload, then the Windows implementation does not send the optional CERTREQ payload ([RFC5996] section 1.2) in the IKE_SA_INIT response message.

Show:
© 2015 Microsoft